Kimsuky’s TRANSLATEXT Chrome Extension: A New Tool for Data Theft

June 28, 2024

Zscaler ThreatLabz, in March 2024, observed the North Korea-linked threat group Kimsuky using a new malicious Google Chrome extension, TRANSLATEXT, to steal sensitive information. This extension is capable of gathering email addresses, usernames, passwords, cookies, and browser screenshots. The campaign primarily targets South Korean academia, especially those studying North Korean politics.

Kimsuky, a notorious North Korean hacking group, has been active since 2012. They are known for cyber espionage and financially motivated attacks against South Korean entities. The group is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, and is said to be a sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB).

Recently, Kimsuky has exploited a known security vulnerability in Microsoft Office (CVE-2017-11882) to distribute a keylogger. The group has also used job-themed lures in attacks aimed at the aerospace and defense sectors to deploy an espionage tool with data gathering and secondary payload execution functionality. Cybersecurity company CyberArmor stated, "The backdoor, which does not appear to have been publicly documented before, allows the attacker to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine." CyberArmor has named this campaign Niki.

The initial access method for the newly discovered activity remains unclear, but Kimsuky is known to use spear-phishing and social engineering attacks to initiate the infection chain. The attack starts with a ZIP archive that appears to be about Korean military history and contains a Hangul Word Processor document and an executable. When launched, the executable retrieves a PowerShell script from an attacker-controlled server; that script exports victim information to a GitHub repository and downloads additional PowerShell code via a Windows shortcut (LNK) file.

Zscaler discovered a GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although its delivery method is currently unknown. Security researcher Seongsu Park noted, "These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals."

TRANSLATEXT, pretending to be Google Translate, uses JavaScript code to bypass security measures for services like Google, Kakao, and Naver. It captures email addresses, credentials, cookies, and browser screenshots, and exfiltrates stolen data. It is also designed to receive commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser. Park said, "One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence."
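The capabilities described above (cookie theft, screenshots, credential capture on specific sites) all depend on permissions an extension must declare in its manifest.json, which gives defenders a cheap triage point. The script below is an added example, not Zscaler's tooling and not derived from TRANSLATEXT's actual manifest: it walks a Chrome profile's Extensions folder (the `assess_profile` path argument is whatever profile directory you point it at) and scores each manifest on a generic permission-to-capability heuristic. The mapping of permissions to behaviours follows Chrome's documented extension API requirements; the sample manifests at the bottom are constructed for illustration.

```python
"""
Heuristic triage of Chrome extension manifests for capabilities that match
the TRANSLATEXT description: cookie access, screenshot capture, and script
injection into arbitrary pages.  Added example; the permission mapping is a
general Chrome-extension heuristic, not an indicator taken from TRANSLATEXT.
"""
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _broad(patterns) -> bool:
    """True if any match pattern covers all origins."""
    return any(p in BROAD_HOSTS for p in patterns)


def assess_manifest(manifest: dict) -> dict:
    """Return capability flags and a 0-3 score for one parsed manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host patterns inside `permissions`; fold them in so
    # both manifest versions are assessed the same way.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    content_hosts = set()
    for cs in manifest.get("content_scripts", []):
        content_hosts.update(cs.get("matches", []))

    flags = {
        # chrome.cookies reads cookies only for hosts the extension may access.
        "cookie_access": "cookies" in perms and _broad(hosts),
        # chrome.tabs.captureVisibleTab needs activeTab or <all_urls>.
        "screenshot_capable": "activeTab" in perms or _broad(hosts),
        # Content scripts on every site, or chrome.scripting plus broad hosts,
        # let the extension read forms (credentials) on any page.
        "injects_everywhere": _broad(content_hosts)
        or ("scripting" in perms and _broad(hosts)),
    }
    return {
        "name": manifest.get("name", "?"),
        "flags": flags,
        "score": sum(flags.values()),
    }


def assess_profile(extensions_dir: Path) -> list:
    """Assess every <id>/<version>/manifest.json under a profile's Extensions dir."""
    results = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            results.append(assess_manifest(json.loads(mf.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not TRANSLATEXT's real manifest).
SAMPLE_BENIGN = {
    "name": "Notes",
    "manifest_version": 3,
    "permissions": ["storage"],
}
SAMPLE_SUSPICIOUS = {
    "name": "Google Translate",  # name mimics a trusted product
    "manifest_version": 3,
    "permissions": ["cookies", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_MV2 = {
    "name": "Old Helper",
    "manifest_version": 2,
    "permissions": ["cookies", "http://*/*"],
}

if __name__ == "__main__":
    for m in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS, SAMPLE_MV2):
        r = assess_manifest(m)
        print(f"{r['score']}  {r['name']:<18} {r['flags']}")
```

A score of 3 does not prove malice (some legitimate extensions need all three), but an extension that impersonates a well-known product name while holding every one of these capabilities deserves a closer look at its JavaScript, including any hard-coded URLs it polls for commands.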
