A North Korean cyber espionage group, Kimsuky, has been identified deploying a new malicious Google Chrome extension called TRANSLATEXT. This extension is designed to steal sensitive information as part of an ongoing intelligence collection effort. The activity was first observed by Zscaler ThreatLabz in early March 2024.
Key Details
- Target: South Korean academia, specifically researchers focusing on North Korean political affairs.
- Capabilities of TRANSLATEXT:
  - Gathers email addresses, usernames, passwords, cookies, and browser screenshots.
  - Masquerades as Google Translate to bypass security measures on services like Google, Kakao, and Naver.
  - Fetches commands from a Blogger Blogspot URL to perform additional malicious activities.
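The capability list above maps directly onto a small set of extension permissions a defender can audit for: cookie access, broad host access, script injection into every site, and a brand name that does not come from the Chrome Web Store. The following script is an added example written for this summary, not code from Zscaler or from the extension itself; it checks a Chrome extension manifest for that profile. The SAMPLE_MANIFEST is constructed to illustrate the pattern and is not TRANSLATEXT's real manifest, and the profile directory layout (Extensions/<id>/<version>/manifest.json) is Chrome's standard on-disk layout.

```python
"""Audit Chrome extension manifests for an info-stealer permission profile.

Added example (not from the original report). Flags the combination of
capabilities described in the article: cookie theft, access to every site,
content-script injection, and impersonation of a well-known brand by an
extension that is not updated from the Chrome Web Store.
"""
import json
from pathlib import Path

# Permissions that let an extension read credentials/cookies, watch traffic,
# capture the screen, or inject code. Each maps to a short reason string.
HIGH_RISK_PERMISSIONS = {
    "cookies": "can read session cookies for any permitted host",
    "webRequest": "can observe HTTP requests, including form posts",
    "webRequestBlocking": "can modify or block HTTP requests",
    "tabs": "can read every tab's URL and title",
    "desktopCapture": "can capture the screen",
    "scripting": "can inject JavaScript into pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Brands the article says were impersonated; extend for your environment.
IMPERSONATED_BRANDS = ("google translate",)

# Constructed sample manifest for demonstration; NOT the real TRANSLATEXT file.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}


def _host_patterns(manifest: dict) -> list[str]:
    """Collect host patterns from MV3 host_permissions and MV2 permissions."""
    hosts = list(manifest.get("host_permissions", []))
    # In manifest v2 host patterns live in 'permissions' alongside API names.
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return hosts


def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")

    broad = [h for h in _host_patterns(manifest) if h in BROAD_HOSTS]
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")

    for cs in manifest.get("content_scripts", []):
        if any(m in BROAD_HOSTS for m in cs.get("matches", [])):
            findings.append(f"content script injected into all sites: {cs.get('js', [])}")
            break

    name = manifest.get("name", "").lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in name and manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            findings.append(
                f"name impersonates '{brand}' but extension is not distributed via the Chrome Web Store"
            )
    return findings


def scan_profile(profile_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    results = {}
    for manifest_path in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash
        findings = assess_manifest(manifest)
        if findings:
            results[manifest_path.parent.parent.name] = findings
    return results


if __name__ == "__main__":
    for finding in assess_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run it against a real profile with `scan_profile(Path.home() / ".config/google-chrome/Default")` on Linux (adjust the path for Windows or macOS); extension IDs that come back with several findings, especially a brand name plus cookie access without the Web Store update URL, are the ones worth pulling for analysis.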
Kimsuky’s Background
Kimsuky has been active since at least 2012 and is notorious for cyber espionage and financially motivated attacks targeting South Korean entities. The group is associated with the Lazarus cluster and is part of the Reconnaissance General Bureau (RGB). It is also tracked under various names, including APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.
Recent Activities
- Microsoft Office Exploit: In recent weeks, Kimsuky exploited a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger.
- Job-themed Lures: The group used job-themed lures in attacks on the aerospace and defense sectors, aiming to deploy an espionage tool with data-gathering capabilities and secondary payload execution functionalities.
Attack Methodology
The exact mode of initial access for the new activity is unclear, but Kimsuky is known to use spear-phishing and social engineering to initiate the infection chain. The attack begins with a ZIP archive containing a Hangul Word Processor document and an executable. Executing the file retrieves a PowerShell script from an attacker-controlled server, which exports victim information to a GitHub repository and downloads additional PowerShell code.
GitHub and TRANSLATEXT
Zscaler discovered a GitHub account, created on February 13, 2024, which briefly hosted the TRANSLATEXT extension under the name “GoogleTranslate.crx.” The files were present on March 7, 2024, and deleted the next day, suggesting Kimsuky intended to minimize exposure and target specific individuals.
Expert Insights
Seongsu Park, a security researcher, highlighted that one of Kimsuky’s primary objectives is to conduct surveillance on academic and government personnel to gather valuable intelligence. TRANSLATEXT’s sophisticated capabilities, including JavaScript code to bypass security measures and exfiltrate data, underline the advanced threat posed by this group.