
Using TRANSLATEXT Chrome Extension to Steal Sensitive Data: A Deep Dive into Kimsuky’s Tactics

The North Korea-linked threat group Kimsuky has been observed using a new malicious Google Chrome extension to harvest sensitive data as part of an ongoing intelligence-collection campaign.

Zscaler ThreatLabz, which first detected the activity in early March 2024, named the extension TRANSLATEXT and reported that it can exfiltrate email addresses, usernames, passwords, cookies, and browser screenshots.

The campaign was narrowly targeted at South Korean academic institutions, in particular those focused on North Korean political affairs.

Kimsuky, a notorious hacking group from North Korea active since 2012, has been involved in cyber espionage and financially motivated attacks against South Korean targets.

Assessed to be a sibling of the Lazarus Group and part of North Korea's Reconnaissance General Bureau (RGB), Kimsuky is also tracked under aliases such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

In recent operations, Kimsuky exploited a Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to deliver a keylogger, and used job-themed lures against the aerospace and defense sectors to deploy espionage tools with data-gathering capabilities.

Separately, the cybersecurity firm CyberArmor uncovered a previously undocumented backdoor, named Niki, that Kimsuky uses for reconnaissance and remote control of compromised systems.

The initial access vector for this new activity is currently unknown, but Kimsuky typically opens its attacks with spear-phishing and social engineering.

The observed chain begins with a ZIP archive purporting to contain Korean military history material; inside are a Hangul Word Processor (HWP) document and an executable file.

When the executable is launched, it retrieves a PowerShell script from an attacker-controlled server. That script uploads information about the victim to a GitHub repository and downloads additional PowerShell code by way of a Windows shortcut (LNK) file.

Zscaler also found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension as a file named "GoogleTranslate.crx"; how the extension was delivered to victims' browsers remains unknown.

According to security researcher Seongsu Park, Kimsuky kept the malware in use only for a short period and aimed it at specific individuals, which kept its exposure low.

The TRANSLATEXT extension, disguised as Google Translate, is built to bypass login security measures for services such as Google, Kakao, and Naver, steal email addresses, credentials, and cookies, and capture browser screenshots.

It also polls a Blogger Blogspot URL for commands, which include capturing screenshots of newly opened tabs and deleting all browser cookies, among other functions.
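A defender reading the two paragraphs above will want a way to find an extension like this on an endpoint. The following Python script is an added example written for this article, not code from Zscaler's report or from Kimsuky's tooling. It parses the `extensions.settings` map that Chrome keeps in a profile's `Preferences` or `Secure Preferences` JSON file and flags entries that either borrow the Google Translate name under a different extension ID, or were not installed from the Chrome Web Store yet hold the permissions a cookie-and-screenshot stealer needs. The profile paths, the Web Store ID of the genuine Google Translate extension, and the sample data are assumptions to verify in your own environment; the impostor entry is constructed and does not reflect a real sample.

```python
"""Audit Chrome extension settings for a Google Translate impostor.

Added example for this article, not code from Zscaler or from the malware.
Chrome records each installed extension under extensions.settings in the
profile's Preferences / Secure Preferences JSON, including its manifest and
whether it came from the Chrome Web Store.
"""
import json
import os
import re
from pathlib import Path
from typing import Any

# Extension ID of the genuine Google Translate listing in the Chrome Web Store
# (assumption: check it against the store listing before depending on it).
GOOGLE_TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"

# Name an impostor would reuse, with or without the space.
IMPOSTOR_NAME = re.compile(r"google\s*translate", re.IGNORECASE)

# Permissions that, combined with broad host access, allow cookie theft and
# screenshots of open tabs, the capabilities reported for TRANSLATEXT.
STEALER_PERMISSIONS = {"cookies", "tabs", "webRequest", "webNavigation", "scripting"}

# Services the article names as targets of the credential theft.
TARGET_HOSTS = ("google.com", "kakao.com", "naver.com")


def _host_patterns(manifest: dict[str, Any]) -> set[str]:
    """Collect every host pattern the extension can act on (MV2 and MV3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def _reaches_targets(hosts: set[str]) -> bool:
    """True if the patterns cover all sites or any of the named target services."""
    if any(h in ("<all_urls>", "*://*/*") for h in hosts):
        return True
    return any(t in h for h in hosts for t in TARGET_HOSTS)


def audit_extensions(prefs: dict[str, Any]) -> dict[str, list[str]]:
    """Return {extension_id: [reasons]} for every suspicious entry in the prefs."""
    findings: dict[str, list[str]] = {}
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest") or {}
        if not manifest:  # placeholder entries without a manifest carry nothing to judge
            continue
        reasons = []
        name = manifest.get("name", "")
        if IMPOSTOR_NAME.search(name) and ext_id != GOOGLE_TRANSLATE_ID:
            reasons.append(f"name {name!r} imitates Google Translate under id {ext_id}")
        stealer = set(manifest.get("permissions", [])) & STEALER_PERMISSIONS
        if not entry.get("from_webstore", False) and stealer and _reaches_targets(_host_patterns(manifest)):
            reasons.append("sideloaded extension holds " + ", ".join(sorted(stealer))
                           + " with host access to targeted services")
        if reasons:
            findings[ext_id] = reasons
    return findings


def chrome_preference_files() -> list[Path]:
    """Default-profile preference files on Windows, macOS and Linux (assumed default paths)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    profiles = [
        local / "Google" / "Chrome" / "User Data" / "Default",
        home / "Library" / "Application Support" / "Google" / "Chrome" / "Default",
        home / ".config" / "google-chrome" / "Default",
    ]
    return [p / f for p in profiles for f in ("Preferences", "Secure Preferences") if (p / f).is_file()]


# Constructed sample: the genuine extension plus a sideloaded impostor whose ID
# is made up (Chrome IDs are 32 letters from a to p). Not data from a real host.
FAKE_ID = "fgpaoppofkjkdeakmpacmbhgfelobmao"
SAMPLE_PREFS = {"extensions": {"settings": {
    GOOGLE_TRANSLATE_ID: {
        "from_webstore": True,
        "manifest": {"name": "Google Translate", "permissions": ["contextMenus", "storage"],
                     "host_permissions": ["*://translate.google.com/*"]},
    },
    FAKE_ID: {
        "from_webstore": False,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\GoogleTranslate",
        "manifest": {"name": "GoogleTranslate",
                     "permissions": ["cookies", "tabs", "storage", "<all_urls>"],
                     "content_scripts": [{"matches": ["*://*.naver.com/*", "*://*.kakao.com/*",
                                                      "*://*.google.com/*"]}]},
    },
}}}


def main() -> None:
    files = chrome_preference_files()
    if not files:
        print("No Chrome profile found; auditing the constructed sample instead.")
        for ext_id, reasons in audit_extensions(SAMPLE_PREFS).items():
            print(ext_id, *reasons, sep="\n  ")
        return
    for path in files:
        prefs = json.loads(path.read_text(encoding="utf-8"))
        for ext_id, reasons in audit_extensions(prefs).items():
            print(f"{path}: {ext_id}", *reasons, sep="\n  ")


if __name__ == "__main__":
    main()
```

Run it on a host with `python3 audit_chrome_extensions.py`; it reads the default profile only, so add the `Profile N` directories if users have several. The two checks are deliberately independent: a name-squatting extension from the Web Store is still worth a look, and a sideloaded extension with `cookies` plus `tabs` and `<all_urls>` is suspicious whatever it calls itself. The `from_webstore` flag reflects how Chrome recorded the install, so treat a hit as a lead to pull the extension directory for analysis rather than as proof of compromise.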

Park noted, “One of the primary goals of the Kimsuky group is to conduct surveillance on academic and government personnel to gather valuable intelligence.”
