Tuesday, April 1, 2025

Kimsuky Utilizing TRANSLATEXT Chrome Extension to Steal Sensitive Information

The North Korea-linked threat actor Kimsuky has been linked to a newly developed malicious Google Chrome extension designed to siphon sensitive information as part of its ongoing intelligence-gathering efforts.

Zscaler ThreatLabz, which observed the activity in early March 2024, said the extension, codenamed TRANSLATEXT, is capable of gathering sensitive information, including email addresses, usernames, passwords, cookies, and browser screenshots.

The targeted campaign appears to have been aimed at the academic community in South Korea, specifically researchers focused on North Korean political affairs.

Kimsuky is a notorious hacking group from North Korea, first identified in 2012, that has been actively conducting cyber-attacks, primarily against South Korean organizations, for espionage and financial gain.

A sister collective of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), the group is also tracked under the aliases APT43, Archipelago, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

Recently, the group was observed exploiting a known vulnerability in Microsoft Office (CVE-2017-11882) to distribute a keylogger, and it has been linked to attacks on the aerospace and defense sectors that deployed an espionage tool with information-gathering and secondary-payload execution capabilities.

The backdoor is capable of conducting initial reconnaissance, dropping additional malware payloads, and potentially taking remote control of the compromised system, according to CyberArmor, which has given the campaign the name 'Niki'.

While it remains unclear exactly how this newly discovered activity triggers the infection chain, the group is thought to use it as the entry point.

The starting point of the attack is a suspicious ZIP file posing as an archive of Korean military history, containing two files: a Hangul Word Processor document and an executable.

Launching the executable retrieves a PowerShell script from a malicious server, which sends information about the compromised victim to a publicly accessible GitHub repository and then downloads additional PowerShell code via a Windows shortcut (LNK) file.

Zscaler reported discovering that the malicious extension file "Google Translate.crx," created on February 13, 2024, was briefly hosted in the repository and contained TRANSLATEXT; the extension's distribution method is currently unknown.

The files were stored in the repository from March 7, 2024 and deleted the following day, suggesting that Kimsuky aimed to minimize exposure and use the malware only briefly against specific individuals, according to security researcher Seongsu Park.

TRANSLATEXT masquerades as Google Translate and embeds JavaScript code to bypass security measures on sites operated by Google, Kakao, and Naver. It steals email addresses, login credentials, and cookies, captures browser screenshots, and then transmits the stolen data to the attackers.

The extension is also designed to fetch commands from Blogger Blogspot URLs, allowing it to take screenshots of newly opened tabs, delete all cookies from the browser, and more.
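The behaviour described above (a sideloaded extension posing as Google Translate, with cookie, tab and page-content access) is exactly what an endpoint audit of installed Chrome extensions can surface. The following script is an added example, not code from Zscaler or from the article, that parses extension manifests from a Chrome profile's Extensions folder and scores each one on its declared capabilities. The permission list, the risk weights and the name allowlist (`IMPERSONATED_NAMES`) are the author's own choices; the sample manifests are constructed and are not real TRANSLATEXT artifacts.

```python
"""Audit Chrome extension manifests for credential- and cookie-stealing capabilities."""
import json
from pathlib import Path

# Permissions that let an extension read credentials, cookies or page content,
# inject scripts, or capture tab screenshots. Chosen by the example's author.
HIGH_RISK_PERMISSIONS = {
    "cookies", "tabs", "activeTab", "scripting", "webRequest",
    "webRequestBlocking", "webNavigation", "debugger", "history",
    "clipboardRead", "nativeMessaging",
}
# Extensions installed from the Chrome Web Store carry this update_url;
# a sideloaded .crx or an unpacked extension normally does not.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Brand names a sideloaded extension should never be using (hypothetical
# allowlist; extend for your environment).
IMPERSONATED_NAMES = {"google translate"}


def _is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every site."""
    return pattern == "<all_urls>" or pattern.endswith("://*/*")


def audit_manifest(manifest: dict) -> dict:
    """Return findings and a simple additive risk score for one manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))

    # Note: localized names appear as "__MSG_<key>__" and would need the
    # _locales folder to resolve; this example compares the raw string only.
    name = str(manifest.get("name", "<unnamed>"))
    sideloaded = manifest.get("update_url") != WEB_STORE_UPDATE_URL
    findings = {
        "name": name,
        "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "broad_host_access": sorted(h for h in hosts if _is_broad_host(h)),
        "sideloaded": sideloaded,
        "impersonates_known_name": sideloaded and name.strip().lower() in IMPERSONATED_NAMES,
    }
    score = len(findings["risky_permissions"]) + len(findings["broad_host_access"])
    score += 2 if sideloaded else 0
    score += 3 if findings["impersonates_known_name"] else 0
    findings["risk_score"] = score
    return findings


def scan_extensions_dir(extensions_dir: str) -> list:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    results = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        result = audit_manifest(manifest)
        result["extension_id"] = manifest_path.parents[1].name
        results.append(result)
    return sorted(results, key=lambda r: r["risk_score"], reverse=True)


# Constructed sample manifests (not real TRANSLATEXT artifacts): one mimicking
# the capabilities the article describes, one benign Web Store extension.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
    "background": {"service_worker": "background.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "2.0",
    "permissions": ["storage"],
    "update_url": WEB_STORE_UPDATE_URL,
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run `scan_extensions_dir()` against a user's Chrome profile (on Windows typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`) and review anything with a non-zero score; the sideloaded-plus-impersonated-name combination is the signal most specific to the activity the article describes, while the permission score alone will also flag legitimate but powerful extensions and needs human triage.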

“The primary objective of the Kimsuky group is to gather crucial intelligence by conducting surveillance on academic and government figures,” Park said.
