Kimsuky Uses Chrome Extension to Steal Data

The North Korean hacking group known as Kimsuky is employing a new malicious Google Chrome extension named TRANSLATEXT to steal sensitive information as part of its ongoing intelligence-gathering operations. Researchers discovered the activity in early March 2024 and noted that the extension collects email addresses, usernames, passwords, cookies, and browser screenshots.

This targeted campaign focuses on South Korean academia, particularly researchers specializing in North Korean political affairs. Kimsuky, active since at least 2012, is notorious for cyber espionage and financially motivated attacks against South Korean entities. The group is affiliated with the broader Lazarus cluster and the Reconnaissance General Bureau (RGB), and is also tracked under names such as APT43, ARCHIPELAGO, and Velvet Chollima.

Recently, Kimsuky has exploited a known Microsoft Office vulnerability (CVE-2017-11882, a memory-corruption flaw in the Equation Editor component) to distribute a keylogger, and has used job-themed lures in attacks on the aerospace and defense sectors to deploy an espionage tool that collects data and executes secondary payloads.

A cybersecurity firm reported that the campaign, dubbed Niki, involves a backdoor that performs reconnaissance and drops additional payloads for remote control of the infected machine. The initial access vector for the latest activity is unclear, but Kimsuky typically relies on spear-phishing and social engineering to initiate infections.

The attack begins with a ZIP archive purporting to be about Korean military history and containing a Hangul Word Processor (HWP) document and an executable. Running the executable retrieves a PowerShell script from an attacker-controlled server; that script exports information about the victim to a GitHub repository and downloads additional PowerShell code via a Windows shortcut (LNK) file.

Researchers found that a GitHub account created on February 13, 2024 briefly hosted the TRANSLATEXT extension as “GoogleTranslate.crx”, although how the extension was delivered to victims remains unknown. The files were available on March 7, 2024 and were deleted the next day, suggesting Kimsuky intended to limit exposure and reach only specific targets.

TRANSLATEXT, disguised as Google Translate, includes JavaScript designed to bypass security measures on services such as Google, Kakao, and Naver. It steals email addresses, credentials, and cookies, captures browser screenshots, and exfiltrates the collected data. It can also fetch commands from a Blogger Blogspot URL, including instructions to take screenshots of newly opened tabs and to delete all browser cookies.

Kimsuky’s main objective is to surveil academic and government personnel to gather valuable intelligence.

To defend against threats like the TRANSLATEXT Chrome extension used by Kimsuky, users should be cautious when installing browser extensions and ensure they come from trusted sources; an extension packaged as a standalone .crx file and hosted on a code-sharing site, as TRANSLATEXT was, rather than distributed through the Chrome Web Store, should be treated as suspect. Organizations can enforce this with Chrome's enterprise policies (ExtensionInstallAllowlist and ExtensionInstallBlocklist), which restrict installs to vetted extensions. Deploying security tooling that can detect and block malicious extensions, educating users about the risks of phishing and social engineering, and keeping all software, including browsers, patched with the latest security updates are also crucial steps in preventing such attacks.
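The capability set described for TRANSLATEXT (cookie access, tab monitoring and screenshots, scripts injected into login pages, and no Chrome Web Store provenance) is visible in an extension's manifest.json before any of its code runs, which makes manifest triage a practical first check for the detection step above. The following script is an added example written for this article, not code from the original report or from the researchers who analyzed TRANSLATEXT. It walks a Chrome profile's Extensions directory, scores each manifest on the permission combinations that matter for this kind of theft, and flags extensions that did not come from the Web Store. The two sample manifests embedded in it are constructed for illustration and are not the real TRANSLATEXT manifest; the scoring weights are the author's own assumptions, not a published detection rule.

```python
"""Triage installed Chrome extensions for the capability profile described for
TRANSLATEXT: cookie access, tab capture, injected content scripts and
off-store distribution. Run with a path such as
  ~/.config/google-chrome/Default/Extensions
or with no argument to score the constructed sample manifests below."""
import json
import sys
from pathlib import Path

# Web Store extensions carry this update_url; a sideloaded .crx usually has none.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions relevant to credential, cookie and screenshot theft (weights are assumptions).
WATCHED_PERMISSIONS = {
    "cookies": "can read and delete cookies for permitted hosts",
    "tabs": "can enumerate tabs and, with host access, screenshot the visible tab",
    "activeTab": "can screenshot or script the active tab after a user gesture",
    "webRequest": "can observe requests, including login form submissions",
    "scripting": "can inject scripts into permitted hosts at runtime",
    "storage": "can persist stolen data or fetched commands locally",
}


def _is_host_pattern(p: str) -> bool:
    # MV2 manifests mix host patterns into "permissions"; MV3 uses "host_permissions".
    return p == "<all_urls>" or "://" in p


def analyze_manifest(manifest: dict) -> dict:
    """Return findings and a risk score for one extension manifest (MV2 or MV3)."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in declared if _is_host_pattern(p)}
    api_perms = {p for p in declared if not _is_host_pattern(p)}
    findings, score = [], 0

    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
        score += 2

    for perm, why in WATCHED_PERMISSIONS.items():
        if perm in api_perms:
            findings.append(f"permission '{perm}': {why}")
            score += 1

    # Content scripts are how a lookalike extension tampers with login pages.
    matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    if matches:
        findings.append(f"content scripts injected into: {sorted(matches)}")
        score += 2 if matches & BROAD_HOST_PATTERNS else 1

    # Cookie theft plus tab capture plus host access in one extension is the profile reported here.
    if "cookies" in api_perms and ({"tabs", "activeTab"} & api_perms) and hosts:
        findings.append("cookie access combined with tab capture and host access")
        score += 3

    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("not distributed via the Chrome Web Store (missing or foreign update_url)")
        score += 2

    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": score, "findings": findings}


def scan_extensions_dir(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and triage each, highest risk first."""
    results = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            report = analyze_manifest(json.load(f))
        report["id"] = manifest_path.parent.parent.name
        results.append(report)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample: a Translate lookalike declaring the capabilities described in the article.
SAMPLE_LOOKALIKE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"service_worker": "background.js"},
}

# Constructed sample: a low-privilege Web Store extension for comparison.
SAMPLE_BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Dark Mode Toggle",
    "version": "2.1",
    "permissions": ["storage"],
    "update_url": WEBSTORE_UPDATE_URL,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        reports = scan_extensions_dir(Path(sys.argv[1]))
    else:
        reports = [analyze_manifest(m) for m in (SAMPLE_LOOKALIKE_MANIFEST, SAMPLE_BENIGN_MANIFEST)]
    for r in reports:
        print(f"[{r['score']:>2}] {r['name']} {r['version']} {r.get('id', '')}")
        for finding in r["findings"]:
            print(f"      - {finding}")
```

The score is a triage aid, not a verdict: legitimate password managers and screenshot tools also combine cookies, tabs and broad host access, so anything that scores high should be checked against an approved-extension inventory and, where it was not installed from the Web Store, against who installed it and when.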