
Kimsuky uses TRANSLATEXT Chrome extension to steal sensitive data

June 28, 2024 | Newsroom | Cyber espionage / cyber attacks


A North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension designed to steal sensitive information as part of an ongoing intelligence gathering operation.

Zscaler ThreatLabz, which observed this activity in early March 2024, codenamed the extension TRANSLATEXT and highlighted its ability to collect email addresses, usernames, passwords, cookies, and browser screenshots.

The targeted attack is said to be aimed at South Korean academia, particularly those focusing on North Korean political issues.

Kimsuky is a notorious North Korean hacking group known to have been active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean organizations.


A sister group to the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), the group is also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail and Velvet Chollima.

In recent weeks, the group has weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute keyloggers and has used job-themed lures in attacks aimed at the aerospace and defense sectors, with the goal of dropping an espionage tool that can gather data and execute secondary payloads.

“The backdoor, which does not appear to have been publicly documented before, allows attackers to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine,” said cybersecurity firm CyberArmor, which has named the attack Niki.


The exact mode of initial access used in this newly discovered campaign is currently unknown; however, the group is known to rely on spear-phishing and social engineering to kick off the infection chain.

The starting point of the attack is a ZIP archive purporting to be about Korean military history and containing two files: a Hangul word processor document and an executable file.

Once launched, the executable retrieves a PowerShell script from an attacker-controlled server, exports information about the compromised victim to a GitHub repository, and downloads additional PowerShell code via a Windows shortcut (LNK) file.

Zscaler said it discovered that a GitHub account created on February 13, 2024, temporarily hosted the TRANSLATEXT extension under the name “GoogleTranslate.crx,” but that it was currently unclear how it was distributed.


“These files were present in the repository on March 7, 2024, and were removed the following day, indicating that Kimsuky intended to minimize exposure and target specific individuals with the malware in a short period of time,” said security researcher Seongsoo Park.

Posing as Google Translate, TRANSLATEXT contains JavaScript code that lets it bypass security measures for services such as Google, Kakao and Naver, steal email addresses, credentials and cookies, capture browser screenshots and exfiltrate the stolen data.

It is also designed to take commands from a Blogger Blogspot URL in order to take screenshots of newly opened tabs and delete all cookies from the browser.
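To turn the description above into a hunting check, here is an added example (not code from the article or from Zscaler) that audits Chrome extension manifests for the combination of traits attributed to TRANSLATEXT: a Google Translate lookalike that is not updated from the Chrome Web Store and holds cookie, tab and webmail-host access. The permission names, the update_url marker and the sample manifests are assumptions and constructed data, not values taken from the page.

```python
import json

# Real Chrome API permission names that together give an extension reach over
# cookies, open tabs and page content; assumed, not read from TRANSLATEXT itself.
SENSITIVE_PERMS = {"cookies", "tabs", "webRequest", "scripting", "activeTab"}
# Services the article names as targets of the credential and cookie theft.
TARGET_HOSTS = ("google.com", "kakao.com", "naver.com")
# Extensions packaged by the Chrome Web Store carry this update_url in their manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample manifests: a lookalike with the traits described above and a
# benign store-installed extension for contrast.
SAMPLE_MANIFESTS = {
    "lookalike": json.dumps({
        "name": "GoogleTranslate", "version": "1.0", "manifest_version": 3,
        "permissions": ["cookies", "tabs", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    }),
    "benign": json.dumps({
        "name": "Dictionary Helper", "version": "2.3", "manifest_version": 3,
        "update_url": WEBSTORE_UPDATE_URL,
        "permissions": ["storage", "activeTab"],
        "host_permissions": [],
    }),
}

def covers_target_host(pattern):
    """True if a match pattern is a wildcard or names one of the targeted services."""
    p = pattern.lower()
    return p == "<all_urls>" or p.startswith("*://*/") or any(h in p for h in TARGET_HOSTS)

def audit_manifest(raw_json):
    """Parse one manifest.json and return the findings a hunter would want."""
    m = json.loads(raw_json)
    perms = set(m.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(m.get("host_permissions", [])) + [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = {
        "impersonates_translate": "translate" in m.get("name", "").lower(),
        "sideloaded": m.get("update_url") != WEBSTORE_UPDATE_URL,
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMS),
        "reaches_target_hosts": any(covers_target_host(h) for h in hosts),
    }
    # Flag the combination rather than any single trait: sideloaded plus cookie/tab
    # access plus reach into the targeted services is the TRANSLATEXT-like profile.
    findings["suspicious"] = (findings["sideloaded"] and {"cookies", "tabs"} <= perms
                              and findings["reaches_target_hosts"])
    return findings

def audit_all(manifests=SAMPLE_MANIFESTS):
    """Audit every manifest and return the names flagged as suspicious."""
    return sorted(name for name, raw in manifests.items() if audit_manifest(raw)["suspicious"])
```

On a real host, point `audit_all` at the manifest.json files under each profile's Extensions directory and review flagged entries rather than treating the flag as proof of compromise.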

“One of the Kimsuky group’s main objectives is to spy on academics and government officials to gather valuable information,” Park said.
