Zscaler ThreatLabz has uncovered new activity from the notorious North Korean-backed advanced persistent threat (APT) group tracked as Kimsuky.
Kimsuky, aka APT43, Emerald Sleet, and Velvet Chollima, known for its cyber espionage and financially motivated attacks, has been primarily targeting South Korean entities since its emergence in 2013. The latest findings reveal that Kimsuky has developed a new Google Chrome extension named “Translatext” to further their espionage efforts, specifically targeting the South Korean academic sector.
Kimsuky has a history of employing various tactics, techniques, and procedures (TTPs) in its campaigns, including the use of malicious Google Chrome extensions. In July 2022, it was reported that Kimsuky had used similar extensions to target users in the US, Europe, and South Korea.
Translatext, a seemingly innocuous Chrome extension, was uploaded to Kimsuky's GitHub repository on March 7, 2024. The extension is designed to steal a wide range of sensitive information, including email addresses, usernames, passwords, cookies, and browser screenshots. It is also built to get around the login protections of several major email providers, including Gmail, Kakao, and Naver, the latter two being widely used in South Korea.
The primary targets of this attack are individuals in the South Korean academic field, particularly those engaged in political research related to North Korean affairs. The attack typically begins with a ZIP archive that claims to contain information about Korean military history. The archive includes a Hangul Word Processor document and an executable file. When the executable is launched, it retrieves a PowerShell script from an attacker-controlled server; that script uploads information about the compromised host to a GitHub repository and downloads additional PowerShell code, which is launched via a Windows shortcut (LNK) file.
The GitHub account hosting Translatext was created on February 13, 2024, and briefly hosted the extension under the name “GoogleTranslate.crx.”
The exact method used to deliver the extension to victims is not yet known. Besides stealing email addresses, credentials, and cookies, the extension fetches commands from a Blogger Blogspot URL; the observed commands take screenshots of newly opened tabs and delete all cookies from the browser.
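The capabilities described above (reading and deleting cookies, capturing screenshots of tabs, watching newly opened tabs) all map onto a small set of Chrome extension permissions, which gives defenders a cheap hunting check: look for extensions that request those permissions but were not installed from the Chrome Web Store. The script below is an added example written for this article, not code from ThreatLabz or from the Translatext extension. The permission names and the Chrome Web Store update URL are real Chrome extension platform values; the three sample manifests and their 32-character IDs are constructed for illustration, and the Windows profile path in the final comment is an assumed default.

```python
"""Hunt for sideloaded Chrome extensions with Translatext-like reach (added example)."""
import json
import os
from typing import Dict, List

# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: dict) -> set:
    """Host patterns live in 'permissions' (manifest v2) or 'host_permissions' (v3)."""
    pats = set(manifest.get("host_permissions", []))
    pats.update(p for p in manifest.get("permissions", [])
                if p == "<all_urls>" or "://" in p)
    return pats


def risk_flags(manifest: dict) -> List[str]:
    """Return human-readable reasons an extension could behave like Translatext."""
    perms = set(manifest.get("permissions", []))
    hosts = _host_patterns(manifest)
    flags = []
    if "cookies" in perms:
        flags.append("cookies: can read and delete session cookies")
    if hosts & BROAD_HOSTS:
        flags.append("broad host access: can read every page, including webmail")
    # chrome.tabs.captureVisibleTab needs 'activeTab' or an <all_urls>-class host permission.
    if "activeTab" in perms or hosts & BROAD_HOSTS:
        flags.append("screenshot-capable: captureVisibleTab is available")
    if "tabs" in perms:
        flags.append("tabs: can observe every newly opened tab and its URL")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        flags.append("not from the Chrome Web Store: sideloaded or self-updating")
    return flags


def is_suspicious(manifest: dict) -> bool:
    """Sideloaded plus cookie access or screenshot capability is the shape worth triaging."""
    flags = risk_flags(manifest)
    sideloaded = any(f.startswith("not from the Chrome Web Store") for f in flags)
    dangerous = any(f.startswith(("cookies", "screenshot-capable")) for f in flags)
    return sideloaded and dangerous


def scan_manifests(manifests: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {extension id: flags} for every extension judged suspicious."""
    return {ext_id: risk_flags(m) for ext_id, m in manifests.items() if is_suspicious(m)}


def load_profile_manifests(extensions_dir: str) -> Dict[str, dict]:
    """Read <ext id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    found = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            ext_id = os.path.basename(os.path.dirname(root))  # parent of the version dir
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                found[ext_id] = json.load(fh)
    return found


# Constructed sample manifests; the IDs and names are made up for this example.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # store-installed, narrow permissions
        "name": "Reader Mode", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": [],
        "update_url": WEBSTORE_UPDATE_URL,
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # store-installed but broad: flagged, not suspicious
        "name": "Ad Filter", "manifest_version": 2,
        "permissions": ["tabs", "http://*/*", "https://*/*"],
        "update_url": WEBSTORE_UPDATE_URL,
    },
    "cccccccccccccccccccccccccccccccc": {  # sideloaded "translator" with cookie and tab reach
        "name": "GoogleTranslate", "manifest_version": 3,
        "permissions": ["cookies", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
    },
}

if __name__ == "__main__":
    # Against a real profile (assumed default Windows path, not verified here):
    # manifests = load_profile_manifests(os.path.expandvars(
    #     r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"))
    for ext_id, flags in scan_manifests(SAMPLE_MANIFESTS).items():
        print(ext_id, "->", "; ".join(flags))
```

The store-installed ad filter is broad enough to take screenshots but is not reported, because the verdict requires the sideloaded signal as well; a broad-permission extension that did come from the store is a different, much noisier class of finding. Point `load_profile_manifests` at each user's profile directory to run the same triage at fleet scale.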