Headline
Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that’s designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames,
Cyber Espionage / Cyber Attack
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that’s designed to steal sensitive information as part of an ongoing intelligence collection effort.
Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames, passwords, cookies, and browser screenshots.
The targeted campaign is said to have been directed against South Korean academia, specifically those focused on North Korean political affairs.
Kimsuky is a notorious hacking crew from North Korea that’s known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.
A sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), it’s also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.
In recent weeks, the group has weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger and has used job-themed lures in attacks aimed at aerospace and defense sectors with an aim to drop an espionage tool with data gathering and secondary payload execution functionalities.
“The backdoor, which does not appear to have been publicly documented before, allows the attacker to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine,” cybersecurity company CyberArmor said. It has given the campaign the name Niki.
The exact mode of initial access associated with the newly discovered activity is currently unclear, although the group is known to leverage spear-phishing and social engineering attacks to activate the infection chain.
The starting point of the attack is a ZIP archive that purports to be about Korean military history and which contains two files: A Hangul Word Processor document and an executable.
Launching the executable results in the retrieval of a PowerShell script from an attacker-controlled server, which, in turn, exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code by means of a Windows shortcut (LNK) file.
Zscaler said it found the GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name “GoogleTranslate.crx,” although its delivery method is presently unknown.
“These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals,” security researcher Seongsu Park said.
TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data.
It’s also designed to fetch commands from a Blogger Blogspot URL in order to take screenshots of newly opened tabs and delete all cookies from the browser, among others.
“One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence,” Park said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.
Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT. The artifacts "almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers' server," Kaspersky researcher Sergey Puzan said. HZ RAT was first
USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.
The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at
A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.
Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by
CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.
The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.
An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020. "Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their
Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.
Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other... [[ This is only the beginning! Please visit the blog for the complete entry ]]