A North Korean-linked threat actor known as Kimsuki has been linked to the use of a new malicious Google Chrome extension designed to steal sensitive information as part of ongoing intelligence-gathering efforts.
Zscaler ThreatLabz which is observed in early March 2024, the extension was codenamed TRANSLATEXT, highlighting its ability to collect email addresses, usernames, passwords, cookies, and browser screenshots.
The targeted campaign is believed to have been directed against South Korean academics, particularly those involved in North Korean political affairs.
Kimsuki is a a famous hacking team from North Korea, which is known to have been active since at least 2012, orchestrating cyberespionage and financially motivated attacks targeting South Korean organizations.
A sister group to the Lazarus cluster and part of the Intelligence General Bureau (RGB), it is too is tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail and Velvet Chollima.
In recent weeks, the group has armed known security flaw in Microsoft Office (CVE-2017-11882) to spread keylogger and used work-themed lures in attacks targeting the aerospace and defense sectors to destroy an espionage tool with data collection functions and the execution of a secondary payload.
“The backdoor, which does not appear to have been publicly documented before, allows an attacker to perform basic reconnaissance and drop additional payloads to hijack or remotely control a machine,” cyber security company CyberArmor. said. The company was named Niki.
The exact mode of initial access associated with the newly discovered activity is currently unclear, although the group is known to use phishing and social engineering attacks activate the infection chain.
The starting point of the attack is a ZIP archive that purports to be about Korean military history and contains two files: a Hangul text document and an executable file.
Running the executable causes a PowerShell script to be retrieved from a server controlled by the attacker, which in turn exports information about the compromised victim to a GitHub repository and loads additional PowerShell code using a Windows Shortcut (LNK) file.
Zscaler said he found it A GitHub accountcreated on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name “GoogleTranslate.crx”, although its delivery method is currently unknown.
“These files were in storage on March 7, 2024 and were deleted the next day, which means that Kimsuki intended to minimize exposure and use the malware for a short period to target specific individuals,” said security researcher Seongsoo Park.
TRANSLATEXT, which pretends to be Google Translate, includes JavaScript code to bypass the security measures of services such as Google, Kakao and Naver; browse email addresses, credentials and cookies; take screenshots of the browser; and steal the stolen data.
It is also designed to receive commands from the Blogger Blogspot URL to take screenshots of recently opened tabs and delete all cookies from the browser, among other things.
“One of the main tasks of Kimsuki’s group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence,” Park said.
