Kimsuky Exploits TRANSLATEXT Chrome Extension to Steal Sensitive Data

In the ever-evolving landscape of cyber threats, the North Korea-linked threat actor known as Kimsuky has once again demonstrated its capabilities and adaptability. Recently, Zscaler ThreatLabz identified Kimsuky using a new malicious Google Chrome extension named TRANSLATEXT to steal sensitive information. This discovery, made in early March 2024, highlights Kimsuky's ongoing intelligence collection efforts targeting specific sectors, primarily focusing on South Korean academia. This blog delves into the intricacies of the TRANSLATEXT extension, its deployment, and the broader implications of Kimsuky's cyber espionage activities.

TRANSLATEXT: A New Tool in Kimsuky's Arsenal

Capabilities of TRANSLATEXT

TRANSLATEXT is a sophisticated and potent tool designed to gather a variety of sensitive information from victims' browsers. This malicious Chrome extension is capable of collecting email addresses, usernames, passwords, cookies, and even capturing browser screenshots. What makes TRANSLATEXT particularly insidious is its ability to masquerade as a legitimate Google Translate extension, incorporating JavaScript code to bypass security measures implemented by services such as Google, Kakao, and Naver. By appearing as a benign and useful tool, TRANSLATEXT can deceive users into installing it, thereby giving Kimsuky access to a treasure trove of personal and sensitive data.

Delivery and Execution

The exact delivery method of TRANSLATEXT remains unclear, which adds to the challenge of defending against it. However, Kimsuky is well-known for leveraging sophisticated spear-phishing and social engineering attacks to trick targets into initiating the infection chain. Typically, the attack begins with a ZIP archive that appears to be related to Korean military history. This archive contains two files: a Hangul Word Processor document and an executable file. When the executable is launched, it retrieves a PowerShell script from a server controlled by the attackers. This script then exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code through a Windows shortcut (LNK) file.

This multi-stage attack process demonstrates the level of sophistication and planning behind Kimsuky's operations. By using a familiar and seemingly legitimate document, the attackers lower the likelihood of raising suspicion among their targets. The use of GitHub for initial data export also showcases an innovative approach to blending malicious activities with regular internet traffic, making it harder for traditional security systems to detect and block the malicious actions.

Targeted Campaigns Against South Korean Academia

Focus on North Korean Political Affairs

The recent campaign involving TRANSLATEXT has specifically targeted South Korean academia, with a particular focus on researchers and scholars who study North Korean political affairs. This strategic targeting aligns with Kimsuky's broader objectives of gathering valuable intelligence that can aid North Korea's geopolitical and strategic interests. By infiltrating the systems of individuals who possess critical insights into North Korean politics, Kimsuky aims to obtain information that can provide a significant advantage to their home country.

Brief Deployment and Minimizing Exposure

One notable aspect of this campaign is the brief deployment of the TRANSLATEXT extension. Zscaler observed that the extension was hosted on a GitHub account created on February 13, 2024, under the name "GoogleTranslate.crx." The files associated with TRANSLATEXT were present in the repository on March 7, 2024, but were deleted the next day. This brief window of activity implies that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals. By quickly removing the files, the attackers aimed to reduce the likelihood of detection and analysis by security researchers and law enforcement agencies.

Kimsuky's Broader Threat Landscape

A History of Cyber Espionage

Kimsuky is not a new player in the world of cyber espionage. The group has been active since at least 2012 and has built a notorious reputation for orchestrating cyber espionage and financially motivated attacks primarily targeting South Korean entities. Kimsuky is a sister group of the Lazarus cluster and operates as part of the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency. Over the years, Kimsuky has been tracked under various names, including APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

The group's activities have ranged from stealing classified information to financial fraud and ransomware attacks. Their adaptability and persistence have made them one of the most formidable cyber threat actors linked to North Korea. Kimsuky's ability to blend cyber espionage with financially motivated operations indicates a versatile approach to achieving their objectives, whether it involves gathering intelligence or generating revenue to support North Korea's regime.

Recent Exploits and Attack Vectors

In recent weeks, Kimsuky has continued to demonstrate its expertise in exploiting vulnerabilities and employing various attack vectors. One notable example is their exploitation of a known security flaw in Microsoft Office (CVE-2017-11882). This vulnerability, which has been widely recognized and patched by Microsoft, allowed Kimsuky to distribute a keylogger. By exploiting this flaw, Kimsuky could capture keystrokes and obtain sensitive information from infected systems.

Additionally, Kimsuky has employed job-themed lures in attacks aimed at the aerospace and defense sectors. These lures are designed to attract individuals seeking employment opportunities, tricking them into opening malicious documents or clicking on compromised links. Once the target engages with the lure, Kimsuky deploys an espionage tool capable of data gathering and secondary payload execution. This tool allows the attackers to exfiltrate valuable information and potentially gain control over the compromised system.

Undocumented Backdoor for Reconnaissance

CyberArmor, a cybersecurity company, reported that Kimsuky employs a backdoor that had not been publicly documented before. This backdoor allows the attacker to perform basic reconnaissance on the infected machine and remotely control it. The backdoor's capabilities include executing additional payloads, which can further compromise the system or facilitate the exfiltration of sensitive data. This previously undocumented backdoor showcases Kimsuky's continuous development of new tools and techniques to maintain their foothold in compromised networks.

The Implications of Kimsuky's Activities

Threat to South Korean Academia

The recent campaign involving TRANSLATEXT highlights the significant threat posed by Kimsuky to South Korean academia. By targeting researchers and scholars focused on North Korean political affairs, Kimsuky aims to gather intelligence that can inform North Korea's strategic decisions. The sensitive nature of the information held by these individuals makes them prime targets for espionage activities. The successful infiltration of academic networks can provide Kimsuky with valuable insights into South Korean perspectives on North Korea, policy developments, and potential vulnerabilities.

Broader Cybersecurity Implications

Kimsuky's activities also have broader implications for the cybersecurity landscape. The group's ability to develop and deploy sophisticated malware like TRANSLATEXT demonstrates the evolving nature of cyber threats. Organizations and individuals must remain vigilant and adopt robust cybersecurity measures to defend against such advanced persistent threats. This includes regular updates and patching of software, employee training on recognizing phishing attempts, and implementing multi-factor authentication to enhance security.

The use of legitimate platforms like GitHub to host and distribute malware underscores the need for continuous monitoring and analysis of online repositories. Cybersecurity researchers and companies must collaborate to identify and mitigate emerging threats promptly. The rapid deployment and removal of TRANSLATEXT highlight the importance of real-time threat intelligence and proactive defense strategies.

Conclusion

At digiALERT, we recognize the critical importance of staying ahead of evolving cyber threats. Kimsuky's recent use of the TRANSLATEXT Chrome extension exemplifies the sophisticated tactics employed by advanced persistent threats. By targeting South Korean academia and leveraging social engineering techniques, Kimsuky continues to demonstrate its ability to infiltrate and compromise sensitive information.

The brief deployment of TRANSLATEXT, coupled with its ability to masquerade as a legitimate extension, underscores the necessity for robust cybersecurity measures. Organizations must implement comprehensive defenses, including regular software updates, multi-factor authentication, and continuous monitoring of online repositories.

As cyber threats evolve, it is essential to remain vigilant and proactive. At digiALERT, we are committed to providing cutting-edge security solutions and threat intelligence to protect our clients from such advanced threats. By understanding the tactics of adversaries like Kimsuky, we can better prepare and defend against future cyber espionage activities.