
TRANSLATEXT Malware

The North Korean threat group Kimsuky has been linked to a new malicious Google Chrome extension built to harvest sensitive information for intelligence gathering. Discovered by researchers in March 2024 and dubbed TRANSLATEXT, the extension can collect email addresses, usernames, passwords, cookies and browser screenshots.

This campaign has targeted South Korean academic institutions, particularly those researching North Korean political issues.

Kimsuky is a Prominent North Korean Threat Group

Kimsuky, a well-known North Korean hacking group active since at least 2012, conducts cyber espionage and, on occasion, financially motivated attacks, primarily against South Korean targets. Attributed, like the Lazarus group, to North Korea's Reconnaissance General Bureau (RGB), Kimsuky is also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail and Velvet Chollima. Its primary mission is to surveil academic and government personnel and collect intelligence of value to the regime.

Spear-phishing Tactics Often Used by Kimsuky

The group has exploited a known Microsoft Office vulnerability (CVE-2017-11882, the Equation Editor memory-corruption flaw) to distribute a keylogger, using job-themed lures in attacks on the aerospace and defense sectors. The goal of those attacks is to deploy an espionage tool capable of data collection and secondary payload execution.

That backdoor, which appears to be previously undocumented, lets the attackers perform basic reconnaissance and deploy additional payloads to take over or remotely control the machine.

The exact method of initial access for this new activity remains unclear, but the group is known to use spear-phishing and social engineering attacks to initiate the infection chain.

TRANSLATEXT Poses as Google Translate to Trick Victims

The starting point of the attack is a ZIP archive that purports to be about Korean military history and contains two files: a Hangul Word Processor (HWP) document and an executable.

Launching the executable retrieves a PowerShell script from an attacker-controlled server. That script uploads information about the compromised victim to a GitHub repository and downloads additional PowerShell code by means of a Windows shortcut (LNK) file.

Researchers note that evidence found on GitHub suggests Kimsuky intended to minimize exposure, using the malware only briefly and against specific individuals.

TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures on services such as Google, Kakao and Naver; siphon email addresses, credentials and cookies; capture browser screenshots; and exfiltrate the stolen data.

It is also designed to fetch commands from a Blogger (Blogspot) URL, including instructions to take screenshots of newly opened tabs and to delete all cookies from the browser.
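The capabilities described above (reading and deleting cookies, capturing tabs, injecting script into login pages) are only available to an extension that requests the matching Chrome permissions, which makes a profile's installed manifests a cheap hunting surface. The script below is an added triage example, not code from the original report or from the malware: it scores a manifest on the permission set such an extension would need and on the absence of a Chrome Web Store update_url (a sideloaded extension has none). The weights and threshold are this example's own heuristic, and the two sample manifests are constructed for the offline run, not recovered from TRANSLATEXT.

```python
"""Triage Chrome extension manifests for a cookie/credential-stealing
capability profile. Added example; the weights are a heuristic, not a
published scoring model, and the sample manifests are constructed."""
import json
from pathlib import Path

# Every Chrome Web Store extension carries this update_url; an unpacked
# or sideloaded extension usually carries none.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that map onto the behaviours described in the text.
RISKY_PERMISSIONS = {
    "cookies": (2, "read/delete cookies (session theft, chrome.cookies.remove)"),
    "tabs": (1, "enumerate tabs / screenshot them (tabs.captureVisibleTab)"),
    "scripting": (1, "inject JavaScript into pages (credential scraping)"),
    "webRequest": (1, "observe HTTP traffic"),
    "webRequestBlocking": (1, "alter requests or strip security headers"),
    "declarativeNetRequest": (1, "rewrite requests/responses by rule"),
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SUSPICIOUS_THRESHOLD = 5  # heuristic cut-off chosen for this example


def host_patterns(manifest):
    """Collect host access from MV2 (`permissions`), MV3 (`host_permissions`)
    and content_scripts `matches`."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def assess_manifest(manifest):
    """Return a triage record with a score, the reasons, and a verdict."""
    perms = set(manifest.get("permissions", []))
    score, reasons = 0, []
    for name in sorted(perms & RISKY_PERMISSIONS.keys()):
        weight, why = RISKY_PERMISSIONS[name]
        score += weight
        reasons.append(f"permission '{name}': {why}")
    if host_patterns(manifest) & BROAD_HOST_PATTERNS:
        score += 1
        reasons.append("host access to every site")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        score += 2
        reasons.append("no Chrome Web Store update_url (sideloaded or unpacked)")
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
        "version": manifest.get("version", "?"),
        "score": score,
        "reasons": reasons,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def scan_extensions_dir(root):
    """Walk a profile's Extensions/ folder (<id>/<version>/manifest.json).
    On Windows that is %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions."""
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for mf in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip, do not crash the sweep
        rec = assess_manifest(data)
        rec["extension_id"] = mf.parts[-3]
        results.append(rec)
    return results


# Constructed sample manifests for the offline run (not recovered from the malware).
FAKE_TRANSLATOR = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
STORE_TRANSLATOR = {
    "manifest_version": 3,
    "name": "Translate",
    "version": "2.0.13",
    "permissions": ["activeTab", "storage", "contextMenus"],
    "update_url": WEBSTORE_UPDATE_URL,
}

if __name__ == "__main__":
    for m in (FAKE_TRANSLATOR, STORE_TRANSLATOR):
        r = assess_manifest(m)
        print(f"{r['name']!r} v{r['version']} score={r['score']} suspicious={r['suspicious']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

Two caveats for a real sweep: an extension loaded unpacked through developer mode or `--load-extension` lives wherever it was unpacked, not under Extensions/, so also read the `extensions.settings` entries (each has a `path`) in the profile's Preferences or Secure Preferences file; and a low score is not a clean bill, since a store-published extension can be updated into a malicious one while keeping its update_url.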
