Kimsuky Deploys TRANSLATEXT Chrome Extension

June 28, 2024, 7:58 a.m.

Description

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser screenshots. The primary targets appear to be academic researchers in South Korea specializing in geopolitical issues related to the Korean peninsula. The extension bypassed security measures of prominent email providers and exfiltrated stolen data via a GitHub repository controlled by the threat actors.

External References

https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia
https://otx.alienvault.com/pulse/667e6a3f7625d7dc706f0d31
Tags
malware
north korea
cyber espionage
credential theft
2024-06-28
chrome extension

Date

  • Created: June 28, 2024, 7:46 a.m.
  • Published: June 28, 2024, 7:46 a.m.
  • Modified: June 28, 2024, 7:58 a.m.

Indicators

  • https://webman.w3school.cloudns.nz/config.php
  • https://webman.w3school.cloudns.nz
  • http://viaweb.co.kr
  • http://sdfa.liveblog365.com/ares/hades.txt
  • http://sdfa.liveblog365.com/ares/babyhades.txt
  • http://ney.r-e.kr/mar/tys.txt
  • http://ney.r-e.kr/mar/tys.php
  • webman.w3school.cloudns.nz
  • ney.r-e.kr
  • sdfa.liveblog365.com
Download all indicators here!

Attack Patterns

  • TRANSLATEXT
  • Kimsuky

Additional Informations

  • Education