Kimsuky Deploys TRANSLATEXT Chrome Extension

June 28, 2024, 7:58 a.m.

Description

In March 2024, the cybersecurity firm Zscaler observed new activity from Kimsuky, a North Korean state-sponsored hacker group. The group deployed a malicious Google Chrome extension named 'TRANSLATEXT', crafted to steal email addresses, usernames, passwords and cookies and to capture browser screenshots. The primary targets appear to be academic researchers in South Korea specializing in geopolitical issues related to the Korean peninsula. The extension bypassed the security measures of prominent email providers and exfiltrated the stolen data via a GitHub repository controlled by the threat actors.

Date

Published: June 28, 2024, 7:46 a.m.

Created: June 28, 2024, 7:46 a.m.

Modified: June 28, 2024, 7:58 a.m.

Indicators


Attack Patterns

TRANSLATEXT

Kimsuky

T1102.001 (Web Service: Dead Drop Resolver)

T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1113 (Screen Capture)

T1071.001 (Application Layer Protocol: Web Protocols)

T1176 (Browser Extensions)

T1041 (Exfiltration Over C2 Channel)

Additional Information

Education