Beware of the “TRANSLATEXT” Chrome Extension from North Korean Hackers


Hackers exploit Chrome extensions to embed malware, gather personal data, display pop-ups, change URLs, and manipulate the browser.

Zscaler ThreatLabz detected new activity by Kimsuky, a North Korean state-sponsored APT group, in March 2024.

They used a malicious Chrome extension called “TRANSLATEXT” to steal sensitive data, including email addresses, credentials, and browser screenshots.

“TRANSLATEXT” Chrome Extension

Kimsuky’s infection chain involved distributing archive files with deceptive documents and malicious executables that retrieved PowerShell scripts from remote servers.

The attackers stored victim data and Chrome extension files on their GitHub account.

While the exact delivery method for TRANSLATEXT remains unknown, there are indications that Kimsuky used Windows registry keys to install the extension without user intervention. This reflects their evolving strategies targeting South Korean and international organizations.

In March 2024, Kimsuky, a North Korean APT group, briefly uploaded a malicious Chrome extension called TRANSLATEXT to GitHub.

Disguised as Google Translate, it contained JavaScript files to bypass security, steal information, and take browser screenshots. The extension targeted Naver, Kakao, and Gmail login pages, requesting extensive permissions to inject scripts and modify content.
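A defender-side way to act on the traits described above is to triage an extension's manifest for the combination of broad permissions, script injection, and content scripts scoped to the login pages named in the report. The following is an added example, not code from the article or from Zscaler; the permission list, the watched-host list and the sample manifest are all constructed assumptions for illustration.

```python
"""Triage a Chrome extension manifest for TRANSLATEXT-style traits:
script-injection permissions, broad host access, and content scripts
aimed at webmail / portal login pages. Added example; sample data is constructed."""
import json

# Permissions that let an extension read or alter page content or traffic (assumed list).
HIGH_RISK_PERMISSIONS = {"scripting", "tabs", "webRequest", "webRequestBlocking",
                         "declarativeNetRequest", "cookies", "webNavigation"}
# Login / webmail hosts the report names as targets (assumed list, extend as needed).
WATCHED_HOSTS = ["naver.com", "kakao.com", "mail.google.com", "accounts.google.com"]


def _host_covers_watched(host: str) -> bool:
    """True if a match-pattern host (e.g. '*.naver.com') covers a watched host."""
    if host == "*":
        return True
    base = host[2:] if host.startswith("*.") else host  # '*.x.com' also matches x.com
    return any(base == w or w.endswith("." + base) or base.endswith("." + w)
               for w in WATCHED_HOSTS)


def _pattern_hits_watched_host(pattern: str) -> bool:
    """Extract the host part of a Chrome match pattern (scheme://host/path)."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return _host_covers_watched(host)


def triage_manifest(manifest: dict) -> dict:
    """Return the findings and a coarse verdict ('review' or 'low') for one manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {
        "risky_permissions": sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS),
        "broad_host_access": sorted(p for p in perms if p == "<all_urls>" or p.startswith("*://*/")),
        "watched_host_scripts": [m for cs in manifest.get("content_scripts", [])
                                 for m in cs.get("matches", []) if _pattern_hits_watched_host(m)],
    }
    # Weighted score: broad host access and login-page scripts count double.
    score = (len(findings["risky_permissions"]) + 2 * len(findings["broad_host_access"])
             + 2 * len(findings["watched_host_scripts"]))
    findings["verdict"] = "review" if score >= 3 else "low"
    return findings


# Constructed manifest mimicking the behaviour the report describes (not the real extension).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Google Translate",
  "permissions": ["scripting", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*.naver.com/*", "*://mail.google.com/*",
                                   "*://accounts.kakao.com/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against a manifest.json pulled from a user's extension directory; a "review" verdict means the extension deserves a closer look, not that it is malicious.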

This incident underscores Kimsuky’s evolving cyber espionage tactics and the need for vigilance against deceptive browser extensions.

The group used this complex Chrome extension to target South Korean users, especially in the education sector.

It employs the dead drop resolver technique to receive commands from public blogs, uses multiple listeners that collect user information and send it to the C2 server via HTTP POST requests, and relies on the b374k webshell to exfiltrate the stolen data.

Kimsuky’s tactics include redirecting to legitimate services to avoid suspicion and using specific Korean domains to host malicious scripts.

This campaign highlights Kimsuky’s evolving cyber espionage techniques, particularly against researchers focused on Korean peninsula geopolitics. One attack targeted an academic specializing in this area, in support of the group’s surveillance efforts.

The campaign uses malicious Chrome extensions to gather intelligence from South Korean academia.

This highlights Kimsuky’s strategies and the need to stay informed about North Korean threats.

Exercise caution when downloading programs from unknown sites to minimize risks.


About the Author:

FirstHackersNews - Identifies Security
