Attackers abuse Chrome extensions because a single malicious extension, disguised as a common tool, can reach many victims through the browser.
Once loaded, such unwanted extensions can harvest personal data, display pop-ups, rewrite URLs, and manipulate browser behaviour.
Zscaler ThreatLabz detected new activity by Kimsuky, a North Korean state-sponsored APT group known for cyber espionage and financial attacks, in March 2024.
The team found that sensitive data, including email addresses, credentials, and browser screenshots, was stolen using a novel Google Chrome extension called “TRANSLATEXT”.
“TRANSLATEXT” Chrome Extension
Kimsuky’s infection chain consisted of distributing archive files containing deceptive documents and malicious executables that retrieved PowerShell scripts from distant servers.
The attackers stored both victim data and the Chrome extension files on a GitHub account.
The actual delivery method for TRANSLATEXT is still unknown; however, there are indications that Kimsuky used Windows registry keys to install the extension without user interaction, part of the group’s evolving tactics against South Korean and international organizations.
Kimsuky, a North Korean APT group, briefly uploaded a malicious Chrome extension called TRANSLATEXT to a GitHub account in March 2024.
Disguised as Google Translate, the extension contained four JavaScript files designed to bypass security controls, steal sensitive information, and take screenshots of the browser, researchers said.
The extension targeted South Korean users, specifically the Naver, Kakao, and Gmail login pages. It requested extensive permissions so that it could inject scripts into web pages and modify their content.
This shows how Kimsuky is adapting its cyber espionage tactics and why users and defenders need to remain vigilant about deceptive browser extensions.
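As an added defensive illustration (not code from the Zscaler report or from TRANSLATEXT), the following Python helper, written for this article, triages an unpacked extension’s manifest.json for the profile described above: high-risk permissions, broad host access, and content scripts injected into the Naver, Kakao and Google login pages. The sample manifest is constructed for the example and is not the real extension’s manifest.

```python
import json

# Permissions that let an extension read or alter page content or sessions.
HIGH_RISK_PERMISSIONS = {"scripting", "tabs", "webRequest", "cookies", "webNavigation"}
# Login portals named in the article; match patterns touching them are flagged.
WATCHED_LOGIN_HOSTS = ("naver.com", "kakao.com", "accounts.google.com")
BROAD_PREFIXES = ("*://*/", "http://*/", "https://*/")


def _covers_watched_host(pattern):
    """True if a match pattern such as *://*.naver.com/* or <all_urls> reaches a watched host."""
    return pattern == "<all_urls>" or any(host in pattern for host in WATCHED_LOGIN_HOSTS)


def triage_manifest(manifest):
    """Return a list of human-readable findings for a parsed manifest dict (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    broad = sorted(p for p in perms if p == "<all_urls>" or p.startswith(BROAD_PREFIXES))
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    for script in manifest.get("content_scripts", []):
        hits = [m for m in script.get("matches", []) if _covers_watched_host(m)]
        if hits:
            findings.append("content script %s injected into login hosts via %s"
                            % (script.get("js", []), hits))
    # A translation-themed name combined with login-page injection is the pattern described above.
    label = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    if "translate" in label and any(f.startswith("content script") for f in findings):
        findings.append("translation-themed extension with login-page injection")
    return findings


def triage_manifest_file(path):
    """Convenience wrapper: load an unpacked extension's manifest.json and triage it."""
    with open(path, encoding="utf-8") as fh:
        return triage_manifest(json.load(fh))


# Constructed sample manifests (hypothetical, for demonstration only).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Google Translate Helper",
    "permissions": ["scripting", "tabs", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.naver.com/*", "*://*.kakao.com/*",
                                     "https://accounts.google.com/*"], "js": ["content.js"]}],
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Notepad", "permissions": ["storage"]}
```

Run `triage_manifest(SUSPICIOUS_MANIFEST)` to see the four findings; a benign manifest returns an empty list.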
The group used this complex Chrome extension to target South Korean users, particularly in the education sector.
The extension uses the dead drop resolver technique to retrieve commands from public blogs, and it registers multiple listeners to collect user information. Collected data is sent to the C2 server via HTTP POST requests, with a b374k webshell on the server side used to receive the stolen data.
Redirecting to legitimate services that do not arouse suspicion and making use of specific Korean domains for hosting malicious scripts form part of Kimsuky’s tactics.
This campaign shows that the group continues to change its cyber espionage techniques, targeting especially those researchers who deal with geopolitics on the Korean peninsula.
One detected Kimsuky attack targeted an academic specializing in the geopolitics of the Korean peninsula, in support of the group’s surveillance efforts.
The campaign employs malicious Google Chrome extensions to gather intelligence from South Korean academia.
These findings demonstrate Kimsuky’s current tactics and show why it is important to stay informed about North Korea-related threats.
Users are advised to be cautious when downloading programs from unknown sites in order to minimize risk.