Kimsuky deploys TRANSLATEXT to target South Korean academia

Zscaler ThreatLabz reports that Kimsuky is deploying a new Chrome extension, TRANSLATEXT, for cyber espionage against South Korean academia; the extension steals emails, credentials, cookies, and screenshots. The campaign relies on attacker-controlled GitHub hosting and decoy Google Translate branding to reach the targeted researchers. Hashtags: #Kimsuky #TRANSLATEXT #ChromeExtension #SouthKorea #Academia #GoogleTranslate.crx #Gmail #Naver #Kakao

Keypoints

  • Kimsuky uploaded TRANSLATEXT to their attacker-controlled GitHub repository on March 7, 2024.
  • TRANSLATEXT can bypass security measures for Gmail, Kakao, and Naver to steal information.
  • TRANSLATEXT is designed to steal email addresses, usernames, passwords, cookies, and to capture browser screenshots.
  • Targets appear to be in South Korea’s academic sector, especially researchers involved in North Korea-related politics.
  • The campaign uses a Google Translate–masquerading extension with four malicious JavaScript files and a PowerShell-based delivery chain.
  • The infrastructure includes a dead drop resolver via a blog, multiple download URLs, and domains such as r-e.kr and webman.w3school.cloudns.nz.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – The attacker uses a PowerShell script to collect general system information and upload it to GitHub. “The PowerShell script from the remote server is responsible for uploading general information about the victim and creating a Windows shortcut that retrieves an additional PowerShell script from the same server.”
  • [T1176] Browser Extensions – The threat actor uses TRANSLATEXT for exfiltration and persistence.
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The threat actor exfiltrates credentials stored in the browser to GitHub.
  • [T1113] Screen Capture – TRANSLATEXT captures screenshots of newly opened browser tabs.
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP is used to fetch the payload and then to upload the exfiltrated data.
  • [T1102.001] Web Service: Dead Drop Resolver – TRANSLATEXT receives its commands from a post on a legitimate blog.
  • [T1041] Exfiltration Over C2 Channel – Collected email addresses and passwords are sent over the C2 channel.

Indicators of Compromise

  • [Hash] PowerShell script (tys.txt) – bba3b15bad6b5a80ab9fa9a49b643658, 38e27983c757374d9bae36a2e2520e8e
  • [URL] PowerShell script download URLs – hxxp://sdfa.liveblog365[.]com/ares/hades.txt, hxxp://sdfa.liveblog365[.]com/ares/babyhades.txt
  • [URL] Script download URLs – hxxp://ney.r-e[.]kr/mar/tys.txt, hxxp://ney.r-e[.]kr/mar/tys.php
  • [Domain] C2 domain – webman.w3school.cloudns.nz
  • [URL] Dead drop/blog resolver – https://onewithshare.blogspot[.]com/2023/04/10.html
  • [URL] GitHub/update artifacts – https://raw.githubusercontent.com/HelperDav/Web/main/update.xml
  • [URL] Threat actor GitHub – https://github.com/cmastern
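The indicators above can be turned directly into a proxy-log sweep. The following is an added example, not code from Zscaler or the report: it refangs the defanged values, matches hosts and URL prefixes, and also applies one heuristic that is my assumption rather than the report's (an extension update.xml fetched from raw GitHub content). The log line shape and the sample lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators from this page, refanged so they compare against real log values.
IOC_HOSTS = {
    "sdfa.liveblog365.com": "PowerShell script download host",
    "ney.r-e.kr": "script download host",
    "webman.w3school.cloudns.nz": "C2 domain",
    "onewithshare.blogspot.com": "dead drop resolver (blog)",
}
IOC_URL_PREFIXES = {
    "https://raw.githubusercontent.com/HelperDav/Web/main/update.xml": "TRANSLATEXT update manifest",
    "https://github.com/cmastern": "threat actor GitHub account",
}
# Assumed log format (constructed): "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def refang(value: str) -> str:
    """Turn the defanged report form (hxxp, [.]) back into a real URL."""
    return value.replace("hxxp", "http").replace("[.]", ".")

def classify_url(url: str) -> Optional[str]:
    """Return a reason if the URL matches an indicator, else None."""
    url = refang(url)
    for prefix, reason in IOC_URL_PREFIXES.items():
        if url.startswith(prefix):
            return reason
    host = (urlparse(url).hostname or "").lower()
    for ioc_host, reason in IOC_HOSTS.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return reason
    # Heuristic (assumption, not from the report): Chrome extension update
    # manifests normally come from the Web Store, not raw GitHub content.
    if host == "raw.githubusercontent.com" and url.endswith("/update.xml"):
        return "extension update.xml served from raw GitHub (heuristic)"
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify_url(m["url"])):
            hits.append((m["client"], refang(m["url"]), reason))
    return hits

SAMPLE_LOG = [  # constructed sample traffic, not real data
    "2024-03-08T09:12:01Z 10.0.0.15 GET http://ney.r-e.kr/mar/tys.txt",
    "2024-03-08T09:12:05Z 10.0.0.15 GET https://raw.githubusercontent.com/HelperDav/Web/main/update.xml",
    "2024-03-08T09:13:40Z 10.0.0.15 GET https://onewithshare.blogspot.com/2023/04/10.html",
    "2024-03-08T09:14:00Z 10.0.0.22 GET https://www.google.com/",
    "2024-03-08T09:15:10Z 10.0.0.15 POST http://webman.w3school.cloudns.nz/upload",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
```

Only the first two categories are report-backed indicators; the raw-GitHub update.xml heuristic is a review trigger, not a verdict, so tune it against your own extension inventory before alerting on it.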

Read more: https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia