Kimsuky APT Attack Detection: North Korean Hackers Abuse the TRANSLATEXT Chrome Extension to Steal Sensitive Data
The North Korea-linked threat actor known as Kimsuky APT group is using a novel malicious Google Chrome extension dubbed “TRANSLATEXT” to collect sensitive user data for cyber espionage. The ongoing campaign, observed since early spring 2024, primarily targets South Korean academic institutions.
Detect Kimsuky Campaign Leveraging TRANSLATEXT
With APT activity on the rise amid intensifying geopolitical tensions, security professionals should stay on top of potential attacks using next-gen tools for advanced threat detection and hunting.
Rely on SOC Prime Platform for collective cyber defense to proactively identify suspicious activity linked to APTs, including the latest cyber espionage campaign by Kimsuky leveraging a malicious TRANSLATEXT extension to obtain access to sensitive data. Below, you can find a dedicated Sigma rule by our keen Threat Bounty developer Sittikorn Sangrattanapitak, aimed at checking the installation of the malicious Chrome extension.
The rule is compatible with 27 SIEM, EDR, and Data Lake solutions and is mapped to the MITRE ATT&CK® framework. Additionally, the detection is enriched with relevant metadata and CTI references to streamline threat investigation.
Security professionals seeking more detection content linked to Kimsuky APT can access the broader Sigma rules stack aggregated in the Threat Detection Marketplace, with new detections being added daily.
Whether you’re a seasoned Threat Hunter, DFIR expert, Sigma rules specialist, or SOC Analyst eager to contribute to the collective good, you can join SOC Prime’s world’s first detection engineering crowdsourcing initiative. Become a Threat Bounty Program member to unleash your personal talent, improve detection engineering & threat hunting skills, expand technology expertise, and obtain financial benefits for your contribution.
Attack Analysis Linked to Kimsuky Using TRANSLATEXT Chrome Extension
Since early spring 2024, Zscaler ThreatLabz has been tracking ongoing offensive activity linked to the Kimsuky APT group against the South Korean academic sector, specifically organizations focused on political research related to North Korea. Kimsuky, a North Korea-based hacking group also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, and TA406, has for over a decade conducted cyber espionage and financially motivated attacks against South Korean entities. In the latest campaign, adversaries weaponize a malicious Google Chrome extension called TRANSLATEXT, disguised as Google Translate, to harvest email addresses, credentials, and cookies and to capture browser screenshots.
In the first ten days of March 2024, Kimsuky uploaded TRANSLATEXT to a GitHub repository under their control. The extension is built to bypass the security measures of major email providers and extract sensitive information.
The attack flow starts with a ZIP archive purporting to contain Korean military history data. The archive holds two files: a document in the Hangul Word Processor (HWP) format and an executable. Running the executable downloads a PowerShell script from an adversary-controlled server; that script sends information about the compromised host to a GitHub repository and downloads further PowerShell code via a Windows shortcut (LNK) file.
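As an added example (not the Sigma rule SOC Prime publishes and not code from Zscaler's TRANSLATEXT analysis), the following Python script shows one host-level check for the installation of an extension of this kind: it parses Chrome's per-profile Preferences or Secure Preferences JSON (on Windows, under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\`) and flags extensions that were installed outside the Web Store path and that hold the permissions needed to read cookies, intercept requests, or capture tabs, which are the capabilities the page attributes to TRANSLATEXT. The sample preferences, extension IDs, names, and paths are constructed; the numeric `location` codes follow Chromium's ManifestLocation enumeration, and the "Google Translate" branding check is an assumption drawn from the page's description of the lure.

```python
"""Hunt for sideloaded Chrome extensions with cookie- and credential-theft
capability by parsing Chrome's per-profile Preferences JSON.

Added example for this page; it is not SOC Prime's Sigma rule and not code
from Zscaler's TRANSLATEXT analysis. Extension IDs, names and paths in
SAMPLE_PREFERENCES are constructed for illustration.
"""
import json
import sys
from typing import Any, Dict, List

# Update URL every Chrome Web Store extension carries in its manifest.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Chromium ManifestLocation values that mean the extension did not come
# through the normal Web Store install path (sideloaded or forced).
SIDELOAD_LOCATIONS = {
    2: "external_pref",
    3: "external_registry",
    4: "unpacked",
    8: "command_line",
    9: "external_policy",
}

# Permissions that let an extension read cookies, intercept requests and
# capture tab contents: the capabilities the page attributes to TRANSLATEXT.
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "tabs",
    "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
}

# Constructed sample in the shape of Chrome's "extensions.settings" block.
SAMPLE_PREFERENCES: Dict[str, Any] = {
    "extensions": {
        "settings": {
            # Web Store extension with benign permissions: must not fire.
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1,
                "manifest": {"name": "Tab Counter", "version": "1.0",
                             "update_url": WEB_STORE_UPDATE_URL,
                             "permissions": ["storage"]},
            },
            # Web Store password manager that legitimately needs cookies:
            # risky permissions alone are not enough, so it must not fire.
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True, "location": 1,
                "manifest": {"name": "Vault Helper", "version": "4.2",
                             "update_url": WEB_STORE_UPDATE_URL,
                             "permissions": ["cookies", "tabs"],
                             "host_permissions": ["<all_urls>"]},
            },
            # Unpacked extension using Google Translate branding with
            # cookie/tab/all-URL access: the pattern we want to surface.
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False, "location": 4,
                "path": "C:\\Users\\Public\\gtranslate",
                "manifest": {"name": "Google Translate", "version": "2.3",
                             "permissions": ["cookies", "tabs", "<all_urls>", "storage"]},
            },
        }
    }
}


def assess_extension(ext_id: str, entry: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding dict; 'suspicious' is True only when the extension is
    both outside the Web Store install path and holds a risky permission."""
    manifest = entry.get("manifest", {})
    reasons: List[str] = []

    location = entry.get("location")
    if location in SIDELOAD_LOCATIONS:
        reasons.append(f"install location {SIDELOAD_LOCATIONS[location]}")

    off_store = (not entry.get("from_webstore", False)
                 and manifest.get("update_url") != WEB_STORE_UPDATE_URL)
    if off_store:
        reasons.append("not from Chrome Web Store")

    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))

    # Assumption: an off-store extension borrowing Google Translate's name
    # mirrors the lure the page describes and deserves an explicit reason.
    if off_store and "translate" in manifest.get("name", "").lower():
        reasons.append("off-store extension using Google Translate branding")

    suspicious = (location in SIDELOAD_LOCATIONS or off_store) and bool(risky)
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "path": entry.get("path", ""), "suspicious": suspicious, "reasons": reasons}


def hunt(prefs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Evaluate every extension in a parsed Preferences file; return the suspicious ones."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return [f for f in (assess_extension(i, e) for i, e in settings.items()) if f["suspicious"]]


def main(argv: List[str]) -> int:
    """Usage: python hunt_chrome_ext.py [path\\to\\Preferences]; no path uses the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFERENCES
    findings = hunt(prefs)
    for f in findings:
        print(f"[!] {f['id']} ({f['name']}) {f['path']}")
        for r in f["reasons"]:
            print(f"      - {r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Requiring both an off-store install path and a risky permission keeps a legitimate Web Store password manager from firing while still surfacing an unpacked or policy-forced extension that can read cookies and capture tabs. On a Windows host, point the script at both `Preferences` and `Secure Preferences` for each profile directory, since recent Chrome builds keep the `extensions.settings` block in the latter.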
Researchers recommend avoiding the installation of programs from untrusted sources to mitigate the risks related to the latest Kimsuky campaign; staying cyber vigilant in this way is essential to preventing potential data breaches. Stay ahead of emerging threats and future-proof your organization’s cybersecurity posture by leveraging SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation.