North Korean state-sponsored threat actors have been observed, once again, using malicious Google Chrome extensions to (mostly) target people in South Korea.
This time around, cybersecurity researchers from Zscaler ThreatLabz found a new campaign where hackers known as Kimsuky (AKA Velvet Chollima, a group known to be affiliated to the North Korean government) uploaded a piece of malware dubbed TRANSLATEXT to their GitHub repository on March 7.
This malware was masqueraded to look like a Google Translate extension for the popular browser, but in fact, was an infostealer capable of bypassing most security measures and stealing sensitive information from the compromised machine. TRANSLATEXT was designed specifically to steal email addresses, usernames, passwords, and cookies. Furthermore, it is capable of grabbing screenshots of the browser.
Targeting academia
Whatever information it gathered, it returned to the GitHub account. The malware was removed a day later, on March 8, which prompted the researchers to conclude that this was a highly targeted campaign in which Kimsuky knew exactly whose data it was going for.
Zscaler did not discuss the victims’ identity in detail, but it did say that they were mostly in the education sector in South Korea. “Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign,” the report states.
One piece of evidence suggesting this is a word processing file being distributed next to the malware, named “Review of a Monograph on Korean Military History,” according to a rough translation.
The methods of delivering the malware to the victims is not known at this time, but the researchers speculate that Kimsuky is probably deploying it via email.