| TRANSLATEXT | |
|---|---|
| Type of Malware | Trojan |
| Country of Origin | North Korea |
| Targeted Countries | South Korea |
| Date of Initial Activity | 2024 |
| Associated Groups | APT43 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Type of Information Stolen | Browser Information |
| Targeted Systems | Windows |
Overview
In early 2024, a new threat known as TRANSLATEXT emerged, attributed to the North Korean state-backed threat actor Kimsuky, also tracked as APT43 or Velvet Chollima. Kimsuky, known for targeted cyber espionage operations, has a long history of focusing on South Korean entities, including government bodies, think tanks, and academic institutions. This campaign shows the group’s continued evolution in its cyber warfare tactics: TRANSLATEXT is disguised as a seemingly innocuous Google Chrome extension, blending into the victim’s everyday browsing environment to achieve the actor’s objectives.
TRANSLATEXT was first detected in March 2024, when Zscaler ThreatLabz uncovered its deployment through a malicious Google Chrome extension uploaded to an attacker-controlled GitHub repository. The extension, masquerading as a legitimate Google Translate tool, is designed to exfiltrate sensitive information including email addresses, usernames, passwords, and browser cookies. It can also capture browser screenshots, extending its collection beyond text-based data. The use of TRANSLATEXT reflects Kimsuky’s strategic approach to cyber espionage: deceptive tooling used to infiltrate and compromise targeted systems, in this case within the South Korean academic sector.
Targets
Individuals
Educational Services
How they operate
The operation of TRANSLATEXT begins with its distribution method. The malware is delivered as a Google Chrome extension that masquerades as a legitimate translation tool and is distributed through an attacker-controlled GitHub repository, a platform that lends the download a veneer of legitimacy. Once installed, the extension requests extensive permissions, including access to user data on every website the victim visits. This broad access is central to TRANSLATEXT’s functionality: it is what allows the extension to monitor and capture sensitive information across all sites rather than a single domain.
Once activated, TRANSLATEXT deploys a series of JavaScript payloads that carry out its core operations. The malware injects these scripts into the web pages the user visits, specifically targeting login forms and other fields that hold sensitive information. The injected code captures keystrokes, browser cookies, and form data, including usernames and passwords. Because the scripts run inside the user’s own browser session, TRANSLATEXT sidesteps defenses that look for a separate malicious process and collects data without raising immediate suspicion.
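As an added defender-side example (not code from this page or from the Zscaler research it summarizes), the following Python script audits Chrome extension manifests for the over-broad access described above: cookie and tab permissions, `<all_urls>` host access, and content scripts injected into every site. The sample manifest is constructed for illustration, not the real TRANSLATEXT manifest, and the Windows Extensions path is an assumption that the host uses Chrome's default profile location.

```python
import json
import os
from pathlib import Path

# Permissions that expose cookies, sessions or page content from every site.
RISKY_PERMISSIONS = {"cookies", "tabs", "webRequest", "scripting", "debugger"}
# Host patterns that grant an extension (or its content scripts) every origin.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest.json (works for manifest v2 and v3)."""
    findings = []
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings += [f"permission:{p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    findings += [f"host_access:{p}" for p in sorted(perms & BROAD_MATCHES)]
    for script in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(script.get("matches", [])):
            # Script injected into every page: the pattern used to read login forms site-wide.
            findings.append("content_script_on_all_sites:" + ",".join(script.get("js", [])))
    return findings


def audit_directory(root) -> dict[str, list[str]]:
    """Walk a Chrome profile's Extensions folder and audit every manifest.json in it."""
    results, root = {}, Path(root)
    if not root.is_dir():
        return results
    for path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON: skip rather than abort the sweep
        findings = audit_manifest(manifest)
        if findings:
            results[str(path.parent)] = findings
    return results


# Constructed sample (not the real TRANSLATEXT manifest): a "translate" lure asking for everything.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Translate Helper",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    print("sample:", audit_manifest(SAMPLE_MANIFEST))
    # Assumed default Chrome profile path on Windows; adjust for other profiles or platforms.
    chrome = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions")
    for ext_dir, found in audit_directory(chrome).items():
        print(ext_dir, found)
```

A legitimate translation helper rarely needs cookies plus injection on every origin, so any installed extension that trips several findings at once is worth pulling for manual review.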
An advanced feature of TRANSLATEXT is its ability to capture screenshots of the user’s browser activity. This capability enables the malware to record visual information from web sessions, including sensitive data that may not be directly accessible through text-based data exfiltration methods. Screenshots are particularly useful for capturing complex authentication processes or one-time passwords that may be difficult to extract through standard means.
The malware’s communication mechanism is also noteworthy. TRANSLATEXT uses encrypted channels to transmit collected data back to its command-and-control (C2) servers. This encryption ensures that the exfiltrated data is protected from interception during transit. The C2 infrastructure is designed to handle large volumes of data, indicating the threat actor’s intent to gather extensive intelligence from compromised systems.
In summary, TRANSLATEXT showcases a sophisticated blend of technical strategies aimed at infiltrating and extracting valuable data from targeted systems. Its deployment as a Chrome extension, combined with its use of script injection, data capture, and encrypted communication, highlights the evolving nature of cyber espionage tools. As such, understanding and defending against such advanced threats is essential for organizations and individuals seeking to protect their digital assets and sensitive information from state-sponsored adversaries.
MITRE Tactics and Techniques
Initial Access: Spear Phishing (T1193)
Execution: PowerShell (T1059.001)
Persistence: Browser Extensions (T1176)
Privilege Escalation: None observed
Defense Evasion: Obfuscated Files or Information (T1027)
Credential Access: Input Capture (T1056.001)
Collection: Data from Information Repositories (T1213)
Exfiltration: Exfiltration Over Command and Control Channel (T1041)
Impact: None observed