North Korean hackers are using malicious Google Chrome extensions to try to hack your data

North Korean state-sponsored hackers have again been found using malicious Google Chrome extensions to target people, primarily in South Korea.

This time around, cybersecurity researchers from Zscaler ThreatLabz discovered a new campaign in which the hacking group Kimsuky (also known as Velvet Chollima, and known to have ties to the North Korean government) uploaded malware named TRANSLATEXT to their GitHub repository on March 7.

This malware was disguised as a Google Translate extension for the popular browser, but was in fact an infostealer capable of bypassing most security measures and stealing sensitive information from the compromised machine. TRANSLATEXT was specifically designed to steal email addresses, usernames, passwords, and cookies. It is also capable of taking screenshots of the browser.

Aimed at the academic world

Whatever information it collected was returned to the GitHub account. The malware was removed a day later, on March 8, leading researchers to conclude that this was a highly targeted campaign where Kimsuky knew exactly who the data belonged to.

Zscaler did not elaborate on the identities of the victims, but said they were primarily in the education sector in South Korea. “Based on this collected information, we believe academic researchers specializing in the Korean Peninsula, particularly those focused on geopolitical affairs related to North Korea, are among the primary targets of this campaign,” the report said.

One piece of evidence that points to this is a text editor file distributed along with the malware. According to a rough translation, this file is called “Review of a Monograph on Korean Military History.”

It is currently unknown how the malware reaches victims, but researchers suspect that Kimsuky is likely spreading the malware via email.
