North Korean hackers are using malicious Google Chrome extensions to try and hack your data

News
By
published

Kimsuky spreads fake Google Translate Chrome extension

North Korea
(Image credit: Etereuti / Pixabay)

North Korean state-sponsored threat actors have been observed, once again, using malicious Google Chrome extensions to (mostly) target people in South Korea.

This time around, cybersecurity researchers from Zscaler ThreatLabz found a new campaign where hackers known as Kimsuky (AKA Velvet Chollima, a group known to be affiliated to the North Korean government) uploaded a piece of malware dubbed TRANSLATEXT to their GitHub repository on March 7. 

This malware was masqueraded to look like a Google Translate extension for the popular browser, but in fact, was an infostealer capable of bypassing most security measures and stealing sensitive information from the compromised machine. TRANSLATEXT was designed specifically to steal email addresses, usernames, passwords, and cookies. Furthermore, it is capable of grabbing screenshots of the browser. 

Targeting academia

Whatever information it gathered, it returned to the GitHub account. The malware was removed a day later, on March 8, which prompted the researchers to conclude that this was a highly targeted campaign in which Kimsuky knew exactly whose data it was going for.

Zscaler did not discuss the victims’ identity in detail, but it did say that they were mostly in the education sector in South Korea. “Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign,” the report states.

One piece of evidence suggesting this is a word processing file being distributed next to the malware, named "Review of a Monograph on Korean Military History," according to a rough translation.

The methods of delivering the malware to the victims is not known at this time, but the researchers speculate that Kimsuky is probably deploying it via email. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.