Kimsuky Group Using Chrome Extensions to Steal Victim Data

Malicious Google Extension Uses JavaScripts to Collect User Credentials, Cookies

North Korean espionage group Kimsuky has used a malicious Google Chrome extension since March to exfiltrate sensitive information from South Korean academic institutions conducting research on North Korean affairs, according to researchers.

Cybersecurity company Zscaler said the threat group disguised a malicious Google Chrome extension it calls TRANSLATEXT as a legitimate Google Translate extension and registered it through a Windows registry key that makes the Chrome browser force-install the extension without user permission or intervention.
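A defender-side check for the force-install mechanism described above, added here as an example and not code from the article or from Zscaler: it audits the values of Chrome's ExtensionInstallForcelist policy key (the policy name and its `id;update_url` value format are Chrome's documented behaviour, which the article does not name; the allowlist and sample registry values are constructed) and flags any forced extension that is unapproved, malformed, or updated from somewhere other than the Chrome Web Store.

```python
import re
import sys

# Where Chrome reads the ExtensionInstallForcelist policy on Windows; the key
# name and the "id;update_url" value format come from Chrome's policy docs.
FORCELIST_KEY = r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # extension IDs: 32 chars of a..p
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}  # approved IDs (constructed)

SAMPLE_VALUES = [  # constructed sample values, not indicators from the article
    "abcdefghijklmnopabcdefghijklmnop",                          # approved
    "ponmlkjihgfedcbaponmlkjihgfedcba",                          # unknown ID
    "abcdefghijklmnopabcdefghijklmnop;http://updates.example.invalid/x",
    "not-an-id;https://updates.example.invalid/y",              # malformed
]

def parse_entry(value):
    """Split 'id;update_url'; a missing URL means the Chrome Web Store."""
    ext_id, _, update_url = value.strip().partition(";")
    return ext_id, (update_url or WEBSTORE_UPDATE_URL)

def audit_forcelist(values, allowlist):
    """Return (ext_id, update_url, reason) for every entry worth a look."""
    findings = []
    for value in values:
        ext_id, update_url = parse_entry(value)
        if not EXT_ID_RE.match(ext_id):
            findings.append((ext_id, update_url, "malformed extension id"))
        elif ext_id not in allowlist:
            findings.append((ext_id, update_url, "not in allowlist"))
        elif update_url != WEBSTORE_UPDATE_URL:
            findings.append((ext_id, update_url, "non-Web-Store update url"))
    return findings

def read_forcelist_from_registry():
    """Collect forcelist values from HKLM and HKCU; empty list off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, FORCELIST_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # value count
                    values.append(winreg.EnumValue(key, i)[1])
        except OSError:  # key absent in this hive
            pass
    return values
```

On a Windows host, `audit_forcelist(read_forcelist_from_registry(), ALLOWLIST)` runs the same check against the live policy; an entry that appears there without a matching GPO or MDM change is worth treating as an incident.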

Once installed, the malicious extension obtains user permissions and deploys four malicious JavaScript files to bypass security controls; capture screenshots; steal email addresses, credentials and cookies; and exfiltrate stolen data to a remote server.

Kimsuky Group is a North Korean cyberespionage group that gathers vital intelligence from South Korean government institutions, think tanks, academic institutions and private sector organizations.

In March, the group targeted individuals and organizations that use products and services offered by Seoul-based security company SGA Solutions, attempting to infect computers with info-stealer malware by placing a malicious installation package on a web page that redirected visitors to a download site for a security program (see: Kimsuky Group Tied to Malware Attacks on South Korean Firms).

Zscaler said it identified the malicious Google Chrome extension while researching an ongoing malicious campaign in which the cyberespionage group sent phishing emails to South Korean targets and disguised attached Windows executables as Korean military history documents to evade attention.

An investigation led researchers to a Kimsuky-controlled GitHub account where a threat actor using the moniker "Piano" uploaded the TRANSLATEXT extension and an XML file on Mar. 7 before removing it the following day, possibly to minimize exposure.

Researchers said Kimsuky designed the malicious extension to inject specific scripts into web pages depending on the sites visited by targeted users. The targeted sites included Gmail, popular Korean search and email platform Naver and the website of South Korean internet conglomerate Kakao.

These scripts enabled threat actors to bypass security measures and steal sensitive information about users, including their email passwords and browsing history.

The researchers found various tactics and tools in the campaign that mirrored some of the ones Kimsuky deployed in previous campaigns. These included using the b374k webshell to exfiltrate stolen information, redirecting victims to legitimate web domains such as Gmail to lower suspicion, and reusing domains registered by a Korean ISP named "viaweb" to host malicious PowerShell scripts.

In July 2022, U.S. malware research firm Volexity said a North Korean threat group it tracked as SharpTongue used malicious Google Chrome extensions to target individuals in the U.S., Europe and South Korea who were researching "North Korea, nuclear issues, weapons systems and other matters of strategic interest to North Korea."

The firm said SharpTongue's attack tools and techniques overlapped with those of Kimsuky Group, except that the group did not try to steal usernames and passwords but directly exfiltrated data from victims' Gmail and AOL webmail accounts.


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
