North Korean hackers are using malicious Google Chrome extensions to try and hack your data

Kimsuky spreads fake Google Translate Chrome extension

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

North Korean state-sponsored threat actors have been observed, once again, using maliciousGoogleChrome extensions to (mostly) target people in South Korea.

This time around, cybersecurity researchers from Zscaler ThreatLabz found a new campaign where hackers known as Kimsuky (AKA Velvet Chollima, a group known to be affiliated to the North Korean government) uploaded a piece ofmalwaredubbed TRANSLATEXT to their GitHub repository on March 7.

This malware was masqueraded to look like a Google Translate extension for the popularbrowser, but in fact, was an infostealer capable of bypassing most security measures and stealing sensitive information from the compromised machine. TRANSLATEXT was designed specifically to steal email addresses, usernames, passwords, and cookies. Furthermore, it is capable of grabbing screenshots of the browser.

Targeting academia

Whatever information it gathered, it returned to the GitHub account. The malware was removed a day later, on March 8, which prompted the researchers to conclude that this was a highly targeted campaign in which Kimsuky knew exactly whose data it was going for.

Zscaler did not discuss the victims’ identity in detail, but it did say that they were mostly in the education sector in South Korea. “Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign,” the report states.

One piece of evidence suggesting this is a word processing file being distributed next to the malware, named “Review of a Monograph on Korean Military History,” according to a rough translation.

The methods of delivering the malware to the victims is not known at this time, but the researchers speculate that Kimsuky is probably deploying it via email.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Wales vs Fiji live stream: how to watch 2024 rugby union Autumn International online from anywhere