A new Chrome extension that spoofs Google Translate, dubbed "TRANSLATEXT", has been deployed by the North Korean state-sponsored hacking operation Kimsuky (also tracked as APT43, Velvet Chollima, Emerald Sleet, Black Banshee, ARCHIPELAGO, and Springtail) in a cyberespionage campaign against South Korean academic institutions that has been ongoing since March, according to The Hacker News.
Kimsuky likely used spearphishing and social engineering to distribute a ZIP archive, themed around Korean military history, that contains an executable. When launched, the executable fetches a PowerShell script that exports information about the victim to a GitHub repository, the same repository that also hosts the TRANSLATEXT extension, and then retrieves a second PowerShell script, according to an analysis from Zscaler ThreatLabz. Once installed, TRANSLATEXT circumvents security measures for Google, Naver, and Kakao and can exfiltrate email addresses, credentials, and cookies, capture screenshots, and delete cookies, the researchers said.
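The defining trait of TRANSLATEXT is that it borrows a trusted product name without coming from the Chrome Web Store. The following is an added detection example, not code from Zscaler, The Hacker News or the Kimsuky tooling: it reads the `extensions.settings` map that Chrome keeps in its per-profile `Preferences` / `Secure Preferences` JSON and flags extensions whose manifest claims a spoof-prone brand name but which were not installed from the store. The field names (`manifest`, `location`, `path`, `from_webstore`) are the ones Chromium writes; the `location` codes are taken from Chromium's ManifestLocation enum as I understand it (1 = INTERNAL, 4 = UNPACKED) and are an assumption here, as is the sample profile fragment, which is constructed for the demo with made-up extension IDs.

```python
"""Flag sideloaded Chrome extensions that masquerade under a trusted name.

Added example (not the page's or Zscaler's code). Parses the
``extensions.settings`` map from a Chrome ``Preferences`` /
``Secure Preferences`` JSON document and reports entries that carry a
spoof-prone name but show no evidence of a Chrome Web Store install.
"""
import json
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed Chromium ManifestLocation values: 1 = INTERNAL (normal Web Store
# install), 4 = UNPACKED (a directory loaded via developer mode / sideloading).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4
# Update URL every Chrome Web Store extension carries in its manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Chrome extension IDs are 32 characters drawn from a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")
# Brand names worth checking; matched case-insensitively against manifest.name.
SPOOFED_BRANDS = ("google translate",)


def suspicious_reasons(ext_id: str, entry: dict) -> list[str]:
    """Reasons one extensions.settings entry looks like a sideloaded brand
    impersonation. Empty list means no finding for this entry."""
    manifest = entry.get("manifest", {})
    name = str(manifest.get("name", "")).lower()
    if not any(brand in name for brand in SPOOFED_BRANDS):
        return []
    reasons = []
    if not EXTENSION_ID_RE.match(ext_id):
        reasons.append("extension id is not a valid 32-char [a-p] id")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("update_url is not the Chrome Web Store")
    if not entry.get("from_webstore", False):
        reasons.append("from_webstore is false")
    if entry.get("location") != LOCATION_INTERNAL:
        reasons.append(f"location={entry.get('location')} (not INTERNAL)")
    # Store installs live under the profile as "<id>\<version>_0"; an absolute
    # path means an unpacked directory loaded from elsewhere on disk.
    path = str(entry.get("path", ""))
    if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
        reasons.append(f"absolute install path {path!r}")
    return reasons


def scan_preferences(prefs: dict) -> dict[str, list[str]]:
    """Map of extension id -> reasons, for every flagged entry in the profile."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return {eid: r for eid, e in settings.items() if (r := suspicious_reasons(eid, e))}


# Constructed sample profile fragment: one genuine-looking store install of a
# translation extension, one sideloaded impersonator loaded from %TEMP%, and one
# unrelated store extension. All three IDs are made up for this demo.
SAMPLE_PREFS = json.loads(r'''
{
  "extensions": {
    "settings": {
      "aaaabbbbccccddddeeeeffffgggghhhh": {
        "from_webstore": true,
        "location": 1,
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\2.0.13_0",
        "manifest": {"name": "Google Translate", "version": "2.0.13",
                     "update_url": "https://clients2.google.com/service/update2/crx"}
      },
      "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\GoogleTranslate",
        "manifest": {"name": "Google Translate", "version": "1.0"}
      },
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": true,
        "location": 1,
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.4.0_0",
        "manifest": {"name": "Some Password Manager", "version": "1.4.0",
                     "update_url": "https://clients2.google.com/service/update2/crx"}
      }
    }
  }
}
''')

if __name__ == "__main__":
    for ext_id, reasons in scan_preferences(SAMPLE_PREFS).items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

On a real host, load the profile's `Secure Preferences` file in place of `SAMPLE_PREFS`; the rule deliberately requires several independent signals (store update URL, `from_webstore`, install location, relative install path) so that a single stale or missing field does not by itself produce a finding. An allow-list of the legitimate extension's published Web Store ID is a natural next step but is not included here because the page does not give it.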
The findings follow a CyberArmor report detailing North Korean attackers exploiting CVE-2017-11882, a memory corruption vulnerability in the Microsoft Office Equation Editor that was patched in 2017, in attacks aimed at the aerospace and defense industries.