Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

North Korean hackers are using malicious Google Chrome extensions to try and hack your data

North Korea.

North Korean state-sponsored threat actors have been observed, once again, using malicious Google Chrome extensions to (mostly) target people in South Korea.

This time around, cybersecurity researchers from Zscaler ThreatLabz found a new campaign where hackers known as Kimsuky (AKA Velvet Chollima, a group known to be affiliated to the North Korean government) uploaded a piece of malware dubbed TRANSLATEXT to their GitHub repository on March 7. 

This malware was masqueraded to look like a Google Translate extension for the popular browser, but in fact, was an infostealer capable of bypassing most security measures and stealing sensitive information from the compromised machine. TRANSLATEXT was designed specifically to steal email addresses, usernames, passwords, and cookies. Furthermore, it is capable of grabbing screenshots of the browser. 

Targeting academia

Whatever information it gathered, it returned to the GitHub account. The malware was removed a day later, on March 8, which prompted the researchers to conclude that this was a highly targeted campaign in which Kimsuky knew exactly whose data it was going for.

Zscaler did not discuss the victims’ identity in detail, but it did say that they were mostly in the education sector in South Korea. “Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign,” the report states.

One piece of evidence suggesting this is a word processing file being distributed next to the malware, named "Review of a Monograph on Korean Military History," according to a rough translation.

The methods of delivering the malware to the victims is not known at this time, but the researchers speculate that Kimsuky is probably deploying it via email. 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.