
Espionage Extension: Kimsuky's TRANSLATEXT Infiltrates South Korean Academia
Summary of Actor: Kimsuky, also known as Velvet Chollima, is a North Korean threat actor group primarily engaged in cyber espionage. They are known for targeting South Korea, Japan, and the United States, with a focus on government, think tanks, and human rights organizations.
General Features: Kimsuky employs phishing and social engineering techniques to gain initial access, often using spear-phishing emails with malicious attachments or links. They leverage publicly available tools and custom malware to conduct their operations.
Related Other Groups: APT37, APT38
Indicators of Attack (IoA):
- Suspicious email attachments and links
- Use of PowerShell for command execution
- Domain generation algorithms (DGA)
Recent Activities and Trends:
- Latest Campaigns: Kimsuky has been active in targeting COVID-19 vaccine developers, conducting phishing campaigns to steal sensitive information related to vaccine research.
- Emerging Trends: Recent observations indicate a shift towards targeting cloud services and employing advanced obfuscation techniques to evade detection.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
Remediations for Kimsuky's TRANSLATEXT Campaign
T1059.001 - Command and Scripting Interpreter: PowerShell
PowerShell Logging: Enable detailed logging to monitor for suspicious commands.
Restrict PowerShell Usage: Enforce execution policies like AllSigned and limit usage to specific roles.
Endpoint Protection: Deploy solutions that detect and block malicious PowerShell activities.
T1176 - Browser Extensions
Control Extension Installation: Use policies to allow only approved extensions and regularly audit them.
Enhance Browser Security: Configure browser settings to minimize extension permissions.
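One way to put the two T1176 controls above into practice on a Windows endpoint, written here as an added example rather than code from the advisory: Chrome's documented ExtensionInstallBlocklist/ExtensionInstallAllowlist policies deny every extension except an approved set, and an audit function lists extensions present in local Chrome profiles that are not on that set. The extension ID used in the usage lines is a placeholder, and the profile path assumes a default per-user Chrome install.

```powershell
# Added example: enforce a Chrome extension allowlist and audit installed
# extensions against it. Run as an administrator to write HKLM policy keys.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionAllowlist {
    param([Parameter(Mandatory)][string[]]$ApprovedExtensionIds)
    # '*' in the blocklist blocks every extension; the allowlist then re-enables
    # only the approved IDs. Both policies are lists of numbered string values.
    New-Item -Path "$PolicyRoot\ExtensionInstallBlocklist" -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ExtensionInstallBlocklist" -Name '1' `
        -Value '*' -PropertyType String -Force | Out-Null
    New-Item -Path "$PolicyRoot\ExtensionInstallAllowlist" -Force | Out-Null
    $i = 1
    foreach ($id in $ApprovedExtensionIds) {
        New-ItemProperty -Path "$PolicyRoot\ExtensionInstallAllowlist" -Name "$i" `
            -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-UnapprovedChromeExtensions {
    param([Parameter(Mandatory)][string[]]$ApprovedExtensionIds)
    # Each installed extension lives under <profile>\Extensions\<id>\<version>\,
    # so the ID is the grandparent directory of its manifest.json.
    $pattern = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $id = $_.Directory.Parent.Name
        if ($ApprovedExtensionIds -notcontains $id) {
            $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                User        = ($_.FullName -split '\\')[2]
                ExtensionId = $id
                Name        = $manifest.name
                # Broad permissions (tabs, webRequest, cookies, <all_urls>) deserve a closer look.
                Permissions = (@($manifest.permissions) + @($manifest.host_permissions)) -join ','
                Path        = $_.FullName
            }
        }
    }
}

# Usage with a constructed placeholder ID (Chrome IDs are 32 lowercase letters a-p):
$approved = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
Set-ChromeExtensionAllowlist -ApprovedExtensionIds $approved
Get-UnapprovedChromeExtensions -ApprovedExtensionIds $approved | Format-Table -AutoSize
```

Deploying the same two registry lists through Group Policy rather than a script is the usual fleet-wide approach; the audit function is still useful for spotting profiles that were populated before the policy took effect.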
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Disable Credential Storage: Prevent browsers from saving credentials through settings or Group Policy.
Use Password Managers: Implement secure password management solutions.
Monitor Credential Usage: Regularly audit and monitor stored credentials for unauthorized access.
T1113 - Screen Capture
Application Whitelisting: Allow only authorized applications to capture screen content.
Monitor Screen Capture: Set up alerts for unauthorized screen capture activities.
T1071.001 - Application Layer Protocol: Web Protocols
Network Traffic Analysis: Monitor HTTP traffic for unusual patterns.
Web Filtering: Block access to known malicious URLs and domains.
SSL Inspection: Analyze encrypted traffic to detect malicious activities.
T1102.001 - Web Service: Dead Drop Resolver
Monitor Web Services: Track and analyze web service usage for anomalies.
Block Malicious Services: Prevent access to known malicious web services.
T1041 - Exfiltration Over C2 Channel
Data Loss Prevention (DLP): Use DLP solutions to detect and block unauthorized data exfiltration.
Network Segmentation: Limit data movement within the network to reduce breach impact.
Anomaly Detection: Implement systems to identify and respond to unusual data transfers.
By applying these measures, organizations can enhance their defenses against Kimsuky's TRANSLATEXT campaign and other similar threats.