Espionage Extension: Kimsuky's TRANSLATEXT Infiltrates South Korean Academia

Tags: APT43, Kimsuky, TRANSLATEXT, Chrome Extension, Political Research
Kimsuky, a North Korean cyber-espionage group, has deployed a malicious Chrome extension called TRANSLATEXT targeting South Korean academia. The extension is designed to steal sensitive information such as email addresses, passwords, and browser data. This campaign highlights Kimsuky's ongoing efforts to gather intelligence on political affairs related to North Korea.

Indicators of Compromise

sdfa.liveblog365.com
webman.w3school.cloudns.nz
ney.re.kr

APT Groups (1)

Kimsuky

Summary of Actor: Kimsuky, also known as Velvet Chollima, is a North Korean threat actor group primarily engaged in cyber espionage. They are known for targeting South Korea, Japan, and the United States, with a focus on government, think tanks, and human rights organizations.

General Features: Kimsuky employs phishing and social engineering techniques to gain initial access, often using spear-phishing emails with malicious attachments or links. They leverage publicly available tools and custom malware to conduct their operations.

Related Other Groups: APT37, APT38

Indicators of Attack (IoA):

  - Suspicious email attachments and links

  - Use of PowerShell for command execution

  - Domain generation algorithms (DGA)

Recent Activities and Trends:

  - Latest Campaigns: Kimsuky has been active in targeting COVID-19 vaccine developers, conducting phishing campaigns to steal sensitive information related to vaccine research.

  - Emerging Trends: Recent observations indicate a shift towards targeting cloud services and employing advanced obfuscation techniques to evade detection.

Aliases: Kimsuky, Emerald Sleet, Thallium, SharpTongue, ITG16, UAT-5394, APT 43, Velvet Chollima, TA427, KTA082, TA406, Black Banshee, ARCHIPELAGO

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

Remediations for Kimsuky's TRANSLATEXT Campaign

T1059.001 - Command and Scripting Interpreter: PowerShell

  1. PowerShell Logging: Enable detailed logging to monitor for suspicious commands.

  2. Restrict PowerShell Usage: Enforce execution policies like AllSigned and limit usage to specific roles.

  3. Endpoint Protection: Deploy solutions that detect and block malicious PowerShell activities.
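The three PowerShell items above, carried out on a Windows host as an added example (this is not code from the original page or from any vendor): the script writes the same registry policy values that Group Policy uses for script block and module logging, sets the AllSigned execution policy machine-wide, and then reviews the last day of script block events (Event ID 4104). The keyword list used for the review is a constructed starting point, not a signature set.

```powershell
# Added example: enable PowerShell script block and module logging, enforce AllSigned,
# and review recent script block events. Run from an elevated PowerShell session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: records the content of every script block that executes
#    (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

#    Module logging for all modules ('*'): records pipeline execution details.
New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 2. Restrict usage: only signed scripts may run on this machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Review: pull the last 24 hours of script block events and surface those that contain
#    constructs commonly seen in download-and-execute activity. Constructed keyword list;
#    tune it to what is normal in your environment.
$Suspicious = 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|-enc|-WindowStyle hidden'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Suspicious } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlock'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap
```

Script block logging records the de-obfuscated content at execution time, so the review step sees what actually ran rather than the encoded command line; in a managed estate the two registry writes belong in a GPO and the review in a SIEM query rather than a local script.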

T1176 - Browser Extensions

  1. Control Extension Installation: Use policies to allow only approved extensions and regularly audit them.

  2. Enhance Browser Security: Configure browser settings to minimize extension permissions.

T1555.003 - Credentials from Password Stores: Credentials from Web Browsers

  1. Disable Credential Storage: Prevent browsers from saving credentials through settings or Group Policy.

  2. Use Password Managers: Implement secure password management solutions.

  3. Monitor Credential Usage: Regularly audit and monitor stored credentials for unauthorized access.
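An added example covering both the T1176 items (allow only approved extensions, audit what is installed) and the T1555.003 items (stop the browser from storing credentials), as a single Windows script; it is not code from the original page or from Google. It uses the Chrome policy registry keys ExtensionInstallBlocklist, ExtensionInstallAllowlist and PasswordManagerEnabled, then walks each Chrome profile's Extensions directory and reports extensions that are either unapproved or request permissions that would let them read page content, cookies or browsing history. The extension IDs in the allowlist are placeholders.

```powershell
# Added example: Chrome extension allowlist, password-store policy, and an audit of
# installed extensions. Run elevated; the policy keys are machine-wide.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ApprovedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # placeholder extension ID
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # placeholder extension ID
)

# --- T1176: block every extension ('*'), then allow only the approved IDs. Chrome reads
#     these list policies as numbered string values under the subkey. ---------------------
New-Item -Path "$ChromePolicy\ExtensionInstallBlocklist" -Force | Out-Null
Set-ItemProperty -Path "$ChromePolicy\ExtensionInstallBlocklist" -Name '1' -Value '*' -Type String
New-Item -Path "$ChromePolicy\ExtensionInstallAllowlist" -Force | Out-Null
$i = 1
foreach ($id in $ApprovedExtensions) {
    Set-ItemProperty -Path "$ChromePolicy\ExtensionInstallAllowlist" -Name "$i" -Value $id -Type String
    $i++
}

# --- T1555.003: disable the built-in password manager so there is no credential store
#     in the profile for an extension or infostealer to harvest. ---------------------------
New-Item -Path $ChromePolicy -Force | Out-Null
Set-ItemProperty -Path $ChromePolicy -Name 'PasswordManagerEnabled' -Value 0 -Type DWord

# --- Audit: enumerate extensions present in every profile of the current user and flag
#     unapproved ones or ones requesting permissions that expose page content/cookies. ----
$RiskyPermissions = @('cookies', 'webRequest', 'webRequestBlocking', 'tabs', 'history', '<all_urls>')
$ExtensionDirs = Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions\*" `
    -Directory -ErrorAction SilentlyContinue

$Findings = foreach ($dir in $ExtensionDirs) {
    # The first manifest found belongs to one installed version; all versions share the ID.
    $manifest = Get-ChildItem $dir.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $manifest) { continue }
    $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
    $perms = @($m.permissions) + @($m.host_permissions)   # MV2 and MV3 permission fields
    [pscustomobject]@{
        Profile   = $dir.Parent.Parent.Name                 # e.g. Default, Profile 1
        Id        = $dir.Name
        Name      = $m.name                                 # may be a localized __MSG_*__ key
        Approved  = $ApprovedExtensions -contains $dir.Name
        RiskyPerm = ($perms | Where-Object { $RiskyPermissions -contains $_ }) -join ','
    }
}

$Findings | Where-Object { -not $_.Approved -or $_.RiskyPerm } | Format-Table -AutoSize
```

The audit only sees extensions installed into a profile's Extensions directory; an extension loaded unpacked from an arbitrary folder in developer mode lives in that folder, so a fleet-wide inventory should come from the browser's own reporting (Chrome Browser Cloud Management or the equivalent) rather than from disk alone. Blocking '*' first and allowing specific IDs is what prevents new installs; the audit is what catches anything that was already present when the policy landed.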

T1113 - Screen Capture

  1. Application Whitelisting: Allow only authorized applications to capture screen content.

  2. Monitoring Screen Capture: Set up alerts for unauthorized screen capture activities.

T1071.001 - Application Layer Protocol: Web Protocols

  1. Network Traffic Analysis: Monitor HTTP traffic for unusual patterns.

  2. Web Filtering: Block access to known malicious URLs and domains.

  3. SSL Inspection: Analyze encrypted traffic to detect malicious activities.

T1102.001 - Web Service: Dead Drop Resolver

  1. Monitor Web Services: Track and analyze web service usage for anomalies.

  2. Block Malicious Services: Prevent access to known malicious web services.

T1041 - Exfiltration Over C2 Channel

  1. Data Loss Prevention (DLP): Use DLP solutions to detect and block unauthorized data exfiltration.

  2. Network Segmentation: Limit data movement within the network to reduce breach impact.

  3. Anomaly Detection: Implement systems to identify and respond to unusual data transfers.
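An added example serving the T1071.001, T1102.001 and T1041 items above (not code from the original page): it runs a small set of proxy log records through two checks, a match against the three IoC domains listed at the top of this page (including any subdomain of them) and a per-client outbound byte total compared with the fleet median, which is the simplest form of the anomaly detection the last item describes. The log lines and their field layout (time, client, method, destination host, bytes sent) are constructed for the example; the 3x-median threshold is an arbitrary starting point.

```powershell
# Added example: IoC domain matching and outbound-volume anomaly check over proxy records.

$IoCDomains = @('sdfa.liveblog365.com', 'webman.w3school.cloudns.nz', 'ney.re.kr')  # from the IoC list above

# Constructed sample records: timestamp, client IP, method, destination host, bytes sent.
$SampleLog = @'
2024-06-10T09:12:04Z 10.20.1.15 GET  www.example.edu 512
2024-06-10T09:12:09Z 10.20.1.15 GET  cdn.example.net 811
2024-06-10T09:13:41Z 10.20.1.42 POST sdfa.liveblog365.com 214000
2024-06-10T09:14:02Z 10.20.1.42 GET  ney.re.kr 300
2024-06-10T09:15:17Z 10.20.1.27 GET  mail.example.edu 740
2024-06-10T09:16:55Z 10.20.1.42 POST webman.w3school.cloudns.nz 998000
2024-06-10T09:18:30Z 10.20.1.88 POST files.example.edu 15000
'@

$Records = $SampleLog -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Method = $f[2]; Dest = $f[3]; BytesOut = [int64]$f[4] }
}

# 1. Web filtering / C2 detection: exact match or subdomain of a listed IoC domain.
function Test-IoCDomain([string]$HostName) {
    foreach ($d in $IoCDomains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}
$Hits = $Records | Where-Object { Test-IoCDomain $_.Dest }
'IoC hits:'
$Hits | Format-Table -AutoSize

# 2. Exfiltration volume: total outbound bytes per client against 3x the fleet median.
$PerClient = $Records | Group-Object Client | ForEach-Object {
    [pscustomobject]@{ Client = $_.Name; BytesOut = ($_.Group | Measure-Object BytesOut -Sum).Sum }
}
$Sorted = @($PerClient.BytesOut | Sort-Object)
$Median = $Sorted[[int][math]::Floor($Sorted.Count / 2)]
"Clients above 3x median outbound volume (median = $Median bytes):"
$PerClient | Where-Object { $_.BytesOut -gt 3 * $Median } | Format-Table -AutoSize
```

On the sample data the first check reports the three requests from 10.20.1.42 and the second check reports that same client (1,212,300 bytes against a median of 15,000). The two checks are deliberately independent: a new C2 domain will not appear in the IoC list, but a client uploading far more than its peers still stands out, which is why the volume check belongs in the pipeline even when the indicator list is current.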

By applying these measures, organizations can enhance their defenses against Kimsuky's TRANSLATEXT campaign and other similar threats.
