July 1, 2024
Severity
High
Analysis Summary
A new malicious Google Chrome extension that is intended to steal sensitive data as part of an ongoing intelligence collection campaign has been connected to the North Korea-affiliated threat actor known as Kimsuky.
After noticing the activity in early March 2024, researchers nicknamed the extension TRANSLATEXT, emphasizing its capacity to collect cookies, browser screenshots, email addresses, usernames, and passwords. It is said that the targeted effort was launched against academics in South Korea who specialize in North Korean political issues.
Kimsuky is a well-known North Korean advanced persistent threat (APT) group that has been operating since at least 2012. It conducts financially motivated attacks and cyber-espionage against South Korean organizations. Also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, it is a sister group of the Lazarus cluster and a component of the Reconnaissance General Bureau (RGB).
In recent weeks, the group has used job-themed lures in attacks against the aerospace and defense sectors to drop an espionage tool with data gathering and secondary payload execution functionalities. They have also weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger. The backdoor, which doesn't seem to have been previously made public, gives the attacker the ability to carry out espionage tasks and drop more payloads to take control of the device remotely.
Although the particular method of initial access linked to the recently uncovered activity is currently unknown, the APT is known to use social engineering and spear-phishing attempts to start the infection chain. The attack begins with a ZIP archive that appears to be about Korean military history and contains an executable and a Hangul Word Processor document. When the executable is run, a PowerShell script controlled by the attacker is retrieved from a server. This script then exports victim information to GitHub and uses a Windows shortcut (LNK) file to download more PowerShell code.
Experts reported that they discovered a GitHub account that was made on February 13, 2024, and that was momentarily hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx". The method of delivery of this extension is currently unknown. These files were added to the repository on March 7, 2024, and removed the following day, suggesting that Kimsuky planned to limit exposure and utilize the malware to target particular people for a brief amount of time.
Masquerading as Google Translate, TRANSLATEXT uses JavaScript code to bypass security measures on Google, Kakao, and Naver, and to steal cookies, email addresses, and login passwords. It also uses the code to take screenshots of browsers and exfiltrate stolen data. Among other things, it can be directed to retrieve commands from a Blogger Blogspot URL, take screen grabs of recently opened tabs, and remove all cookies from the browser. Surveillance of government and academic staff is one of the main goals of the Kimsuky group in obtaining valuable information.
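As an added defensive check that is not part of the advisory, the following Python script audits Chrome extension manifests for the traits the text attributes to TRANSLATEXT: a self-hosted update_url instead of the Web Store endpoint, a name posing as Google Translate, and cookie access to the Google, Naver and Kakao domains. The sample manifests, the placeholder GitHub account and the profile directory layout are constructed assumptions.

```python
"""Audit Chrome extension manifests for TRANSLATEXT-style sideloaded credential stealers."""
import json
from pathlib import Path

# Chrome Web Store update endpoint; any other update_url means the extension updates from a self-hosted server.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Portal/mail domains the advisory names as targets; cookie access to these deserves a closer look.
WATCHED_HOSTS = ("google.com", "naver.com", "kakao.com")
# Product names an attacker may imitate (the advisory's sample posed as Google Translate).
IMPERSONATED_NAMES = ("google translate",)

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (empty list means nothing suspicious)."""
    findings = []
    name = manifest.get("name", "").strip().lower()
    update_url = manifest.get("update_url", "")
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p]
    store_updated = update_url.startswith(STORE_UPDATE_URL)
    if update_url and not store_updated:
        findings.append(f"non-store update_url: {update_url}")
    if name in IMPERSONATED_NAMES and not store_updated:
        findings.append(f"name imitates a Google product but is not store-updated: {manifest.get('name')}")
    if "cookies" in perms:
        watched = [h for h in hosts if any(d in h for d in WATCHED_HOSTS)]
        if watched:
            findings.append("cookies permission with host access to " + ", ".join(watched))
    if "tabs" in perms and "cookies" in perms:
        findings.append("tabs + cookies: can enumerate open sessions and read their cookies")
    return findings

def audit_extensions_dir(root) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings per extension id."""
    results = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        hits = audit_manifest(manifest)
        if hits:
            results[manifest_path.parent.parent.name] = hits
    return results

# Constructed sample manifests (not real extension files): one matching the advisory's pattern, one benign.
SAMPLE_MALICIOUS = {"name": "Google Translate", "manifest_version": 3,
    "update_url": "https://raw.githubusercontent.com/PLACEHOLDER-ACCOUNT/Web/main/update.xml",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["https://mail.google.com/*", "https://*.naver.com/*", "https://*.kakao.com/*"]}
SAMPLE_BENIGN = {"name": "Example Theme", "manifest_version": 3, "update_url": STORE_UPDATE_URL,
    "permissions": ["storage"], "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for label, m in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, audit_manifest(m))
```

Point audit_extensions_dir at a profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux) to sweep every installed extension.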
Impact
- Sensitive Data Theft
- Cyber Espionage
- Code Execution
- Data Exfiltration
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.