S1201 TRANSLATEXT
TRANSLATEXT is malware that is believed to be used by Kimsuky. [1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious JavaScript files that perform defense evasion, information collection and exfiltration. [1]
| Item | Value |
|---|---|
| ID | S1201 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 January 2025 |
| Last Modified | 05 February 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TRANSLATEXT has used HTTP to communicate with the C2 server. [1] |
| enterprise | T1185 | Browser Session Hijacking | TRANSLATEXT has the ability to use form-grabbing and event-listening to extract data from web data forms. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | TRANSLATEXT has used PowerShell to collect system information and to upload the collected data to a GitHub repository. [1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | TRANSLATEXT has stolen credentials stored in Chrome. [1] |
| enterprise | T1114 | Email Collection | TRANSLATEXT has exfiltrated collected email addresses to the C2 server. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | TRANSLATEXT has exfiltrated collected credentials to the C2 server. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | TRANSLATEXT has been named GoogleTranslate.crx to masquerade as a legitimate Chrome extension. [1] |
| enterprise | T1112 | Modify Registry | TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist. [1] |
| enterprise | T1012 | Query Registry | TRANSLATEXT has queried the following registry key to check for installed Chrome extensions: HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist. [1] |
| enterprise | T1113 | Screen Capture | TRANSLATEXT has the ability to capture screenshots of new browser tabs, based on the presence of the Capture flag. [1] |
| enterprise | T1176 | Software Extensions | - |
| enterprise | T1176.001 | Browser Extensions | TRANSLATEXT has the ability to capture credentials, cookies, browser screenshots, etc. and to exfiltrate data. [1] |
| enterprise | T1539 | Steal Web Session Cookie | TRANSLATEXT has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server. [1] |
| enterprise | T1205 | Traffic Signaling | TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. [1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | TRANSLATEXT has used a dead drop resolver to retrieve configurations and commands from a public blog site. [1] |
| enterprise | T1102.002 | Bidirectional Communication | TRANSLATEXT has used a GitHub repository for C2. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [1] |