{"description": "Enterprise techniques used by TRANSLATEXT, ATT&CK software S1201 (v1.0)", "name": "TRANSLATEXT (S1201)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has used HTTP to communicate with the C2 server.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has the ability to use form-grabbing and event-listening to extract data from web data forms.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has used PowerShell to collect system information and to upload the collected data to a GitHub repository.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has stolen credentials stored in Chrome.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1114", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has exfiltrated collected email addresses to the C2 server.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has exfiltrated collected credentials to the C2 server.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has been named `GoogleTranslate.crx` to masquerade as a legitimate Chrome extension.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has added itself as a value under the following registry key, which forces Chrome to install the listed extensions: `HKCU\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist`.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has queried the following registry key to check for installed Chrome extensions: `HKCU\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist`.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has the ability to capture screenshots of new browser tabs, based on the presence of the `Capture` flag.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has the ability to capture credentials, cookies and browser screenshots, among other data, and to exfiltrate them.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) C2 servers have redirected clients that connect without parameters to legitimate Gmail, Naver or Kakao pages.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has used a dead drop resolver to retrieve configurations and commands from a public blog site.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[TRANSLATEXT](https://attack.mitre.org/software/S1201) has used a GitHub repository for C2.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TRANSLATEXT", "color": "#66b1ff"}]}
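The T1112 and T1012 entries in this layer describe TRANSLATEXT writing to, and reading back, Chrome's `ExtensionInstallForcelist` policy key under HKCU. Because every value under that key makes Chrome silently install the named extension, and the HKCU copy of the key is writable by an unprivileged user process, the key is worth auditing on any Windows host. The PowerShell script below is an added example written for this page; it is not TRANSLATEXT's code and does not come from ATT&CK or the Zscaler report. It assumes an allowlist of approved extension IDs that you maintain (`$AllowedExtensionIds`, left empty here so every entry is flagged), checks both the HKCU and HKLM policy keys, and relies on Chrome's documented value format of `<extension id>;<update_url>` with the Web Store update endpoint as the default.

```powershell
# Added audit example (not TRANSLATEXT code, not from ATT&CK or Zscaler).
# Enumerates Chrome ExtensionInstallForcelist values in the user and machine
# policy hives and flags entries a responder should look at.

# Assumption: fill this with the 32-character IDs your organisation approves.
$AllowedExtensionIds = @()

$ForcelistKeys = @(
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Chrome Web Store update endpoint; when the value omits a URL, Chrome assumes this one.
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Get-ChromeForcelistEntry {
    foreach ($key in $ForcelistKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Value data is "<extension id>;<update_url>"; the URL part is optional.
            $raw   = [string]$item.GetValue($name)
            $parts = $raw -split ';', 2
            $updateUrl = ''
            if ($parts.Count -gt 1) { $updateUrl = $parts[1].Trim() }
            [pscustomobject]@{
                Key         = $key
                ValueName   = $name
                ExtensionId = $parts[0].Trim()
                UpdateUrl   = $updateUrl
            }
        }
    }
}

function Test-ChromeForcelistEntry {
    param([Parameter(Mandatory)] $Entry)
    $flags = @()
    # Chrome extension IDs are exactly 32 characters from the range a-p.
    if ($Entry.ExtensionId -notmatch '^[a-p]{32}$') { $flags += 'malformed extension id' }
    if ($AllowedExtensionIds -notcontains $Entry.ExtensionId) { $flags += 'not on allowlist' }
    if ($Entry.UpdateUrl -and $Entry.UpdateUrl -ne $WebStoreUpdateUrl) {
        # A non-Web-Store update_url means the CRX is fetched from attacker-chosen infrastructure.
        $flags += "self-hosted update_url: $($Entry.UpdateUrl)"
    }
    if ($Entry.Key -like 'HKCU:*') {
        # User-hive policy can be written without administrative rights.
        $flags += 'set in user hive (no admin rights needed to write)'
    }
    $flags
}

$entries = @(Get-ChromeForcelistEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No ExtensionInstallForcelist values present in HKCU or HKLM.'
    return
}

foreach ($entry in $entries) {
    $flags   = @(Test-ChromeForcelistEntry -Entry $entry)
    $verdict = if ($flags.Count -eq 0) { 'OK' } else { 'REVIEW' }
    Write-Output ('{0,-6} {1}\{2} -> {3}' -f $verdict, $entry.Key, $entry.ValueName, $entry.ExtensionId)
    foreach ($f in $flags) { Write-Output "       - $f" }
}
```

Run it in the context of each interactive user, since the HKCU key is per profile; a scheduled run as SYSTEM only sees HKLM. For any flagged entry, pair the extension ID with the unpacked extension directory under the Chrome profile and compare the manifest's declared name with what the user believes is installed, which is the check that catches a masquerading package such as the `GoogleTranslate.crx` named in the T1036.005 entry.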