A malicious browser extension linked to North Korea worked undetected to steal data from Gmail and AOL sessions.
The extension, dubbed “SHARPEXT” by researchers, monitors web pages to automatically scan all emails and attachments from victims’ mailboxes.
It poses a particularly serious threat to machines used by organizations for business operations, as any sensitive information sent via email can be stolen. Targets have so far been identified in the US, EU and South Korea.
Cybersecurity company Volexity revealed the existence of the spyware in a blog post and attributed it to a threat actor that Volexity tracks as SharpTongue, better known publicly as Kimsuky. This group is believed to be of North Korean origin, and researchers have linked SharpTongue to attacks on national security targets.
Ars Technica quotes Volexity president Steven Adair as saying that SHARPEXT is installed through “phishing and social engineering where the victim is tricked into opening a malicious document”. Phishing is a common vector for spreading malware; LockBit 2.0, for example, was distributed via email disguised as a PDF.
To lay the groundwork for the extension, the threat actor manually exfiltrates the browser's user preferences and security preferences files. These are modified to include exceptions for the malicious extension and then sent back to the infected machine via the malware’s command and control (C2) infrastructure.
Once the original files have been replaced by these modified copies, SHARPEXT is loaded directly from the victim’s AppData folder. Once active, the extension runs code fetched directly from the C2 server, which has the benefit of preventing antivirus software from finding malicious code within the extension files themselves.
Additionally, executing the code in this way allows the threat actor to regularly update the code without having to reinstall new versions of the extension on infected systems. Indeed, the extension is currently in its third iteration, with previous versions being more limited in their browser and email client compatibility.
Currently, SHARPEXT supports Google Chrome and Microsoft Edge, as well as a browser called Whale which is reasonably popular in South Korea but not in other countries.
The extension only activates when a Chromium-based browser is running, and it uses listeners to monitor activity so that only email data is stolen. Global variables track the emails, email addresses, and attachments that have already been exfiltrated, to avoid sending duplicate data.
In addition to its exfiltration functions, the malware deploys a PowerShell script that continuously checks for compatible browser processes and, if one is found, runs a keystroke-sending script that opens the DevTools panel.
Simultaneously, another script works to hide the DevTools window and anything else that might make the victim suspicious, like Edge’s warning that an extension is running in developer mode.
Volexity advised security teams within organizations to regularly review extensions, especially those installed on machines connected to highly sensitive information.
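The installation technique described above leaves a trace that this review can look for: a Web Store extension is recorded in the browser's preferences with a path relative to the profile's extension directory, whereas an extension side-loaded from AppData in developer mode is recorded with an absolute path and an unpacked location. The following script is an added example written for this article, not Volexity's code and not tied to any SHARPEXT indicator; it parses a Chromium-style `Preferences`/`Secure Preferences` JSON document and flags extensions that look side-loaded, then reports any broad page-reading permissions such an extension holds. The `location` enum values, the default profile paths and the sample extension ids and names are assumptions, labelled as such in the code.

```python
"""Audit Chromium 'Preferences' / 'Secure Preferences' files for side-loaded extensions.

Added example for this article, not Volexity's code. Assumptions are marked inline.
"""
import json
from pathlib import Path, PureWindowsPath, PurePosixPath

# Chromium ManifestLocation values (assumption taken from Chromium's manifest.h; verify
# against your browser version): 1 = installed from the Web Store, 4 = unpacked / developer mode.
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4

# Permissions that let an extension read or script every page, which is what a
# mail-scraping extension needs. Constructed watch list; extend as needed.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "http://*/*", "https://*/*", "*://*/*"}


def load_extension_settings(prefs_text: str) -> dict:
    """Return the extensions.settings map (extension id -> entry) from a Preferences JSON document."""
    return json.loads(prefs_text).get("extensions", {}).get("settings", {})


def is_absolute(path: str) -> bool:
    """Web Store extensions are recorded with a path relative to the profile's Extensions
    directory; an absolute path means the extension was loaded from elsewhere on disk."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extension(ext_id: str, entry: dict) -> list:
    """Return the reasons this extension entry looks side-loaded; empty if it looks normal."""
    reasons = []
    path = entry.get("path", "")
    manifest = entry.get("manifest", {})
    if entry.get("location") == LOCATION_UNPACKED:
        reasons.append("loaded unpacked (developer mode)")
    if is_absolute(path):
        reasons.append(f"absolute path outside the profile's extension store: {path}")
    if entry.get("from_webstore") is False:
        reasons.append("not installed from the Web Store")
    # Broad permissions are common in legitimate extensions, so they are only
    # reported as context once the entry already looks side-loaded.
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad and reasons:
        reasons.append(f"broad permissions: {', '.join(broad)}")
    return reasons


def audit_prefs(prefs_text: str) -> list:
    """Audit every extension in a Preferences document; returns [{'id', 'name', 'reasons'}, ...]."""
    findings = []
    for ext_id, entry in load_extension_settings(prefs_text).items():
        reasons = audit_extension(ext_id, entry)
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def audit_profile(profile_dir) -> list:
    """Audit the Preferences and Secure Preferences files of one browser profile directory.
    Assumed default locations on Windows: Chrome uses
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default and Edge uses
    %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        f = Path(profile_dir) / name
        if f.exists():
            findings.extend(audit_prefs(f.read_text(encoding="utf-8")))
    return findings


# Constructed sample resembling a trimmed Secure Preferences file: one Web Store extension
# and one extension side-loaded from AppData with permissions broad enough to read webmail
# pages. Extension ids, names and paths are made up.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": LOCATION_INTERNAL,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {"name": "Tab Tidy (sample)", "permissions": ["storage"]},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": LOCATION_UNPACKED,
            "path": "C:\\Users\\user\\AppData\\Roaming\\ExtUpdate\\",
            "manifest": {"name": "Sample side-loaded extension",
                         "permissions": ["tabs", "<all_urls>", "storage"]},
        },
    }}
})

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(finding["id"], finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against a real profile with `audit_profile(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default")` after expanding the environment variable; each hit should then be checked against the organisation's list of approved extensions. Browser enterprise policies that block developer-mode and non-Web-Store extensions remove the need for this check on managed machines, but the audit remains useful on hosts where such policies are not enforced.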
IT Pro has approached Volexity for comment.