The insidious software exfiltrates all email and attachments, researchers warn, putting sensitive documents at risk
Image: Getty via Dennis
A malicious browser extension linked to North Korea works undetected to steal data from Gmail and AOL sessions.
The extension, dubbed “Sharpext” by researchers, monitors web pages to automatically parse all emails and attachments from victims’ mailboxes.
It poses a particularly serious threat to machines used by organizations for business operations because any sensitive information sent via email has the potential to be stolen. So far, targets have been identified in the US, EU and South Korea.
Cybersecurity firm Volexity revealed the spyware’s existence in a… blog post, and linked it to a threat actor followed by Volexity that operates under the name SharpTongue but is publicly known as Kimsuky. This entity is believed to be of North Korean origin, and the investigators have linked SharpTongue to attacks on targets related to national security.
ArsTechnica reports that Steven Adair, president of Volexity, states that Sharpext was installed through “spear phishing and social engineering where the victim is fooled into opening a malicious document”. Phishing is a common vector used to deliver malicious programs, such as LockBit 2.0, which is distributed via email disguised as PDFs.
To lay the foundation for the extension, the threat actor manually exfiltrates files such as user preferences and secure preferences. These have been modified to include exceptions for the malicious extension and then downloaded back to the infected machine via the malware’s command and control (C2) infrastructure.
Once the original files for these copies are switched, Sharpext is loaded directly from the victim’s appdata folder. Once active, the extension executes code directly from the C2 server, which has the advantage that antivirus software does not discover malicious code within the extension itself.
In addition, executing code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension on infected systems. Indeed, the extension is currently in its third iteration, with previous versions being more limited in their browser and email client compatibility.
At the moment, Sharpext supports Google Chrome and Microsoft Edge, as well as a browser called Whale which is quite popular in South Korea, but not in other countries.
The extension is only activated when a Chromium browser is running and uses listeners to monitor activity to ensure that only email data is stolen. Global variables track the emails, email addresses, and attachments that have already been exfiltrated to avoid unnecessary duplication of data.
In addition to the exfiltration functions, the extension implements a Powershell script that constantly checks for compatible browser processes, and if found runs a keystroke script that opens the DevTools panel.
At the same time, another script works to hide the DevTools window, and anything that might make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.
Volexity has advised security teams within organizations to regularly review extensions, especially those installed on machines connected to highly sensitive information.
© Dennis Publishing