Researchers have discovered previously unknown malware that North Korean hackers have been using to covertly read and steal messages and files from compromised users’ Gmail and AOL accounts.
Researchers from the security company Volexity have named the malware SHARPEXT. In a blog post, Volexity revealed that the malware uses cunning methods to install a browser extension for the Chrome and Edge browsers. The email providers cannot detect the extension, and because the browser has already been authenticated past any multifactor authentication protections in place, the account compromise is unaffected by that increasingly popular security feature. None of the known third-party sources, including Microsoft’s add-ons page or Google’s Chrome Web Store, offer the extension.
The malware was created by the hacking group Volexity tracks as SharpTongue, and has been in use for “well over a year,” according to the company. The group overlaps with one that other researchers have identified as Kimsuky, and it is backed by the government of North Korea. SHARPEXT targets organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues North Korea considers crucial to its national security.
The extension is installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. In the past, we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs. it being a post exploitation mechanism for persistence and data theft,” Volexity President Steven Adair said in an email. At the moment, the malware only functions on Chrome browsers.
Covertly installing a browser extension during a phishing campaign is challenging. SHARPEXT’s developers have clearly taken into account published research demonstrating how a security feature in the Chromium browser engine prevents malware from changing sensitive user settings. Each time a legitimate update is made, the browser computes a cryptographic hash of some of the code. At startup, the browser checks the hashes, and if any of them don’t match, it asks to restore the previous settings.
To bypass this protection, the attackers must first extract the following items from the compromised machine:
- a copy of the browser’s resources.pak file (which contains the HMAC seed used by Chrome)
- the user’s S-ID value
- the original Preferences and Secure Preferences files from the user’s system
After modifying the preference files, SHARPEXT installs the extension and runs a PowerShell script to enable DevTools, a feature that lets the browser run custom code and settings.
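Defenders can triage the same preference files the malware tampers with. The following is an added example, not code from Volexity or from the malware: it parses a Chromium Secure Preferences file (constructed sample below) and flags extensions that were loaded from disk rather than the Web Store, together with the developer-mode toggle. The pref paths `extensions.settings.<id>` (fields `location`, `path`, `from_webstore`) and `extensions.ui.developer_mode`, and the location codes, are taken from my reading of the Chromium source and should be treated as assumptions.

```python
"""Triage a Chromium Secure Preferences file for sideloaded extensions."""
from __future__ import annotations
import json

# Chromium manifest location codes (assumed from the Chromium source).
UNPACKED = 4       # "Load unpacked" from a directory on disk
COMMAND_LINE = 8   # loaded via --load-extension=<path>
SIDELOADED = {UNPACKED, COMMAND_LINE}


def find_suspicious_extensions(prefs: dict) -> list[dict]:
    """Return extensions that were not installed from the Chrome Web Store."""
    settings = prefs.get("extensions", {}).get("settings", {})
    hits = []
    for ext_id, ext in settings.items():
        if not isinstance(ext, dict):
            continue
        sideloaded = ext.get("location") in SIDELOADED
        if sideloaded or not ext.get("from_webstore", False):
            hits.append({
                "id": ext_id,
                "name": ext.get("manifest", {}).get("name"),
                "location": ext.get("location"),
                "path": ext.get("path"),
            })
    return hits


def developer_mode_enabled(prefs: dict) -> bool:
    """True if the extensions page has developer mode switched on."""
    return bool(prefs.get("extensions", {}).get("ui", {}).get("developer_mode"))


def triage(raw_json: str) -> dict:
    prefs = json.loads(raw_json)
    return {"suspicious": find_suspicious_extensions(prefs),
            "developer_mode": developer_mode_enabled(prefs)}


# Constructed sample: one Web Store extension and one loaded from disk.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": True,
                                                 "manifest": {"name": "Legit Store Ext"}},
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4, "from_webstore": False,
                                                 "path": "C:\\Users\\victim\\AppData\\Local\\ext",
                                                 "manifest": {"name": "Mail Helper"}},
        },
        "ui": {"developer_mode": True},
    }
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SECURE_PREFS), indent=2))
```

A hit for an extension with a filesystem path and developer mode enabled on a host where users are not expected to develop extensions is worth a closer look at the extension directory and the account’s recent sign-in activity.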
Using SHARPEXT, the hackers can maintain lists of email addresses to ignore and keep track of emails and attachments that have already been stolen.
A trained analyst can use the images, file names, and other indicators provided in the blog post to determine whether they have been targeted or infected by this malware. The company warned that the threat it poses has grown over time and isn’t going away any time soon.