A threat group believed to be from North Korea is deploying malicious browser extensions for Chrome and Edge. The aim is to steal email content from open Gmail and AOL sessions and replace browser preference files.

The attack by Kimsuky

Researchers from Volexity identified the malicious extension, named SHARPEXT, that has been in use for nearly a year by Kimsuky (aka SharpTongue). It is using the extension as a post-exploitation tool for maintaining persistence.
  • In contrast with other malicious browser extensions, SHARPEXT is not created to steal credentials. Instead, the extension steals data from victims’ email inboxes.
  • The attackers install the extension manually using a VBS script after the initial compromise of the targeted system. 

Complex browser installation process

For installing SHARPEXT, the attackers are replacing the Preferences and Secure Preferences files for the targeted Chromium-based browser, which is usually perceived to be a difficult process to perform.
  • To replace the Secure Preferences file, the attackers collect certain details from the browser and generate a new file that runs browser start-up. 
  • Subsequently, the attackers use a second script to mask or hide some of the extension’s actions and any other windows that may appear, and warn the victims about the unusual activity. 
  • Consequently, the extension runs a pair of listeners looking for certain types of activity in browser tabs. Installation is customized for every individual victim.

More about SHARPEXT 

The main goal of this extension is to steal emails and attachments from a user's mailbox.
  • The first discovered versions of the malicious extension only supported Gmail accounts, while the latest version supports Gmail and AOL. 
  • The extension causes web requests to download additional emails from the web page. 
  • Researchers believe that the SHARPEXT extension is still under active development.

Bottom line

The use of malicious browser extensions by North Korean attackers is nothing new. However, for the first time, malicious browser extensions have been observed being used as part of the post-exploitation stage of an attack. This indicates that the group members are actively trying to upgrade their tools and tactics, which makes them a worrisome threat.
Cyware Publisher