Cyberwarfare

N Korean APT Uses Browser Extension to Steal Emails From Foreign Policy, Nuclear Targets

Over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports.

Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for the targeting of entities in South Korea, but also some located in Europe and the United States.

For over a year, Volexity has been seeing the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale – a Chrome-based browser used in South Korea – to steal data directly from the victims’ email accounts.

Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity says.

According to Volexity, “the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

The extension is deployed manually on previously compromised systems, and requires the attacker to replace the browser’s legitimate preferences files with modified ones.

“Deployment of Sharpext is highly customized, as the attacker must first gain access to the victim’s original browser Security Preferences file. This file is then modified and used to deploy the malicious extension. Volexity has observed SharpTongue deploying Sharpext against targets for well over a year; and, in each case, a dedicated folder for the infected user is created containing the required files for the extension,” Volexity notes.

A PowerShell script is used to kill the browser process to enable the exfiltration of the required files. After the extension has been deployed, another PowerShell script enables DevTools to inspect the contents of the tab the user is accessing, and to exfiltrate data of interest.
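Because this technique lives in the browser profile rather than in an installer or a Web Store listing, one practical check is to audit the profile's own extension records. The script below is an added example written for this article, not code from Volexity or the report: it parses a Chromium-style "Secure Preferences" JSON file and flags extensions that were side-loaded, are not from the Chrome Web Store, are loaded from an absolute path, or hold content-script access to webmail hosts. The field names (`extensions.settings.<id>.from_webstore`, `location`, `path`, `granted_permissions`) follow Chromium's preference schema; the sample profile embedded at the bottom is constructed for the example.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

LOCATION_NAMES = {1: "INTERNAL", 2: "EXTERNAL_PREF",   # extensions/common/manifest.h
                  3: "EXTERNAL_REGISTRY", 4: "UNPACKED", 5: "COMPONENT", 8: "COMMAND_LINE"}
SIDELOADED = {2, 3, 4, 8}            # install paths that bypass the Web Store flow
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com", "<all_urls>")


def suspicious_extensions(secure_prefs: dict) -> list:
    """Return extensions whose install source or host access warrants review."""
    findings = []
    for ext_id, entry in secure_prefs.get("extensions", {}).get("settings", {}).items():
        loc = entry.get("location")
        if loc == 5:                     # built-in component extensions are expected
            continue
        reasons = []
        if loc in SIDELOADED:
            reasons.append("installed as " + LOCATION_NAMES[loc])
        if not entry.get("from_webstore", False):
            reasons.append("not from Chrome Web Store")
        path = entry.get("path", "")
        # Web Store installs use profile-relative paths; unpacked ones are absolute.
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("loaded from " + path)
        hosts = entry.get("granted_permissions", {}).get("scriptable_host", [])
        webmail = [h for h in hosts if any(w in h for w in WEBMAIL_HOSTS)]
        if webmail:
            reasons.append("can script webmail: " + ", ".join(webmail))
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample profile (not from the report): one Web Store extension and
# one unpacked extension granted content-script access to Gmail.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "manifest": {"name": "Store Ext"},
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "granted_permissions": {"scriptable_host": ["https://example.com/*"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "manifest": {"name": "Sideloaded Ext"},
        "path": "C:\\Users\\victim\\AppData\\Local\\loader",
        "granted_permissions": {"scriptable_host": ["https://mail.google.com/*"]}},
}}}

if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_PREFS):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

To run it against a real profile, pass `json.load(open(path))` of the `Secure Preferences` file under the browser's `User Data\Default` directory to `suspicious_extensions`; a hit is a lead to investigate, not proof of compromise, since developers legitimately load unpacked extensions.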

Because the extension itself does not include obviously malicious code, it is likely to evade detection by antimalware solutions, Volexity notes. The extension also allows the attackers to dynamically update its code without having to re-install it on the infected machine.

Sharpext maintains lists of email addresses to ignore, previously stolen emails and attachments, and monitored tabs, to avoid exfiltrating the same data multiple times. It also monitors domains that the victim visits.

“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it,” Volexity notes.

Related: US Offers $10 Million for Information on North Korean Hackers

Related: U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
