Over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports.
Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for the targeting of entities in South Korea, but also some located in Europe and the United States.
For over a year, Volexity has been seeing the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale – a Chrome-based browser used in South Korea – to steal data directly from the victims’ email accounts.
Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity says.
According to Volexity, “the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”
The extension is deployed manually on previously compromised systems, and requires the attacker to replace the browser’s legitimate preferences files with modified ones.
“Deployment of Sharpext is highly customized, as the attacker must first gain access to the victim’s original browser Security Preferences file. This file is then modified and used to deploy the malicious extension. Volexity has observed SharpTongue deploying Sharpext against targets for well over a year; and, in each case, a dedicated folder for the infected user is created containing the required files for the extension,” Volexity notes.
A PowerShell script is used to kill the browser process to enable the exfiltration of the required files. After the extension has been deployed, another PowerShell script enables DevTools to inspect the contents of the tab the user is accessing, and to exfiltrate data of interest.
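Because Sharpext is sideloaded by rewriting the browser's preferences file rather than installed from the Web Store, the installed-extension records in that file are where a defender can look for it. The script below is an added example written for this article; it is not Volexity's tooling and not code from the report. It parses the `Secure Preferences` JSON that Chrome, Edge and Naver Whale keep per profile and flags every extension entry that is loaded unpacked from a local folder or is not marked as coming from the Web Store. It assumes the `extensions.settings` layout (`path`, `location`, `from_webstore`, `manifest`) and Chromium's `ManifestLocation` codes (4 = unpacked, 5 = built-in component); the two extension entries and their ids are constructed sample data, not indicators from the report.

```python
"""Audit a Chromium-family browser profile for sideloaded extensions.

Added example (not Volexity's code). Parses the profile's
``Secure Preferences`` JSON and reports extensions that were not
installed from the Web Store or that are loaded unpacked from a local
folder, which is how a manually deployed extension would appear.
"""
import json
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

# Chromium ManifestLocation codes (assumed from the Chromium source).
LOCATION_UNPACKED = 4    # loaded from a folder on disk
LOCATION_COMPONENT = 5   # built into the browser, never from the store

# Constructed sample: one normal store extension, one sideloaded entry.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {   # constructed id
                "from_webstore": True,
                "location": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\1.0.0_0",
                "state": 1,
                "manifest": {"name": "Sample Store Extension",
                             "version": "1.0.0",
                             "permissions": ["storage"]},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {   # constructed id
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\sample\\AppData\\Local\\helper_ext\\",
                "state": 1,
                "manifest": {"name": "Helper",
                             "version": "0.1",
                             "permissions": ["tabs", "<all_urls>"]},
            },
        }
    }
})


def load_extension_settings(prefs_text: str) -> dict:
    """Return the extensions.settings map from a preferences JSON string."""
    prefs = json.loads(prefs_text)
    return prefs.get("extensions", {}).get("settings", {})


def sideload_reasons(entry: dict) -> list:
    """List why an extension entry looks sideloaded (empty list = looks normal)."""
    location = entry.get("location")
    if location == LOCATION_COMPONENT:
        return []  # browser-bundled component, not user-installed
    path = entry.get("path", "")
    # Store installs use a relative "<id>\<version>" path; unpacked ones are absolute.
    absolute = PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()
    reasons = []
    if location == LOCATION_UNPACKED or absolute:
        reasons.append("unpacked")
    if not entry.get("from_webstore", False):
        reasons.append("not_from_webstore")
    return reasons


def audit_profile(prefs_text: str) -> list:
    """Return a finding dict for every suspicious extension in the prefs text."""
    findings = []
    for ext_id, entry in load_extension_settings(prefs_text).items():
        reasons = sideload_reasons(entry)
        if not reasons:
            continue
        manifest = entry.get("manifest", {})
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "path": entry.get("path", ""),
            "permissions": manifest.get("permissions", []),
            "reasons": reasons,
        })
    return findings


def audit_profile_dir(profile_dir: str) -> list:
    """Audit a real profile folder, e.g. ...\\User Data\\Default."""
    findings = []
    # Newer builds keep extension records in Secure Preferences; check both.
    for name in ("Secure Preferences", "Preferences"):
        candidate = Path(profile_dir) / name
        if candidate.is_file():
            findings.extend(audit_profile(candidate.read_text(encoding="utf-8")))
    return findings


if __name__ == "__main__":
    results = audit_profile_dir(sys.argv[1]) if len(sys.argv) > 1 \
        else audit_profile(SAMPLE_SECURE_PREFERENCES)
    for f in results:
        print(f"{f['id']}  {f['name']!r}  {','.join(f['reasons'])}  "
              f"path={f['path']}  permissions={f['permissions']}")
```

Run it with a profile directory as the argument to audit a real browser (Edge and Whale use the same file names under their own `User Data` folders); with no argument it audits the constructed sample and reports only the unpacked entry. The output is triage evidence, not a tamper-proof check: Chromium signs these entries with per-entry MACs, and an attacker who rewrites the file, as the article describes, can also recompute them, so the absolute path, the missing Web Store provenance and broad permissions such as `tabs` and `<all_urls>` are the signals worth reviewing.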
Because the extension itself does not include obviously malicious code, it is likely to evade detection by antimalware solutions, Volexity notes. The extension also allows the attackers to dynamically update its code without having to re-install it on the infected machine.
Sharpext maintains lists of email addresses to ignore, previously stolen emails and attachments, and monitored tabs, to avoid exfiltrating the same data multiple times. It also monitors domains that the victim visits.
“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it,” Volexity notes.