SecurityWeek

Cyberwarfare

N Korean APT Uses Browser Extension to Steal Emails From Foreign Policy, Nuclear Targets

Over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports.

Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for the targeting of entities in South Korea, but also some located in Europe and the United States.

For over a year, Volexity has observed the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale – a Chromium-based browser used in South Korea – to steal data directly from the victims’ email accounts.

Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity says.

According to Volexity, “the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

The extension is deployed manually on previously compromised systems, and requires the attacker to replace the browser’s legitimate preferences files with modified ones.

“Deployment of Sharpext is highly customized, as the attacker must first gain access to the victim’s original browser Security Preferences file. This file is then modified and used to deploy the malicious extension. Volexity has observed SharpTongue deploying Sharpext against targets for well over a year; and, in each case, a dedicated folder for the infected user is created containing the required files for the extension,” Volexity notes.

A PowerShell script is used to kill the browser process so that the required preference files can be replaced. After the extension has been deployed, a second PowerShell script enables DevTools to inspect the contents of the tab the user is accessing and to exfiltrate data of interest.
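Because Sharpext is installed by editing the browser's preference files rather than through an extension store, one place a defender can look for it is the profile's own extension registry. The following script is an added example written for this article, not code from Volexity or SecurityWeek: it parses the `extensions.settings` section of a Chromium "Secure Preferences" file and reports extensions that are not marked as coming from the web store or that point at an absolute local path, which is how a manually copied, unpacked extension appears. The key names (`extensions.settings`, `from_webstore`, `path`, `manifest`) are the ones Chromium uses; the sample file content, extension IDs, names and paths are constructed for illustration, and the list of "broad" permissions is a heuristic chosen here to annotate findings.

```python
"""Hunt for side-loaded extensions in a Chromium 'Secure Preferences' file.

Chromium-based browsers (Chrome, Edge, Naver Whale) record installed
extensions under extensions.settings in the profile's 'Secure Preferences'
JSON file. An extension copied onto disk by hand shows up with an absolute
'path' and without the 'from_webstore' flag; this script lists such entries
for analyst review. Sample data below is constructed, not taken from a real
incident.
"""
import json
import sys
from pathlib import PurePosixPath, PureWindowsPath

# Permissions that give an extension visibility into tabs and page content.
# Used only to annotate findings (heuristic list chosen for this example).
BROAD_PERMISSIONS = {"tabs", "<all_urls>", "webRequest", "webNavigation", "cookies"}

# Constructed sample of the relevant part of a Secure Preferences file.
# Extension IDs, names and paths are made up for illustration.
SAMPLE_SECURE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "state": 1,
                # store installs live under the profile's Extensions folder
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {"name": "Store extension", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "state": 1,
                # hypothetical hand-deployed extension: absolute path, no webstore flag
                "path": "C:\\Users\\victim\\AppData\\Roaming\\ext\\",
                "manifest": {"name": "Helper", "permissions": ["tabs", "<all_urls>"]},
            },
        }
    }
}


def is_local_path(p: str) -> bool:
    """True when the stored path is absolute on Windows or POSIX, i.e. it
    points outside the profile's own Extensions folder."""
    return PureWindowsPath(p).is_absolute() or PurePosixPath(p).is_absolute()


def find_sideloaded(prefs: dict) -> list:
    """Return one finding per extension entry that lacks the webstore flag
    or is loaded from an absolute local path."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not marked from_webstore")
        if is_local_path(entry.get("path", "")):
            reasons.append("absolute local path")
        if not reasons:
            continue
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unnamed>"),
            "path": entry.get("path", ""),
            "reasons": reasons,
            "broad_permissions": sorted(perms & BROAD_PERMISSIONS),
        })
    return findings


def load_secure_prefs(path: str) -> dict:
    """Load a Secure Preferences file from disk (it is plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # Usage: python hunt_extensions.py [path/to/Secure Preferences]
    prefs = load_secure_prefs(argv[1]) if len(argv) > 1 else SAMPLE_SECURE_PREFS
    for f in find_sideloaded(prefs):
        print(f"{f['id']}  {f['name']!r}  path={f['path']}")
        print(f"    reasons: {', '.join(f['reasons'])}")
        if f["broad_permissions"]:
            print(f"    broad permissions: {', '.join(f['broad_permissions'])}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a copy of each user's "Secure Preferences" file (Chrome, Edge and Whale each keep one per profile). Findings are for review rather than automatic blocking: enterprise-deployed and component extensions also lack the webstore flag, so an analyst should compare the flagged path and manifest against what the organisation expects to be installed.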

Because the extension itself does not include obviously malicious code, it is likely to evade detection by antimalware solutions, Volexity notes. The extension also allows the attackers to dynamically update its code without having to re-install it on the infected machine.

Sharpext maintains lists of email addresses to ignore, previously stolen emails and attachments, and monitored tabs, to avoid exfiltrating the same data multiple times. It also monitors domains that the victim visits.

“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it,” Volexity notes.

Related: US Offers $10 Million for Information on North Korean Hackers

Related: U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.