Researchers from security firm Volexity have found a novel malware called SHARPEXT that North Korean hacker group SharpTongue uses to read and download emails and attachments from victims’ Gmail and AOL accounts.
Volexity reports that the malware has been in use for more than a year against organisations in the US, Europe and South Korea that work on nuclear weapons and other topics of strategic interest to North Korea.
SharpTongue, the group behind the malware, is backed by the North Korean government and, according to the researchers, overlaps with the activity publicly tracked as Kimsuky.
Browser extension doing the deed
The initial compromise is done through spear phishing or other social engineering: the attacker persuades the target to open a malicious document, which in turn installs the malware.
The malware installs itself as a browser extension and goes undetected by Gmail and AOL, because it reads mail from inside the victim's own browser session rather than logging in from elsewhere. Currently the malware only supports Windows, but Volexity notes it could just as easily be extended to macOS and Linux browsers. Since the victim's browser is already logged in, credentials and MFA (multi-factor authentication) have already been satisfied, and the extension gets unfettered access to the target's mailbox.
Installing a browser extension while phishing a target isn't easy. Chromium-based browsers protect sensitive user settings, including which extensions are installed, so that malware or a rogue extension cannot simply rewrite them.
To get around this, the attackers extract the HMAC seed the browser uses to protect those settings, the user's S-ID value and the original Preferences and Secure Preferences files from the victim's system. SHARPEXT then modifies the preference files so that the browser accepts them and automatically loads the extension, while a PowerShell script enables DevTools on the browser.
DevTools is the browser's built-in developer toolset, normally used by web developers to inspect and debug in-browser functionality; with it enabled, the extension can run custom code against the pages the browser has open.
The malware then scans all processes associated with the infected browser and looks for tabs matching a specific keyword. Once such a tab is found, the extension sends HTTP POST requests to the attacker's server using the following modes:
| HTTP POST data | Description |
| --- | --- |
| mode=list | Lists previously collected emails to avoid collecting redundant data. The list is updated every time the extension executes. |
| mode=domain | Lists previously contacted email domains. |
| mode=black | Collects a block list of email addresses to be ignored when fetching victims' emails. |
| mode=newD&d=[data] | Adds a domain to the list of domains viewed by the victim. |
| mode=attach&name=[data]&idx=[data]&body=[data] | Uploads an attachment to the remote (attacker's) server. |
| mode=new&mid=[data]&mbody=[data] | Uploads Gmail data to the remote (attacker's) server. |
| mode=new_aol&mid=[data]&mbody=[data] | Uploads AOL data to the remote (attacker's) server. |
| mode=attlist | Receives a list of attachments to transfer to the remote (attacker's) server. Was found to be inactive. |
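The modes in the table above are plain form-encoded POST bodies, so they can be matched in proxy or web-server logs. The following is an added example, not Volexity's or the malware's code: it classifies captured POST bodies against the table, requires the companion parameters the table lists for each mode, and marks the three modes that move victim data to the C2. The sample bodies are constructed; how the real sample encodes `mbody` and `body` is not stated on the page, so the detector only checks that the parameters are present.

```python
# Added example (not from the original article or Volexity): classify HTTP POST
# bodies against the SHARPEXT C2 "mode=" values from the table above.
from urllib.parse import parse_qs

# Modes and meanings taken from the table; the three EXFIL modes carry victim data.
SHARPEXT_MODES = {
    "list": "sync list of already-collected mail",
    "domain": "sync list of contacted domains",
    "black": "fetch block list of addresses to ignore",
    "newD": "report a newly seen domain",
    "attach": "EXFIL attachment",
    "new": "EXFIL Gmail message",
    "new_aol": "EXFIL AOL message",
    "attlist": "fetch list of attachments to transfer",
}
EXFIL_MODES = {"attach", "new", "new_aol"}

# Companion parameters each mode must carry, per the table.
REQUIRED_PARAMS = {
    "newD": {"d"},
    "attach": {"name", "idx", "body"},
    "new": {"mid", "mbody"},
    "new_aol": {"mid", "mbody"},
}


def classify_post_body(body: str):
    """Return (mode, description, is_exfil, fields) for a SHARPEXT-style body, else None.

    Note: parse_qs decodes '+' as a space, so a real detector should treat the
    mbody/body values as opaque; here only their presence is checked.
    """
    params = parse_qs(body, keep_blank_values=True)
    modes = params.get("mode")
    if not modes or modes[0] not in SHARPEXT_MODES:
        return None
    mode = modes[0]
    if not REQUIRED_PARAMS.get(mode, set()).issubset(params):
        return None  # right mode name but not the shape the table describes
    fields = {k: v[0] for k, v in params.items() if k != "mode"}
    return (mode, SHARPEXT_MODES[mode], mode in EXFIL_MODES, fields)


def scan_bodies(bodies):
    """Run classify_post_body over many bodies and return the hits in order."""
    hits = []
    for body in bodies:
        hit = classify_post_body(body)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample bodies for the example (not captured traffic).
SAMPLE_BODIES = [
    "mode=list",
    "mode=new&mid=17f3a2b0c1d2e3f4&mbody=RnJvbTogYWxpY2VAZXhhbXBsZS5jb20",
    "mode=attach&name=report.docx&idx=0&body=UEsDBBQABgAIAAAAIQ",
    "mode=new&mid=123",                   # mbody missing: not the documented shape
    "username=bob&password=hunter2",      # unrelated form post
]

if __name__ == "__main__":
    for mode, desc, exfil, fields in scan_bodies(SAMPLE_BODIES):
        flag = "EXFIL" if exfil else "sync "
        print(f"{flag} mode={mode:8} {desc} {fields}")
```

In practice the `mode=` names alone are generic enough to collide with unrelated web forms, so the companion-parameter check is what keeps the false-positive rate down; pair it with the IOCs Volexity published for the C2 hosts.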
The script also hides any windows that could alert the victim. Microsoft Edge, for example, periodically warns the user that an extension is running in developer mode; the script keeps checking for that warning window and hides it before the user can see it.
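Because the attackers recompute the HMACs that protect the preference files, the browser's own integrity check will not complain; the tampering has to be found by reading the files' contents. The following is an added example, not Volexity's or the attackers' code, that inspects a Chromium Preferences or Secure Preferences document for two indicators of the technique described above: developer mode switched on, and an extension registered as unpacked (loaded from a directory on disk rather than from a store). The location code 4 for unpacked extensions follows Chromium's `Manifest::Location` enum and the `devtools_page` manifest key is assumed as a marker of an extension that hooks DevTools; both are assumptions to verify against the browser build you inspect. The sample document is constructed.

```python
# Added example (not from the original article or Volexity): look for the
# developer-mode and sideloaded-extension indicators described above in a
# Chromium "Preferences" / "Secure Preferences" JSON document.
import json

# Chromium Manifest::Location value for an unpacked (directory-loaded) extension.
# Assumption to verify against the browser build being inspected.
UNPACKED_LOCATION = 4


def find_extension_indicators(prefs_json: str) -> dict:
    """Inspect a Chromium preferences document.

    Returns {"developer_mode": bool, "findings": [(extension_id, reason), ...]}.
    """
    prefs = json.loads(prefs_json)
    ext = prefs.get("extensions", {})
    developer_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    findings = []
    for ext_id, settings in ext.get("settings", {}).items():
        if not isinstance(settings, dict):
            continue
        manifest = settings.get("manifest", {})
        if settings.get("location") == UNPACKED_LOCATION:
            path = settings.get("path", "<unknown>")
            findings.append((ext_id, f"unpacked extension loaded from {path}"))
        if "devtools_page" in manifest:  # assumption: marks an extension hooking DevTools
            findings.append((ext_id, f"registers a DevTools page: {manifest['devtools_page']}"))
    return {"developer_mode": developer_mode, "findings": findings}


# Constructed sample document for the example (not a real victim's file).
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "location": 1,  # store-installed, path is relative to the profile
                "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\1.2.3_0",
                "manifest": {"name": "Benign store extension", "version": "1.2.3"},
            },
            "abcdefghijklmnopabcdefghijklmnop": {
                "location": UNPACKED_LOCATION,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {
                    "name": "Mail helper",
                    "version": "3.0",
                    "devtools_page": "devtools.html",
                    "permissions": ["tabs", "<all_urls>"],
                },
            },
        },
    }
})

if __name__ == "__main__":
    result = find_extension_indicators(SAMPLE_PREFS)
    print("developer mode:", result["developer_mode"])
    for ext_id, reason in result["findings"]:
        print(f"{ext_id}: {reason}")
```

On a live host, run this over every profile's Preferences and Secure Preferences files and treat an unpacked extension together with developer mode on a non-developer's machine as something to triage, alongside the file names and other indicators Volexity published.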
Volexity has also published images, file names and other indicators that can be used to determine whether a browser has been infected. To detect and prevent these attacks, Volexity recommends the following:
- Use the YARA rules it published to detect activity.
- Block the indicators of compromise (IOCs) it published.
Volexity also warns that this type of attack is becoming an increasingly large threat that is unlikely to go away any time soon.