Researchers have discovered an unprecedented malware that hackers from North Korea used to secretly read and download emails and attachments from infected users’ Gmail and AOL accounts.
Dubbed SHARPEXT by researchers at security firm Volexity, the malware uses clever tools to install browser extensions for Chrome and Edge browsers. blog post. The extension is undetectable by email services, and since the browser is already authenticated through any multi-factor authentication protection, this increasingly popular security measure plays no role in account compromise.
The malware has been in use for “over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is funded by the North Korean government and coincides with a Followed group like Kimsuky by other researchers. SHARPEXT targets organizations in the United States, Europe and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.
Steven Adair, president of Volexity, said in an email that the extension “is installed through spear phishing and social engineering, where the victim is tricked into opening a malicious file. In the past, we’ve seen DPRK threat actors launch spear phishing attacks. Get the victim to install the browser extension, rather, it is a post-exploitation mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it couldn’t be extended to infect browsers running macOS or Linux.
The blog post added: “The visibility of Volexity itself indicates that the extension was quite successful, with logs obtained by Volexity showing that the attacker was able to successfully steal thousands of emails from multiple victims through the deployment of the malware.”
It is not easy to install a browser extension without the end user noticing during a phishing operation. The developers of SHARPEXT focused on studies such as those published publicly here, hereand here, which shows how a security mechanism in the Chromium browser engine prevents malware from modifying sensitive user settings. Every time a legitimate change is made, the browser receives a cryptographic hash of a piece of code. At the start, the browser checks the hashes, and if any of them do not match, the browser asks to restore the old settings.
In order for attackers to work around this protection, they must first remove the following from the compromised computer:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- of the user S-ID value
- Original Preferences and Secure Preferences files from the user’s system
After modifying the preference files, SHARPEXT automatically loads the extension and executes a DevTools-enabled PowerShell script that allows the browser to run customized code and settings.
“The script runs in an infinite loop that checks the processes associated with the targeted browsers,” explained Volexity. “If any targeted browsers are detected running, the script checks the tab header for a specific keyword (e.g. “05101190” or “Tab+” depending on SHARPEXT version). The specific keyword is inserted into the header by the malicious actor. when the active tab changes or extension when the page loads.”
The post continued:
Perceptible keystrokes are equivalent to this
Control+Shift+J, a shortcut to enable the DevTools panel. Finally, hide the newly opened DevTools window using a PowerShell script ShowWindow() API and
SW_HIDEflag. At the end of this process, DevTools is activated in the active tab, but the window is hidden.
In addition, this script is used to hide any windows that might alert the victim. For example, Microsoft Edge periodically displays a warning message to the user if extensions are running in developer mode (Figure 5). The script constantly checks if this window is visible and hides it using
Once installed, the extension can perform the following requests:
|HTTP POST History||Description|
|mode=list||List the previously collected email from the victim to ensure that duplicates are not uploaded. This list is continuously updated as SHARPEXT runs.|
|mode=domain||List the email domains the victim has previously contacted. This list is continuously updated as SHARPEXT runs.|
|mode = black||Compile a blacklist of email senders that should not be considered when collecting email from a victim.|
|mode=newD&d=[data]||Add a domain to the list of all domains viewed by the victim.|
|mode=add&name=[data]&idx=[data]&body=[data]||Upload a new attachment to the remote server.|
|mode=new&mid=[data]&mbody=[data]||Upload Gmail data to a remote server.|
|mode = attlist||Comment of the aggressor; get a list of plugins to uninstall.|
|mode=new_aol&mid=[data]&mbody=[data]||Upload AOL data to a remote server.|
SHARPEXT allows hackers to create lists of email addresses and track emails or attachments that have already been stolen.
Volexity created an orchestration summary of the following SHARPEXT components it analyzed:
The blog post provides images, file names, and other indicators that trained people can use to identify whether they are targeted or infected by this malware. The company warned that the threat posed by it is increasing over time and will not go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool that contained numerous bugs, indicating that the tool was immature,” the company said. “Recent updates and ongoing maintenance show that the attacker is achieving his goals and finds value in continuing to improve it.”