North Korean hackers use browser extension to spy on Gmail and AOL accounts


Cybersecurity firm Volexity has spotted new activity by a threat actor (TA) allegedly associated with North Korea that deploys malicious extensions to Chromium-based web browsers.

A recent advisory from the security researchers dubbed this TA SharpTongue, although it is publicly referred to as Kimsuky.

Volexity said it frequently observed SharpTongue targeting people working for organizations in the United States, Europe and South Korea.

In particular, the TA would victimize individuals and companies that work on matters involving North Korea, nuclear issues, weapons systems, and other issues of strategic interest to North Korea.

The new advisory also clarifies that while SharpTongue’s toolset is well documented in public sources, in September 2021, Volexity began observing an undocumented malware family used by SharpTongue dubbed “SHARPEXT”.

“SHARPEXT differs from previously documented extensions used by the ‘Kimsuky’ actor, in that it does not attempt to steal usernames and passwords,” the advisory explains.

“Instead, the malware directly inspects and exfiltrates data from a victim’s webmail account when browsing it.”

Volexity says the extension has evolved since its discovery and is now at version 3.0, according to its internal versioning.

In fact, early versions of SHARPEXT studied by Volexity only supported Google Chrome, while the latest version supports Chrome, Edge, and Whale (a Chromium-based browser used almost exclusively in South Korea).

As for deployment, the attackers first manually exfiltrate the files needed to install the extension from the infected workstation; SHARPEXT is then installed manually via an attacker-written VBS script.

And while the use of malicious browser extensions by North Korean hackers is nothing new, this is the first time Volexity has observed malicious browser extensions being used as part of the post-exploitation phase of a compromise.

“By stealing email data in the context of a user’s already logged-in session, the attack is hidden from the email provider, making detection very difficult,” the security researchers explained.

To detect and investigate such attacks, Volexity recommended enabling PowerShell ScriptBlock logging and analyzing its results, and periodically reviewing the extensions installed on high-risk users' machines.

Possible mitigation strategies include using the YARA rules Volexity published to detect related activity and blocking the indicators of compromise (IoCs) it listed.
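The periodic review of installed extensions recommended above can be scripted. The following is an added example, not code from Volexity's report: it parses the extension settings from a Chromium profile's Secure Preferences file (a constructed sample is embedded) and lists enabled extensions that were not installed from the Web Store, noting whether their permissions reach the webmail hosts named in this article. The ManifestLocation values, the Windows profile path and the webmail host list are assumptions drawn from Chromium's layout, not from the report.

```python
import json

# Chromium ManifestLocation values: COMPONENT (5) and EXTERNAL_COMPONENT (10)
# are browser-bundled; UNPACKED (4) and COMMAND_LINE (8) are sideload routes.
COMPONENT_LOCATIONS = {5, 10}
SIDELOAD_LOCATIONS = {4: "unpacked", 8: "command_line"}
# Webmail services named in the article, matched against host permissions.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")

# Constructed sample of the "extensions.settings" block of a Chromium
# profile's Secure Preferences file (Chrome on Windows keeps it under
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\). IDs and names are made up.
SAMPLE_SECURE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Store Extension", "version": "2.1",
                     "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\user\\AppData\\Roaming\\helper",
        "manifest": {"name": "Helper", "version": "3.0", "permissions":
                     ["tabs", "webRequest", "*://mail.google.com/*"]}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": False, "location": 5, "state": 1,
        "manifest": {"name": "Bundled", "version": "1.0"}},
}}})


def review_extensions(secure_prefs_json: str) -> list:
    """Return enabled extensions that did not come from the Web Store and are
    not browser-bundled, with the details an analyst needs to triage them."""
    settings = json.loads(secure_prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("state") != 1:  # 1 = enabled; skip disabled entries
            continue
        location = entry.get("location")
        if entry.get("from_webstore") or location in COMPONENT_LOCATIONS:
            continue
        manifest = entry.get("manifest", {})
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "install": SIDELOAD_LOCATIONS.get(location, f"other({location})"),
            "path": entry.get("path", ""),
            "webmail_access": any(h in p for p in perms for h in WEBMAIL_HOSTS),
        })
    return findings
```

Running it over a real profile means reading the Secure Preferences file from disk instead of the constructed sample; Edge and Whale keep an analogous file under their own User Data folders.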

Responding to the report, a Google spokesperson commented, “The extension in question is not in the Chrome store, and this report does not identify an exploit in Gmail. This is a scenario where a system must already be compromised – through spear phishing or social engineering – for the malicious extension to be deployed. Enabling anti-malware services and using secure operating systems such as ChromeOS are best practices to prevent this and other similar types of attacks.”
