North Korean hackers use malicious browser extension to spy on email accounts


A threat actor with interests aligned with North Korea has deployed a malicious extension on Chromium-based web browsers capable of stealing email content from Gmail and AOL.

Cybersecurity firm Volexity attributed the malware to a cluster of activities it calls SharpTongue, which is said to share overlaps with a hostile collective publicly referred to as Kimsuky.

SharpTongue has a history of selecting individuals to work for organizations in the US, Europe, and South Korea that “work on topics related to North Korea, nuclear issues, weapons systems, and other matters of strategic importance to North Korea.” researchers Paul Rascagneres and Thomas Lancaster said.

Kimsuky‘s use of rogue extensions in attacks is not new. In 2018, the actor was seen using a Chrome plugin as part of a campaign called Stolen pencil to infect victims and steal browser cookies and passwords.

But the latest spying effort is different because it uses the Sharpext extension to loot email data. “The malware inspects and exfiltrates data directly from a victim’s webmail account as they browse through it,” the researchers noted.

Targeted browsers include Google Chrome, Microsoft Edge, and Naver’s Whale browsers, with the email theft malware designed to collect information from Gmail and AOL sessions.

Installation of the add-on is accomplished by replacing the browser’s Preferences and secure preferences files containing the files received from a remote server after a successful breach on a target Windows system.

This step is followed by enabling the DevTools panel within the active tab to steal email and attachments from a user’s mailbox, while simultaneously taking steps to hide them warning messages on running developer mode extensions.

Volexity characterized the campaign as “fairly successful”, citing the attacker’s ability to “steal thousands of emails from multiple victims through the malware’s implementation”.

“This is the first time Volexity has observed malicious browser extensions being used as part of the post-exploit phase of a compromise,” the researchers said. “Stealing email data in the context of a user’s already logged-in session hides the attack from the email provider, making detection very challenging.”

The findings come just months after the Kimsuky actor was linked with break-ins against political institutions in Russia and South Korea to deliver an updated version of a remote access trojan known as Konni.

Last week, cybersecurity firm Securonix completed an ongoing attack campaign that exploited high-value targets including the Czech Republic, Poland and other countries as part of a campaign codenamed STIFF#BIZON to distribute the Konni malware.

While the tactics and tools used in the break-ins point to a North Korean hacking group called APT37, the evidence gathered regarding the attack infrastructure suggests the involvement of the Russian-affiliated APT28 actor (aka Fancy Bear or Sofacy). .

Ultimately, what makes this particular case interesting is the use of Konni malware in conjunction with trade agreements with APT28,” the researchers said. saidadding that it could be a case of one group masquerading as another to confuse attribution and escape detection.