North Korean attackers use malicious browser extension to steal emails
A notorious attack group based in North Korea has deployed a malicious browser extension for Chrome and Edge that can steal email content from open Gmail sessions and overwrite the victim’s browser preference files.
The extension has been in use for almost a year, and the group deploying it, primarily known as Kimsuky, uses it as a post-exploitation tool to maintain persistence on the victim’s machine. Researchers from Volexity identified the extension, which they call SHARPEXT, during certain incident response engagements. Unlike many other malicious browser extensions, SHARPEXT does not exist to steal credentials, but is designed specifically to steal data from victims’ inboxes. Attackers manually install the extension with a VBS script after the initial machine compromise.
In order to install the extension, the attackers go to the trouble of replacing the Preferences and Secure Preferences files for the target Chromium-based browser, which is not an easy process.
“The secure preferences file contains a known state of the user’s profile information. When starting Chromium-based browsers, if the preferences files do not match the configuration loaded, the current configuration will be replaced with the contents of the secure preferences file. The Chromium engine has a built-in mechanism that requires the Secure Preferences file to contain a valid ‘super_mac’ value to prevent manual editing of this file,” Volexity researchers Paul Rascagneres and Thomas Lancaster said in an explanation of the attack.
To accomplish the task of replacing the Secure Preferences file, attackers collect specific information from the browser and then generate a new file, which then runs when the browser starts. The attackers, which Volexity calls SharpTongue, then use a second script to hide some of the extension’s actions and any windows that might appear to warn victims of anomalous activity. The extension then runs a pair of listeners that look for specific types of activity in browser tabs.
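Because the attackers regenerate a valid super_mac, the integrity check itself will not flag the swapped file; a defender instead has to inventory what the file now declares. The following added script (not Volexity’s tooling or from the article) parses a constructed Secure Preferences sample and flags extension entries that were not installed from the Web Store, are loaded unpacked from an absolute path, or lack a per-preference MAC. The numeric location codes follow Chromium’s ManifestLocation enum (1 = internal, 4 = unpacked, 8 = command line); all identifiers and paths in the sample are made up.

```python
import json

# Chromium ManifestLocation codes (extensions/common/mojom/manifest.mojom)
INTERNAL, UNPACKED, COMMAND_LINE = 1, 4, 8

# Constructed sample of a Secure Preferences file: fake extension IDs,
# fake paths and placeholder MAC strings, not a real capture.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": INTERNAL, "state": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0"},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": UNPACKED, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext"},
        "cccccccccccccccccccccccccccccccc": {
            "from_webstore": True, "location": INTERNAL, "state": 1,
            "path": "cccccccccccccccccccccccccccccccc\\0.1_0"},
    }},
    "protection": {
        "macs": {"extensions": {"settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "MAC_PLACEHOLDER",
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "MAC_PLACEHOLDER",
        }}},
        "super_mac": "SUPER_MAC_PLACEHOLDER",
    },
})


def find_suspicious_extensions(secure_prefs_text: str) -> list:
    """Return [{id, reasons}] for extension entries worth an analyst's look."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = (prefs.get("protection", {}).get("macs", {})
                 .get("extensions", {}).get("settings", {}))
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") in (UNPACKED, COMMAND_LINE):
            reasons.append("loaded unpacked or via command line")
        path = entry.get("path", "")
        # Web Store installs use a path relative to the profile's
        # Extensions directory; an absolute path means a sideloaded folder.
        if ":" in path or path.startswith("/"):
            reasons.append(f"absolute install path: {path}")
        if ext_id not in macs:
            reasons.append("no per-preference MAC recorded")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return findings
```

On a live host, read the profile’s Secure Preferences file into the function and compare the flagged IDs against the extensions the user knowingly installed.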
“Early versions of the malicious extension encountered by Volexity only supported Gmail accounts. The latest version supports both Gmail and AOL email accounts. The purpose of response scanning is to steal emails and attachments from a user’s mailbox. The extension can generate web requests to download additional emails from the web page,” the researchers said.
Kimsuky/SharpTongue is a well-known and highly active North Korea-aligned threat group that is primarily associated with cyber espionage attacks and IP theft operations. The group uses a number of custom tools and malware, including Babyshark. The SHARPEXT extension is under development, and Volexity researchers have stated that its installation is customized for each victim.
“The use of malicious browser extensions by North Korean threat actors is not new; this tactic has typically been used to infect users as part of the delivery phase of an attack. However, this is the first time that Volexity has observed malicious browser extensions being used as part of the post-exploitation phase of a compromise,” the researchers said.
“By stealing email data in the context of a user’s already logged-in session, the attack is hidden from the email provider, making detection very difficult. Likewise, the way the extension works means that suspicious activity wouldn’t be logged in the ‘account activity’ status page of a user’s email, if they looked at it.”
SHARPEXT was installed on Chrome, Edge, and Whale, a South Korean browser.