North Korean hackers use malicious browser extension to spy on email accounts
A malicious actor operating with interests aligned with North Korea has deployed a malicious extension to Chromium-based web browsers capable of stealing email content from Gmail and AOL.
Cybersecurity firm Volexity attributed the malware to a cluster of activity it calls SharpTongue, which is said to overlap with an adversarial collective publicly referred to as Kimsuky.
SharpTongue has a habit of singling out individuals working for organizations in the United States, Europe, and South Korea who “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea”, researchers Paul Rascagneres and Thomas Lancaster said.
Kimsuky’s use of rogue extensions in attacks is nothing new. In 2018, the actor was seen using a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.
But the latest spying effort is different in that it uses the extension, named Sharpext, to plunder email data. “The malware directly inspects and exfiltrates data from a victim’s webmail account when browsing it,” the researchers noted.
Browsers targeted include Google Chrome, Microsoft Edge and Naver’s Whale, with the mail-stealing malware designed to collect information from Gmail and AOL sessions.
Installation of the add-on is carried out by replacing the browser’s Preferences and Secure Preferences files with ones received from a remote server, following a successful breach of the target Windows system.
The extension then works by enabling the DevTools panel in the active tab to steal emails and attachments from the user’s mailbox, while simultaneously taking steps to hide any warning messages about running extensions in developer mode.
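Because the infection chain described above swaps in attacker-supplied Preferences and Secure Preferences files, one defensive check is to inspect those JSON files for extensions that were not installed from the Chrome Web Store. The script below is an added example written for this article, not code from Volexity or from the campaign; the sample preferences it scans are constructed, and the field meanings it relies on (the per-extension `location`, `from_webstore` and `path` entries under `extensions.settings`, with `location` 4 meaning an unpacked developer-mode extension) are assumptions taken from the Chromium source, not from the report.

```python
import json
import ntpath
import os

# Assumption from Chromium's Manifest::Location enum: 4 = loaded unpacked,
# i.e. a developer-mode extension rather than one installed from the Web Store.
LOCATION_UNPACKED = 4

# Permissions that give an extension reach into other tabs and web traffic.
SUSPICIOUS_PERMISSIONS = {"tabs", "webRequest", "<all_urls>", "debugger"}

# Constructed sample of the "extensions.settings" section of a Chrome
# "Secure Preferences" file: one Web Store extension and one sideloaded one.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Example Store Extension",
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\ext_payload",
                "manifest": {"name": "Helper",
                             "permissions": ["tabs", "webRequest", "<all_urls>"]},
            },
        }
    }
})


def find_sideloaded_extensions(prefs_text):
    """Return findings for every extension that did not come from the Web Store.

    Each finding is a dict with the extension id, its manifest name and the
    reasons it was flagged. Web Store extensions produce no finding.
    """
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        if not entry.get("from_webstore", False):
            reasons.append("not from Chrome Web Store")
        path = entry.get("path", "")
        # Store extensions keep a path relative to the profile directory;
        # an absolute path points at a directory the attacker dropped (assumption).
        if ntpath.isabs(path):
            reasons.append("absolute path outside profile: %s" % path)
        manifest = entry.get("manifest", {})
        risky = sorted(set(manifest.get("permissions", [])) & SUSPICIOUS_PERMISSIONS)
        if reasons and risky:
            reasons.append("requests %s" % ", ".join(risky))
        if reasons:
            findings.append({"id": ext_id,
                             "name": manifest.get("name", "?"),
                             "reasons": reasons})
    return findings


def scan_profile(profile_dir):
    """Scan both preference files of a Chrome/Edge/Whale user profile directory."""
    results = {}
    for filename in ("Preferences", "Secure Preferences"):
        full = os.path.join(profile_dir, filename)
        if os.path.exists(full):
            with open(full, encoding="utf-8") as fh:
                results[filename] = find_sideloaded_extensions(fh.read())
    return results


if __name__ == "__main__":
    for finding in find_sideloaded_extensions(SAMPLE_SECURE_PREFERENCES):
        print(finding["id"], finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against a real profile with `scan_profile(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default")` (placeholder path); any extension flagged as unpacked, absent from the Web Store and holding tab or web-request permissions deserves a closer look, and a Secure Preferences file whose modification time does not match the browser’s own update activity is itself worth correlating with endpoint telemetry.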
Volexity called the campaign “quite successful”, citing the attacker’s ability to “steal thousands of emails from multiple victims through the deployment of the malware”.
“This is the first time Volexity has observed malicious browser extensions being used as part of the post-exploit phase of a compromise,” the researchers said. “By stealing email data in the context of a user’s already logged-in session, the attack is hidden from the email provider, making detection very difficult.”
The findings come several months after the Kimsuky actor was connected to intrusions against political institutions located in Russia and South Korea to deliver an updated version of a remote access trojan known as Konni.
Then last week, cybersecurity firm Securonix disclosed a series of ongoing attacks against high-value targets, including in the Czech Republic, Poland and other countries, in a campaign dubbed STIFF#BIZON to distribute the Konni malware.
While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, the evidence gathered regarding the attack infrastructure suggests the involvement of the Russian-aligned actor APT28 (aka Fancy Bear or Sofacy).
“Ultimately what makes this particular case interesting is the use of the Konni malware in conjunction with tradecraft similarities to APT28,” the researchers said, adding that it could be one group impersonating another in order to confuse attribution and evade detection.
Update: Following the story’s publication, Google told The Hacker News that the extension used in the attacks was not available on its official Chrome Web Store and that the infection requires the adversary to have already compromised the targets’ systems by other means.
“The extension in question is not in the Chrome Store, and this report does not identify an exploit in Gmail,” the tech giant said. “This points to a scenario where a system must already be compromised – through spear phishing or social engineering – for the malicious extension to be deployed.”
“Enabling anti-malware services and using secure operating systems like ChromeOS are best practices to prevent this and other similar types of attacks,” the company added.