SharpTongue rolls out ‘SHARPEXT’ smart mail-stealing browser extension
Volexity tracks a variety of threat actors to deliver unique and actionable insights to its Threat Intelligence clients. One frequently encountered actor, whose activity often results in forensic investigations into compromised systems, is tracked by Volexity as SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to as Kimsuky. The definition of which threat activity falls under Kimsuky is a matter of debate among threat intelligence analysts. Some posts label as Kimsuky North Korean threat activity that Volexity tracks under other group names and does not attribute to SharpTongue. Volexity frequently observes SharpTongue targeting and victimizing people who work for organizations in the United States, Europe, and South Korea on matters involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.
The SharpTongue toolset is well documented in public sources; the last English-language article covering this set of tools was published by Huntress in 2021. The list of tools and techniques described in that article is what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting and undocumented malware family used by SharpTongue. Over the past year, Volexity has responded to several incidents involving SharpTongue and, in most cases, discovered a malicious Google Chrome or Microsoft Edge extension that Volexity calls “SHARPEXT”.