A cyber spy gang supported by North Korea is employing a malicious browser extension in its campaign to steal emails. Tracked by analysts as Kimsuky, the gang is targeting users of Google Chrome and Microsoft Edge.

The malevolent extension was uncovered by cybersecurity researchers at Volexity. Christened SHARPEXT by the analysts, the extension supports three different Chromium-based web browsers – Whale, Chrome and Edge – and is capable of stealing mail from AOL and Gmail accounts.

An insidious campaign uncovered

Volexity’s researchers spotted the campaign back in September of last year and have continued to track the cyber spy gang’s activities. The team recently commented on its findings and described Kimsuky’s modus operandi.

The threat actors must first compromise the victim’s system, using a custom VBS script, before they can install the malicious extension. They then replace the browser’s ‘Secure Preferences’ and ‘Preferences’ files with copies downloaded from the malware’s dedicated command-and-control server.

As soon as these replacement files are in place on the device, the browser automatically loads the insidious SHARPEXT extension.
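Defender-side triage of the two files the campaign replaces, as an added example that is not Volexity’s or the campaign’s code. It parses a Chromium profile’s Preferences and Secure Preferences (constructed samples embedded inline) and flags extension entries that did not come from the Web Store, were loaded unpacked, or have no protection MAC; the `from_webstore` and `location` keys are Chromium’s own, the MAC layout under `protection.macs` is assumed from Chromium’s tracked-preferences format, and the extension ids and MAC value are placeholders.

```python
import json

# Chromium Manifest::Location value for an extension loaded unpacked (developer mode).
LOCATION_UNPACKED = 4

# Constructed sample profile files (not real victim data): one Web Store extension
# with a protection MAC, and one sideloaded entry with no MAC. Ids are placeholders.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {}}})
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {"from_webstore": True, "location": 1},
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"from_webstore": False, "location": 4,
                                              "path": "C:\\Users\\Public\\ext"},
    }},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": "<constructed-mac-placeholder>"}}}},
})

def extension_settings(prefs: dict) -> dict:
    """Return the extensions.settings map from a parsed preferences file, or {}."""
    return prefs.get("extensions", {}).get("settings", {})

def suspicious_extensions(preferences_json: str, secure_preferences_json: str) -> dict:
    """Map extension id -> reasons it merits review. Heuristic triage, not proof."""
    preferences = json.loads(preferences_json)
    secure = json.loads(secure_preferences_json)
    # Secure Preferences stores an HMAC per tracked pref under protection.macs; an
    # extension entry without one was not written there by the browser itself.
    macs = (secure.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = {}
    for source, prefs in (("Preferences", preferences), ("Secure Preferences", secure)):
        for ext_id, entry in extension_settings(prefs).items():
            reasons = []
            if not entry.get("from_webstore", False):
                reasons.append(f"{source}: not installed from the Chrome Web Store")
            if entry.get("location") == LOCATION_UNPACKED:
                reasons.append(f"{source}: loaded unpacked (developer mode)")
            if source == "Secure Preferences" and ext_id not in macs:
                reasons.append("Secure Preferences: entry has no protection MAC")
            if reasons:
                findings.setdefault(ext_id, []).extend(reasons)
    return findings

if __name__ == "__main__":
    for ext_id, reasons in suspicious_extensions(SAMPLE_PREFERENCES,
                                                 SAMPLE_SECURE_PREFERENCES).items():
        print(ext_id, *reasons, sep="\n  - ")
```

Run against a real profile by reading the two files from the browser’s user-data directory and passing their contents in; a hit is a lead for review, not a verdict.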

Volexity commented on how the malicious extension is advancing:

“The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it. Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system.”

Volexity also revealed that the campaign its team uncovered lines up with previous attacks executed by Kimsuky, in which the group also unleashed the SHARPEXT extension in targeted attacks in Europe, South Korea and the US against individuals of interest involved with foreign policy and nuclear power.

Effective and stealthy attacks

The campaign’s attacks rely on stealth. They exploit the fact that the victim is already logged into an email session to steal their mail. Because of this window of opportunity, the attack can go entirely unnoticed by the target’s email provider, making detection challenging and, in some instances, impossible.

The malicious extension’s workflow does not trigger suspicious-activity alerts within the target’s accounts, which also means the cybercriminal activity will not be revealed by checking a webmail account’s status page for alerts.

The cybercriminals can employ SHARPEXT to obtain a vast range of data using various commands. They can list emails previously collected from a victim to avoid uploading duplicate content, a list that is constantly updated while SHARPEXT executes. They can add a domain to the list of domains the user has viewed, upload new attachments to their remote server, and upload both Gmail and AOL data to that server.

The recent campaign isn’t the first recorded instance of an Advanced Persistent Threat (APT) group from North Korea using browser extensions to collect and steal confidential information from victims’ breached systems. In 2018, the ASERT Team at Netscout discovered a spear-phishing strategy designed by Kimsuky that pushed a malicious Chrome extension to attack academic targets at numerous universities.