The extension, dubbed “SHARPEXT” by Volexity researchers has been linked to the North Korean-backed threat group, ‘SharpTongue’, which also goes by the name ‘Kimsuky’. SharpTongue has a history of targeting and victimizing individuals employed for organizations in the United States, Europe, and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.” According to the researchers, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue. Since its discovery, the extension has been growing and is currently at version 3.0, based on the internal versioning system. “SHARPEXT differs from previously documented extensions used by the ‘Kimsuky’ actor, in that it does not try to steal usernames and passwords. Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity wrote in a blog post. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. However, the latest version 3.0 supports Google Chrome, Microsoft Edge, and Naver’s Whale browsers and can steal email from both Gmail and AOL webmail. The attackers install the malicious extension on the victim’s device by replacing the browser’s Preferences and Secure Preferences files downloaded from the malware’s command-and-control (C2) server with those received from a remote server using a custom VBS script. Once the new preferences files are downloaded on the compromised device, the web browser quietly loads the SHARPEXT extension taking care to hide any warning messages about running developer mode extensions. This makes detection very difficult for the victim’s email provider if not impossible. “This is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise. By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging,” the researchers said. “Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email “account activity” status page, were they to review it.” Measures To Keep Yourself Protected Online Volexity recommends the following to broadly detect and investigate such attacks:
Enable and analyze the results of PowerShell ScriptBlock logging, as PowerShell plays a key role in the setup and installation of the malware. This could be useful for the identification and triage of malicious activity. Do a periodic review of installed extensions on machines of high-risk users to identify those not available on the Chrome Web Store or loaded from unusual paths.
To prevent these specific attacks, the security firm suggests the following:
Use the YARA rules here to detect related activity. Block the IOCs listed here.