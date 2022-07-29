



A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal email from Google Chrome or Microsoft Edge users reading webmail.

This extension, named SHARPEXT by the Volexity researchers who discovered the campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal email from Gmail and AOL accounts.

The attackers first compromise the target system with a custom VBS script, then install the malicious extension by replacing the browser’s “Preferences” and “Secure Preferences” files with versions downloaded from the malware’s command-and-control server.

Once the new configuration files are in place on the infected device, the web browser loads the SHARPEXT extension automatically.
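The installation step above leaves a trace a defender can look for: an extension entry in the profile’s “Secure Preferences” (or older “Preferences”) file that was not installed from the Web Store yet holds permissions reaching webmail. The script below is an added example, not Volexity’s code or anything from the report; it audits such a file. The sample JSON is constructed, the Chromium pref key names (`from_webstore`, `location`, `path`, `manifest.permissions`) and the `location` values 1 (Web Store) and 4 (unpacked) follow the Chromium extension-prefs schema as I know it and should be checked against your browser version, and the profile paths cover only the default Chrome/Edge profile.

```python
"""Audit Chromium 'Secure Preferences' / 'Preferences' for sideloaded extensions
that can reach webmail. Added example; not Volexity's or the malware's code."""
import json
import os
from pathlib import Path

# Assumed Chromium extension-prefs semantics: "location" 1 = installed from the
# Web Store (INTERNAL), 4 = loaded unpacked from a local directory.
LOCATION_WEBSTORE = 1
LOCATION_UNPACKED = 4

# Host patterns and API permissions that let an extension read webmail pages.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com", "<all_urls>")
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "scripting"}

# Constructed sample (not from a real profile): one Web Store extension and
# one unpacked extension that can read Gmail.
SAMPLE_SECURE_PREFS = r'''{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": true,
        "location": 1,
        "manifest": {"name": "Tab Notes", "permissions": ["storage"]},
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.0_0"
      },
      "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": false,
        "location": 4,
        "manifest": {"name": "Update Helper",
                     "permissions": ["tabs", "webRequest", "https://mail.google.com/*"]},
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext"
      }
    }
  }
}'''


def extension_entries(prefs_text):
    """Return {extension_id: settings_dict} from a preferences JSON document."""
    data = json.loads(prefs_text)
    return data.get("extensions", {}).get("settings", {}) or {}


def sideload_reasons(entry):
    """Reasons an entry looks sideloaded rather than installed from the store."""
    reasons = []
    if entry.get("from_webstore") is False:
        reasons.append("from_webstore is false")
    if entry.get("location") == LOCATION_UNPACKED:
        reasons.append("location is UNPACKED (loaded from a directory)")
    path = entry.get("path", "")
    # Store installs use a path relative to the profile's Extensions folder;
    # an absolute path (POSIX or Windows drive letter) means the code lives elsewhere.
    if os.path.isabs(path) or (len(path) > 1 and path[1] == ":"):
        reasons.append("absolute path: %s" % path)
    return reasons


def webmail_reach(entry):
    """Permissions that would let the extension read or intercept webmail."""
    perms = entry.get("manifest", {}).get("permissions", []) or []
    hits = [p for p in perms if any(h in p for h in WEBMAIL_HOSTS)]
    hits += [p for p in perms if p in SENSITIVE_APIS]
    return hits


def audit_extension_settings(prefs_text):
    """Flag extensions that are both sideloaded and able to reach webmail."""
    findings = []
    for ext_id, entry in extension_entries(prefs_text).items():
        reasons = sideload_reasons(entry)
        reach = webmail_reach(entry)
        if reasons and reach:
            findings.append({"id": ext_id,
                             "name": entry.get("manifest", {}).get("name", "?"),
                             "sideload": reasons, "permissions": reach})
    return findings


def profile_pref_files():
    """Existing Chrome/Edge default-profile pref files on this host."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    profiles = [local / "Google" / "Chrome" / "User Data" / "Default",
                local / "Microsoft" / "Edge" / "User Data" / "Default",
                home / ".config" / "google-chrome" / "Default",
                home / "Library" / "Application Support" / "Google" / "Chrome" / "Default"]
    return [p / n for p in profiles for n in ("Secure Preferences", "Preferences")
            if (p / n).is_file()]


if __name__ == "__main__":
    texts = [p.read_text(encoding="utf-8") for p in profile_pref_files()]
    for text in texts or [SAMPLE_SECURE_PREFS]:
        for f in audit_extension_settings(text):
            print("SUSPICIOUS %s (%s): %s; %s" % (f["id"], f["name"],
                  ", ".join(f["sideload"]), ", ".join(f["permissions"])))
```

Run it on a workstation and it prints every extension that is both sideloaded and able to touch webmail; with no profile found it falls back to the constructed sample. A production check would also re-verify the HMACs that Chromium keeps in the same file, since the page describes the attacker rewriting these files wholesale.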

“The malware directly inspects and steals that data while the victim browses their webmail account,” Volexity said on Thursday.

“Since its discovery, the extension has evolved and is now version 3.0 based on its internal version control system.”

As Volexity further revealed today, this latest campaign matches earlier Kimsuky attacks that deployed SHARPEXT in “targeted attacks on foreign policy, nuclear and other strategically interested individuals” in the United States, Europe and South Korea.

SHARPEXT workflow (image: Volexity)

Stealthy and highly effective attack

Because the email is stolen through the target’s already logged-in session, the attack is invisible to the victim’s email provider, making it extremely difficult, if not impossible, to detect.

The extension’s workflow also does not trigger any suspicious-activity alerts on the victim’s account, so the malicious activity cannot be spotted by checking the alerts on the webmail account’s status page.

North Korean threat actors can use SHARPEXT to collect a variety of information using the following commands:

- List previously collected emails from the victim, to prevent duplicate uploads. This list is continually updated as SHARPEXT runs.
- List email domains the victim has previously communicated with. This list is continually updated as SHARPEXT runs.
- Collect a blacklist of email senders to be ignored when collecting email from the victim.
- Add a domain to the list of all domains viewed by the victim.
- Upload a new attachment to the remote server.
- Upload Gmail data to the remote server.
- Comments by the attacker.
- Receive a list of stolen attachments.
- Upload AOL data to the remote server.

This is not the first time a North Korean APT group has used browser extensions to collect and steal sensitive data from compromised target systems.

As Netscout’s ASERT team reported in December 2018, Kimsuky’s spear-phishing campaign had been pushing a malicious Chrome extension in attacks targeting a large number of academic societies across multiple universities since at least May 2018.

CISA has also issued an alert focused on the group’s tactics, techniques, and procedures (TTPs), emphasizing that the group uses malicious browser extensions to steal credentials and cookies from victims’ web browsers.

