Researchers have discovered never-before-seen malware that North Korean hackers are using to surreptitiously read and download emails and attachments from infected users’ Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever ways to install a browser extension for Chrome and Edge browsers, Volexity reported in a blog post. The extension cannot be detected by email services, and since the browser has already been authenticated using whatever multi-factor authentication protections are in place, this increasingly popular security measure plays no role in reining in the account compromise.
The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks under the name SharpTongue. The group is sponsored by the government of North Korea and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT targets organizations in the United States, Europe, and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.
Volexity president Steven Adair said in an email that the extension was installed “through spear phishing and social engineering where the victim is tricked into opening a malicious document. Previously, we’ve seen DPRK threat actors launch spear phishing attacks where the goal was to trick the victim into installing a browser extension rather than a post-exploitation mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it can’t be extended to also infect browsers running macOS or Linux.
The blog post adds: “Volexity’s own visibility shows that the extension was quite successful, as logs obtained by Volexity show that the attacker managed to steal thousands of emails from multiple victims through the deployment of the malware.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. SHARPEXT developers clearly paid attention to research like what is published here, here and here, which shows how a security mechanism in the Chromium browser engine prevents malware from changing sensitive user settings. Every time a legitimate change is made, the browser takes a cryptographic hash of some of the code. On startup, the browser checks the hashes, and if any of them don’t match, the browser requests that the old settings be restored.
For attackers to bypass this protection, they must first extract the following items from the computer they are compromising:
- A copy of the browser’s resources.pak file (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The user’s original system preferences and secure preferences files
After modifying the preference files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.
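A defender-side check for the files this procedure tampers with, added here and not Volexity's or Chromium's code: it reads a Chromium Secure Preferences file and lists extensions that were not installed from the Web Store, noting whether each entry still carries an integrity MAC. Field names follow Chromium's preference layout; the sample file, extension ids, paths and MAC values are constructed placeholders.

```python
"""Triage a Chromium 'Secure Preferences' file for side-loaded extensions.
Added example, not Volexity's or Chromium's code. Field names follow
Chromium's preference layout (extensions.settings.<id> with location,
from_webstore, path; protection.macs mirrors the pref tree). SAMPLE_PREFS,
its extension ids, paths and MACs are constructed placeholders.
"""
import json

UNPACKED = 4  # Manifest::Location value for an extension loaded from a folder

def find_sideloaded(secure_prefs: dict):
    """Return one finding per extension that did not come from the Web Store."""
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    macs = (secure_prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = []
    for ext_id, info in settings.items():
        unpacked = info.get("location") == UNPACKED
        if not unpacked and info.get("from_webstore", False):
            continue  # store-installed and packed: out of scope here
        findings.append({
            "id": ext_id,
            "path": info.get("path", ""),
            "unpacked": unpacked,
            # Chromium resets entries whose MAC fails. An unpacked entry that
            # still carries one was either loaded by the user in developer mode
            # or written by something able to compute the seed-keyed HMAC.
            "has_mac": ext_id in macs,
        })
    return findings

def triage_file(path: str):
    """Load a Secure Preferences file from disk and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return find_sideloaded(json.load(fh))

SAMPLE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "location": 1, "from_webstore": True, "path": "PLACEHOLDER\\1.0_0"},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "location": UNPACKED, "from_webstore": False,
            "path": "C:\\Users\\PLACEHOLDER\\AppData\\Local\\Temp\\ext"},
    }},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "PLACEHOLDER_MAC",
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "PLACEHOLDER_MAC",
    }}}, "super_mac": "PLACEHOLDER_MAC"},
}
```

An unpacked entry pointing at a temp or user-writable folder that still has a valid MAC is the shape worth investigating; a legitimately developer-loaded extension looks the same, so the path and the user's own account of it decide.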
“The script runs in an infinite loop checking processes associated with targeted browsers,” Volexity explained. “If any targeted browsers are found running, the script checks the tab title for a specific keyword (e.g. ‘05101190’ or ‘Tab+’ depending on SHARPEXT version). The specific keyword is inserted into the title by the malware extension when an active tab changes or when a page is loaded.”
The post continued:
The keystrokes sent are equivalent to Control+Shift+J, the shortcut to activate the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is activated on the active tab, but the window is hidden.
Additionally, this script is used to hide all windows that might alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it using the command
Once installed, the extension can perform the following requests:
| HTTP POST data | Description |
| --- | --- |
| mode=list | List emails previously collected from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT runs. |
| mode=domain | List the email domains with which the victim has already communicated. This list is continuously updated as SHARPEXT runs. |
| mode=black | Collect a blacklist of email senders who should be ignored while collecting victim emails. |
| mode=newD&d=[data] | Add a domain to the list of all domains viewed by the victim. |
| mode=attach&name=[data]&idx=[data]&body=[data] | Upload a new attachment to the remote server. |
| mode=new&mid=[data]&mbody=[data] | Upload Gmail data to the remote server. |
| mode=attlist | Commented out by the attacker; receive a list of attachments to exfiltrate. |
| mode=new_aol&mid=[data]&mbody=[data] | Upload AOL data to the remote server. |
SHARPEXT allows hackers to create ignore lists of email addresses and keep track of emails or attachments that have already been stolen.
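The request table gives a detection grammar: each command is a POST body whose `mode` value fixes which other parameters must be present. The following is an added triage example, not Volexity's tooling; it checks proxy-log POST bodies against that grammar. The one-line log layout and the sample lines are constructed.

```python
"""Flag proxy-log POST bodies that match the SHARPEXT request grammar.
Added triage example, not Volexity's tooling. Log layout (one line per
request: "timestamp client method url body") and the sample lines are
constructed; the mode names and parameters come from the request table.
"""
from urllib.parse import parse_qs

# mode value -> parameters that must travel with it, per the request table
SHARPEXT_MODES = {
    "list": set(), "domain": set(), "black": set(), "attlist": set(),
    "newD": {"d"},
    "attach": {"name", "idx", "body"},
    "new": {"mid", "mbody"},
    "new_aol": {"mid", "mbody"},
}
# Modes that carry stolen mail; a bare "mode=list" is a weak signal on its own
EXFIL_MODES = {"attach", "new", "new_aol"}

def classify_body(body: str):
    """Return the SHARPEXT mode a POST body matches, or None."""
    params = parse_qs(body, keep_blank_values=True)
    mode = params.get("mode")
    if not mode or len(mode) != 1:
        return None
    required = SHARPEXT_MODES.get(mode[0])
    if required is None or not required.issubset(params):
        return None
    return mode[0]

def scan_log(lines):
    """Return (client, url, mode, is_exfil) for every matching POST line."""
    hits = []
    for line in lines:
        parts = line.strip().split(" ", 4)
        if len(parts) != 5 or parts[2] != "POST":
            continue
        mode = classify_body(parts[4])
        if mode is not None:
            hits.append((parts[1], parts[3], mode, mode in EXFIL_MODES))
    return hits

# Constructed sample: two SHARPEXT-shaped requests and two unrelated POSTs
SAMPLE_LOG = [
    "2022-07-28T09:01:02Z 10.0.0.15 POST http://c2.example/u.php mode=list",
    "2022-07-28T09:01:09Z 10.0.0.15 POST http://c2.example/u.php mode=new&mid=17e1&mbody=SGVsbG8",
    "2022-07-28T09:02:00Z 10.0.0.22 POST http://intranet.example/login user=bob&pass=x",
    "2022-07-28T09:02:30Z 10.0.0.22 POST http://app.example/api mode=dark&theme=1",
]
```

A single client alternating between the bookkeeping modes (list, domain, black) and the upload modes (new, attach, new_aol) against one URL is the pattern to alert on; an isolated `mode=list` from a web application is common and should not page anyone.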
Volexity created the following summary of the orchestration of the various SHARPEXT components it analyzed:
The blog post provides images, filenames, and other indicators that trained individuals can use to determine if they have been targeted or infected with this malware. The company has warned that the threat it poses has grown over time and isn’t expected to go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool with numerous bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance demonstrate that the attacker is achieving its goals, finding value by continuing to refine it.”