North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts


Cybersecurity firm Volexity has spotted new activity from a threat actor (TA) allegedly associated with North Korea that deploys malicious extensions on Chromium-based web browsers.

In a recent advisory, the security researchers track this TA under the name SharpTongue, although it is publicly referred to as Kimsuky.

Volexity said it frequently observed SharpTongue targeting individuals working for organizations in the US, Europe and South Korea.

In particular, the TA reportedly targets individuals and companies working on topics involving North Korea, nuclear issues, weapons systems and other matters of strategic interest to North Korea.

The advisory also notes that, while SharpTongue's toolset is well documented in public sources, in September 2021 Volexity began observing a previously undocumented malware family used by SharpTongue, dubbed “SHARPEXT”.

“SHARPEXT differs from previously documented extensions used by the "Kimsuky" actor, in that it does not try to steal usernames and passwords,” explains the advisory.

“Rather, the malware directly inspects and exfiltrates data from a victim's webmail account as they browse it.”

Since its discovery, Volexity says the extension has evolved and is currently at version 3.0, according to its internal versioning.

The first versions of SHARPEXT investigated by Volexity only supported Google Chrome, while the latest version supports Chrome, Edge and Whale (a Chromium-based browser used almost exclusively in South Korea).

As for deployment, attackers first manually exfiltrate from the infected workstation the files required to install the extension; SHARPEXT is then installed manually via an attacker-written VBS script.

While the use of malicious browser extensions by North Korean threat actors is not new, this is the first time Volexity has observed malicious browser extensions used in the post-exploitation phase of a compromise.

“By stealing email data in the context of a user's already-logged-in session, the attack is hidden from the email provider, making detection very challenging,” the security researchers explained.

To detect and investigate attacks, Volexity recommended enabling and analyzing the results of PowerShell ScriptBlock logging and periodically reviewing installed extensions on machines of high-risk users.
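To support the periodic extension review Volexity recommends, the following PowerShell inventory script is an added example (not code from the advisory or from Volexity): it lists the extensions registered in Chrome, Edge and Whale profiles for the current Windows user and flags those that were not installed from the web store. The Whale profile path and the `extensions.settings` layout of the Chromium `Secure Preferences` file are assumptions.

```powershell
# Inventory Chromium extensions for Chrome, Edge and Whale profiles of the current
# user and flag entries that did not come from the web store. Assumptions: the
# profile paths below (the Whale path is assumed) and that the Chromium
# "Secure Preferences"/"Preferences" JSON carries extensions.settings.<id> objects
# with from_webstore, path and manifest fields, as current Chromium builds do.
$browsers = [ordered]@{
    'Chrome' = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    'Edge'   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    'Whale'  = "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"   # assumed location
}

function Get-ChromiumExtensionInventory {
    foreach ($name in $browsers.Keys) {
        $userData = $browsers[$name]
        if (-not (Test-Path -LiteralPath $userData)) { continue }
        # The "Default" profile plus any additional "Profile N" directories.
        $profiles = Get-ChildItem -LiteralPath $userData -Directory |
            Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
        foreach ($profile in $profiles) {
            # Prefer Secure Preferences; fall back to Preferences if it is absent.
            $prefPath = @('Secure Preferences', 'Preferences') |
                ForEach-Object { Join-Path $profile.FullName $_ } |
                Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            if (-not $prefPath) { continue }
            $prefs = Get-Content -Raw -LiteralPath $prefPath | ConvertFrom-Json
            $settings = $prefs.extensions.settings
            if (-not $settings) { continue }
            foreach ($prop in $settings.PSObject.Properties) {
                $ext = $prop.Value
                [pscustomobject]@{
                    Browser    = $name
                    Profile    = $profile.Name
                    Id         = $prop.Name
                    Name       = $ext.manifest.name
                    Version    = $ext.manifest.version
                    Path       = $ext.path
                    FromStore  = [bool]$ext.from_webstore
                    # Store installs use a relative "<id>\<version>" path; an absolute
                    # path means the extension was loaded from disk (side-loaded).
                    SideLoaded = [bool]($ext.path -and [System.IO.Path]::IsPathRooted($ext.path))
                }
            }
        }
    }
}

# Report only extensions that did not come from the web store or were side-loaded.
Get-ChromiumExtensionInventory |
    Where-Object { -not $_.FromStore -or $_.SideLoaded } |
    Format-Table Browser, Profile, Id, Name, Version, Path -AutoSize
```

Run it periodically (for example as a scheduled task) on the machines of high-risk users and compare the output against the previous run; a newly appearing non-store or side-loaded entry is what warrants investigation.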

Possible mitigation strategies include using specific YARA rules to detect related activity and blocking the indicators of compromise (IoCs) listed in the advisory.

Responding to the report, a Google spokesperson commented: “The extension in question is not in the Chrome store, and this report does not identify an exploit in Gmail. It speaks to a scenario where a system needs to already be compromised – by spear phishing or social engineering – in order for the malicious extension to be deployed. Enabling anti-malware services and using security hardened operating systems like ChromeOS are best practices to prevent this and similar types of attacks.”
