A North Korean-backed threat group tracked as Kimsuky is stealing emails from Google Chrome or Microsoft Edge users browsing their webmail accounts using a malicious browser extension.
The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.
After compromising a target’s system, the attackers install the malicious extension with a custom VBS script that replaces the browser’s ‘Preferences’ and ‘Secure Preferences’ files with versions downloaded from the malware’s command-and-control server.
Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension.
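Because the persistence mechanism lives in the profile’s preferences files rather than in the Web Store, a defender can audit those files directly. The following is an added example, not Volexity’s or the attackers’ code: it walks the `extensions.settings` block of a Chromium `Secure Preferences` (or `Preferences`) JSON document and flags entries that were not installed from the Web Store, carry a sideloaded `location` code, or point at an absolute on-disk path. The key names and the `Manifest::Location` numbers are the author’s understanding of the Chromium source and should be treated as assumptions; the sample profile is constructed.

```python
import ntpath
import os

# Chromium Manifest::Location values as understood from the Chromium source (assumption):
# 1 = INTERNAL (normal Web Store install in the profile), 5 = COMPONENT,
# 4 = UNPACKED (Developer-mode "Load unpacked"), 8 = COMMAND_LINE (--load-extension).
EXPECTED_LOCATIONS = {1, 5}
SIDELOAD_LOCATIONS = {4, 8}

def audit_extension_settings(prefs, allowlist=None):
    """Return one finding per entry under extensions.settings that looks sideloaded."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("not from Web Store")
        loc = entry.get("location")
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"sideloaded (location={loc})")
        elif loc not in EXPECTED_LOCATIONS:
            reasons.append(f"unexpected location={loc}")
        # Web Store installs record a path relative to the profile's Extensions folder;
        # an absolute path means the code is loaded from somewhere else on disk.
        path = entry.get("path", "")
        if os.path.isabs(path) or ntpath.isabs(path):
            reasons.append(f"absolute path {path!r}")
        if allowlist is not None and ext_id not in allowlist:
            reasons.append("not in allowlist")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return findings

# Constructed sample profile: one normal Web Store install, one sideloaded entry.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\example_ext"},
}}}

if __name__ == "__main__":
    for finding in audit_extension_settings(SAMPLE_PREFS):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

To run it against a real profile, load the file with `json.load()` and pass the resulting dict, optionally with an allowlist of the extension IDs your organisation expects.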
“The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity said Thursday.
“Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system.”
As Volexity further revealed today, this latest campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT “in targeted attacks on foreign policy, nuclear and other individuals of strategic interest.”
Stealthy and highly effective attacks
Because the extension steals emails through the target’s already-logged-in session, the activity is invisible to the victim’s email provider, which makes detection very challenging if not impossible.
Also, the extension’s workflow will not trigger any suspicious activity alerts on the victims’ accounts, which ensures that the malicious activity will not be discovered by checking the webmail account’s status page for alerts.
The North Korean threat actors can use SHARPEXT to collect a wide range of information using commands that:
List previously collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes.
List email domains with which the victim has previously communicated. This list is continuously updated as SHARPEXT executes.
Collect a blacklist of email senders that should be ignored when collecting emails from the victim.
Add a domain to the list of all domains viewed by the victim.
Upload a new attachment to the remote server.
Upload Gmail data to the remote server.
Commented out by the attacker; receives a list of attachments to be exfiltrated.
Upload AOL data to the remote server.
This is not the first time the North Korean APT group has used browser extensions to harvest and exfiltrate confidential data from targets’ breached systems.
As Netscout’s ASERT Team said in December 2018, a spear-phishing campaign orchestrated by Kimsuky had been pushing a malicious Chrome extension since at least May 2018 in attacks targeting a large number of academic entities across multiple universities.
CISA has also issued an alert focused on the group’s tactics, techniques, and procedures (TTPs), highlighting the group’s use of malicious browser extensions to steal credentials and cookies from victims’ web browsers.