Google Chrome Extension Used To Steal Emails

A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. 

The extension, named SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target's system using a custom VBS script by replacing the 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the threat intelligence firm Volexity has disclosed. "Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system."

According to Volexity this campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT "in targeted attacks on foreign policy, nuclear and other individuals of strategic interest" in the United States, Europe, and South Korea.

Very Effective Attacks

The hackers use the target's logged-in session to steal emails, the hacker remains unseen by the victim's email provider, thus making detection particularly challenging, if not impossible. The North Korean threat actors can use SHARPEXT to collect a wide range of information using commands that collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes hacking exploits.

This is not the first time the N. Korean group has used browser extensions to harvest and exfiltrate confidential data from targets' breached systems. In 2018 researchers at NetScout identified a spear-phishing campaign orchestrated by Kimsuky pushed a malicious Chrome extension in attacks targeting a large number of academic institutions.

The Cybersecurity & Infrastructure Security Agency (CISA) has  issued an Alert focused on the group's tactics, techniques, and procedures (TTPs), highlighting the group's use of malicious browser extensions to steal credentials and cookies from victims' web browsers. “This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky, against worldwide targets, to gain intelligence on various topics of interest to the North Korean government”, says the CISA Alert. 

CISA:        Netscout:    Volexity:     Volexity:    Trendradars:     Stetson:    Masterjitips:    Bleeping Computer

 You Might Also Read: 

Google’s Emergency Update For Chrome:

 

« Mercenary Hacking Group Selling Spyware
Flunking Cyber Education »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Information Security Systems (ISSCOM)

Information Security Systems (ISSCOM)

ISSCOM provide services to help companies implement Information Security Management Systems (ISMS) by providing consultancy and hands-on assistance.

Evidian

Evidian

Evidian, a Bull Group company, is the European leader and one of the major worldwide vendors of identity and access management software.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

Nixu

Nixu

Nixu is the largest Nordic specialist company in information security consulting.

GlobalSequr

GlobalSequr

GlobalSequr is an IT security consulting firm. We have a goal of demystifying the complexity of IT security.

TÜV Informationstechnik (TÜViT)

TÜV Informationstechnik (TÜViT)

TÜViT is a leading service provider in the IT sector offering unbiased and independent tests and certifications of IT products, hardware, software, systems and processes.

Comarch

Comarch

Comarch is a provider of IT business solutions to optimize operational and business processes. Cyber security solutions are focused on Identity Management and Security Assessment services.

Echoworx

Echoworx

Echoworx primary and exclusive focus is providing organizations with secure email services.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

Foreseeti

Foreseeti

Foreseeti is Europe’s leading provider of Automated Threat Modeling and Attack Simulation solutions.

Tarian Underwriting

Tarian Underwriting

Tarian Underwriting is a specialist provider of tailored insurance solutions for cyber and technology risks.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

Document Security Systems (DSS)

Document Security Systems (DSS)

DSS anti-counterfeit, authentication, and brand protection solutions are deployed to prevent attacks which threaten products, digital presence, financial instruments, and identification.

Slice

Slice

Slice offer subscription based Cyber Insurance for small businesses.

ProLion

ProLion

ProLion provides Data Integrity solutions that ensure organisations’ data remains secure, compliant, manageable and accessible.

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) protects Singapore from external threats and safeguards its interests in areas related to terrorism, cyber security, other transnational threats, and geopolitics