A North Korea-linked threat actor has been seen using a malicious extension on Chromium-based web browsers to spy on victims’ Gmail and AOL email accounts.
The threat actor, dubbed SharpTongue, has operations that largely overlap with those of the Kimsuky APT group. The threat actors used a malicious Google Chrome or Microsoft Edge extension tracked as “SHARPEXT”.
SHARPEXT does not try to steal usernames and passwords; instead, it accesses the victim’s webmail account as they browse it. The current version of the extension supports three web browsers and is able to steal the content of e-mails from both Gmail and AOL webmail.
The attack chain begins with the attackers manually exfiltrating the files required to install the extension from the infected workstation. Once a target Windows system is breached, the attackers replace the browser’s Preferences and Secure Preferences files.
The attackers then manually install SHARPEXT using a VBS script. They enable the DevTools panel within the active tab to spy on the email content and steal attachments from the victim’s mailbox; this is done using a PowerShell script named dev.ps1. The attackers also hide the warning messages that the browser shows when developer-mode extensions are running.
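A defender-side check that follows from this attack chain, added here as an example (it is not Volexity’s tooling and not part of the report): the script parses a fragment shaped like Chromium’s Preferences / Secure Preferences JSON and flags developer mode and any extension not installed from the Web Store. The JSON fragment is constructed, and the ManifestLocation value 4 = unpacked is assumed from Chromium’s enum.

```python
import json

# Chromium's ManifestLocation enum (assumed value): 4 = UNPACKED, i.e. loaded
# from a plain directory with developer mode rather than from a signed CRX.
UNPACKED = 4

# Constructed fragment shaped like Chromium's Preferences / Secure Preferences JSON.
# Ids, names and paths are made up for illustration, not indicators from the report.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Legit Store Extension"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\EXAMPLE_DIR",
                "manifest": {"name": "Example Unpacked Extension"},
            },
        },
    }
})

def audit_prefs(prefs_text):
    """Return findings for developer mode and for extensions not installed from the Web Store."""
    prefs = json.loads(prefs_text)
    ext = prefs.get("extensions", {})
    findings = []
    if ext.get("ui", {}).get("developer_mode"):
        findings.append("developer_mode is enabled")
    for ext_id, s in ext.get("settings", {}).items():
        name = s.get("manifest", {}).get("name", "<unknown>")
        reasons = []
        if not s.get("from_webstore", False):
            reasons.append("not from webstore")
        if s.get("location") == UNPACKED:
            reasons.append("unpacked (loaded from a directory)")
        path = s.get("path", "")
        # Web Store installs use a path relative to the profile's Extensions folder;
        # an absolute path points at a directory that was sideloaded.
        if ":\\" in path or path.startswith("/"):
            reasons.append("absolute path " + path)
        if reasons:
            findings.append(f"{ext_id} ({name}): " + "; ".join(reasons))
    return findings
```

On a live Windows host the same function can be pointed at the profile’s real file, for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences`; since the report says the attackers replace these files outright, a change in the file’s modification time or hash is itself worth alerting on.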
When SHARPEXT was first seen, it appeared to be a tool in early development containing numerous bugs, an indication that the tool was immature. The latest updates and ongoing maintenance demonstrate that the attacker is achieving its goals and finds value in continuing to refine it.
This is the first time the threat actor has used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user’s already-logged-in session makes this attack stealthy and hard for the email provider to detect.
This research was done and documented by Volexity’s threat intelligence team.
Indicators Of Compromise