North Korean-linked Gmail spyware ‘Sharpext’ harvesting sensitive e-mail content

The insidious software exfiltrates all mail and attachments, researchers warn, putting sensitive documents at risk

4 August 2022

A malicious browser extension linked to North Korea has been operating undetected to steal data from Gmail and AOL sessions.

The extension, dubbed ‘Sharpext’ by researchers, monitors webpages to automatically parse any and all emails and attachments from victims’ mailboxes.

It poses a particularly serious threat to machines used by organisations for business operations, as all sensitive information sent via e-mail has the potential to be stolen. Targets have so far been identified within the US, EU and South Korea.




Cyber security firm Volexity revealed the spyware’s existence in a blog post and linked it to a threat actor that Volexity tracks as SharpTongue, known publicly as Kimsuky. This entity is believed to be North Korean in origin, and the researchers have tied SharpTongue to attacks on targets linked to national security.

ArsTechnica reports Volexity president Steven Adair as stating that Sharpext is installed through “spear phishing and social engineering where the victim is fooled into opening a malicious document”. Phishing is a common vector used to deliver malicious programmes, such as LockBit 2.0, which has been distributed by e-mail disguised as PDFs.

To lay the groundwork for the extension, the threat actor manually exfiltrates files such as the user’s preferences and secure preferences. These are changed to include exceptions for the malicious extension and then downloaded back onto the infected machine through the malware’s command and control (C2) infrastructure.

Once the original files have been switched for these copies, Sharpext is loaded directly from the victim’s appdata folder. When active, the extension executes code directly from the C2 server, which prevents antivirus software from discovering malicious code within the extension itself.

Additionally, running code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension onto infected systems. Indeed, the extension is currently in its third iteration, with previous versions more limited in their browser and mail client compatibility.

At present, Sharpext supports Google Chrome and Microsoft Edge, as well as a browser called Whale that’s reasonably popular in South Korea but not in other countries.

The extension only activates when a Chromium browser is running, and utilises listeners to monitor activity to ensure that only e-mail data is stolen. Global variables track the e-mails, e-mail addresses and attachments that have already been exfiltrated, so as to prevent unnecessary duplication of data.

In addition to its exfiltration functions, the extension deploys a PowerShell script that constantly checks for compatible browser processes and, if one is found, runs a keystroke script that opens the DevTools panel.

Simultaneously, another script works to hide the DevTools window, and anything that could make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.

Volexity has advised security teams within organisations to review extensions regularly, especially those installed on machines connected to highly-sensitive information.
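One way to carry out that review, as an added example that is not from the article or from Volexity: the script below reads a Chromium profile's `Preferences` and `Secure Preferences` files and flags extensions that were loaded unpacked or from a path outside the profile's extension store. The `extensions.settings` layout and the install-location codes are assumptions about Chromium's profile format, and the function names and sample data are constructed for illustration.

```python
import json
import ntpath
import posixpath
from pathlib import Path

# Assumption: codes from Chromium's extension install-location enum.
SIDELOAD = {4: "unpacked", 8: "command-line"}
# Constructed sample: one store install, one unpacked load from AppData.
SAMPLE = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "path": "a" * 32 + "\\1.0.0_0",
               "manifest": {"name": "Store Extension"}},
    "b" * 32: {"location": 4,
               "path": "C:\\Users\\user\\AppData\\Roaming\\example",
               "manifest": {"name": "Unpacked Extension"}},
}}}


def audit_prefs(prefs):
    """Return one finding per extension that was not a normal store install."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        path = str(entry.get("path", ""))
        reasons = []
        if entry.get("location") in SIDELOAD:
            reasons.append("location=" + SIDELOAD[entry["location"]])
        # Store installs record a path relative to the profile's Extensions
        # directory; an absolute path means the code lives elsewhere on disk.
        if ntpath.isabs(path) or posixpath.isabs(path):
            reasons.append("absolute-path")
        if reasons:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            findings.append({"id": ext_id, "name": name,
                             "path": path, "reasons": reasons})
    return findings


def audit_profile(profile_dir):
    """Audit both preference files found in one browser profile directory."""
    results = {}
    for fname in ("Preferences", "Secure Preferences"):
        f = Path(profile_dir) / fname
        if f.is_file():
            try:
                results[fname] = audit_prefs(json.loads(f.read_text(encoding="utf-8")))
            except (OSError, ValueError, AttributeError) as exc:
                results[fname] = [{"error": str(exc)}]  # unparsable file needs review
    return results
```

Legitimate developer installs will also be flagged, so findings are a list to triage against what each user is expected to have installed.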

© Dennis Publishing
