North Korean hackers use browser extensions to spy on Gmail and AOL accounts

Cybersecurity firm Volexity has observed new activity from a threat actor (TA) allegedly linked to North Korea deploying malicious extensions on Chromium-based browsers.

A recent advisory from security researchers called this new TA SharpTongue, despite it being publicly listed under the name Kimsuky.

Volexity said it frequently observes SharpTongue targeting individuals working for organizations in the US, Europe and South Korea.

In particular, the TA reportedly targets individuals and companies working on topics related to North Korea, nuclear issues, weapons systems and other matters of strategic interest to North Korea.

The new advisory also explains that, while SharpTongue's toolset is well documented in public sources, in September 2021 Volexity began tracking a family of undocumented malware used by SharpTongue dubbed "SHARPEXT."

"SHARPEXT differs from the previously documented extension used by the 'Kimsuky' actor in that it does not try to steal usernames and passwords," the advisory explains.

"Rather, the malware directly inspects and exfiltrates data from a victim's webmail account as they browse it."

Since its discovery, Volexity says the extension has evolved and is currently at version 3.0, based on its internal versioning system.

In fact, the first version of SHARPEXT researched by Volexity only supported Google Chrome, while the latest version supports Chrome, Edge and Whale (a Chromium-based browser used almost exclusively in South Korea).

As far as deployment tactics are concerned, attackers first manually exfiltrate the files needed to install the extension from the infected workstation. SHARPEXT is then installed manually by an attacker-written VBS script.

And while the use of malicious browser extensions by North Korean threat actors is nothing new, this is the first time Volexity has observed malicious browser extensions being used as part of the post-exploitation phase of a compromise.

"By stealing email data in the context of a user's already logged-in session, the attack is hidden from the email provider, making detection very challenging," the security researchers explained.

To detect and investigate attacks, Volexity recommended enabling and analyzing the results of PowerShell ScriptBlock logging, together with periodic review of the extensions installed on the devices of compromised users.
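As an added illustration of that periodic extension review (example code written for this page, not Volexity's tooling or anything from the advisory), the script below parses the `extensions.settings` subtree of a Chromium profile's Secure Preferences/Preferences JSON and reports enabled extensions that were not installed from the Web Store or were loaded unpacked from a directory, noting whether their permissions reach Gmail or AOL webmail. The key names, the location code 4 for "unpacked" and state 1 for "enabled" are assumptions drawn from the Chromium preference format, and the input is a constructed sample, not real data.

```python
import json
from urllib.parse import urlparse

# Assumed Chromium ManifestLocation value: 4 = UNPACKED (loaded from a folder
# rather than installed through the Web Store). State 1 = enabled.
UNPACKED = 4
ENABLED = 1
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")

# Constructed sample of the "extensions.settings" subtree found in a Chromium
# profile's "Secure Preferences" (Windows) or "Preferences" file. Not a capture.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1, "state": 1,
            "manifest": {"name": "Store Installed Blocker",
                         "permissions": ["webRequest", "<all_urls>"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Sideloaded Helper",
                         "permissions": ["tabs", "https://mail.google.com/*",
                                         "https://mail.aol.com/*"]}},
    }}
})

def _host(pattern):
    """Host part of a match pattern such as https://mail.google.com/*, else ''."""
    return urlparse(pattern).hostname or ""

def review_extensions(prefs_json):
    """Return [(extension_id, name, reasons)] for enabled, sideloaded extensions."""
    prefs = json.loads(prefs_json)
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if entry.get("state") != ENABLED:
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked from %s" % entry.get("path", "?"))
        if not reasons:          # Web Store install, nothing to flag here
            continue
        manifest = entry.get("manifest", {})
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        mail = sorted({_host(p) for p in perms if _host(p) in WEBMAIL_HOSTS})
        if "<all_urls>" in perms or mail:
            reasons.append("can read webmail: %s" % (", ".join(mail) or "<all_urls>"))
        findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings
```

Run it against the profile's preference file on a schedule and ticket anything it returns; a sideloaded extension with webmail host permissions is exactly the shape of install the advisory describes.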

Possible mitigation strategies include using YARA-specific rules to identify related activity and blocking the indicators of compromise (IoCs) listed here.
