Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that’s capable of stealing email content from Gmail and AOL.

Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky.

SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea,” researchers Paul Rascagneres and Thomas Lancaster said.

Kimsuky‘s use of rogue extensions in attacks is not new. In 2018, the actor was seen utilizing a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.

But the latest espionage effort is different in that it employs the extension, named Sharpext, to plunder email data. “The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” the researchers noted.

Targeted browsers include Google Chrome, Microsoft Edge, and Naver’s Whale browsers, with the mail-theft malware designed to harvest information from Gmail and AOL sessions.

Installation of the add-on is accomplished by means of replacing the browser’s Preferences and Secure Preferences files with those received from a remote server following a successful breach of a target Windows system.

This step is succeeded by enabling the DevTools panel within the active tab to steal email and attachments from a user’s mailbox, while simultaneously taking steps to hide any warning messages about running developer mode extensions.

Volexity characterized the campaign as “quite successful,” citing the attacker’s ability to “steal thousands of emails from multiple victims through the malware’s deployment.”

“This is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise,” the researchers said. “By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging.”

The findings arrive several months after the Kimsuky actor was connected to intrusions against political institutions located in Russia and South Korea to deliver an updated version of a remote access trojan known as Konni.

Then last week, cybersecurity firm Securonix took the wraps off an ongoing set of attacks exploiting high-value targets, including the Czech Republic, Poland, and other countries, as part of a campaign codenamed STIFF#BIZON to distribute the Konni malware.

While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, evidence gathered pertaining to the attack infrastructure suggests the involvement of the Russia-aligned APT28 (aka Fancy Bear or Sofacy) actor.

“In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28,” the researchers said, adding it could be a case of one group masquerading as another in order to confuse attribution and escape detection.

Found this article interesting? Follow THN on Facebook, Twitter ď‚™ and LinkedIn to read more exclusive content we post.

Related News

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

German politicians and political parties have been using data about Facebook users’ political preferences to deliver microtargeted advertisements, a watchdog…
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network…
The Board of Directors Will See You Now

The Board of Directors Will See You Now

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common…