Cyber security company Volexity discovered new malware used by North Korean hackers to covertly read mail. Emails and attachments in Gmail and AOL accounts were at risk.
The program, called SHARPEXT, uses “smart” techniques to install extensions in the Chrome and Edge browsers. The email service cannot detect the extension, and because the browser session is already authenticated, even multi-factor authentication cannot prevent the data theft.
Volexity reports that the malware has been in operation for over a year. It was developed by SharpTongue, a group funded by the North Korean government. The program targeted organizations in the US, Europe and South Korea that work on nuclear weapons and other issues important to North Korea’s security.
According to the president of Volexity, the extension is installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft.”
The malware currently works only on Windows, but experts warn that the hackers could expand it to infect browsers running on Linux and iOS. To bypass the browser’s protection of its settings, the attackers must first obtain a copy of the resources.pak file, the user’s SID, and the original security settings files from the victim’s system.
After modifying the settings files, SHARPEXT automatically loads the extension. The program lets its operators maintain lists of email addresses to ignore and keep track of emails or attachments that have already been stolen. Researchers warn that the threat posed by this tool is evolving and unlikely to disappear anytime soon.
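As an added defender-side triage check (not from Volexity’s report and not SHARPEXT code), the script below parses the part of a Chromium `Preferences` file where installed extensions are recorded and flags entries that were not marked as installed from the Web Store or that load from an absolute path outside the profile. The `SAMPLE_PREFERENCES` text is constructed for this example and its extension ids are placeholders; the check does not validate the HMAC protection on the settings files, it only looks at the recorded extension entries.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample of the "extensions.settings" subtree of a Chromium
# Preferences file (Windows paths, since the described malware is Windows-only).
# The 32-character ids are placeholders, not real extension ids.
SAMPLE_PREFERENCES = r'''
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Store Extension", "permissions": ["tabs"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Updater", "permissions": ["webRequest", "<all_urls>"]}
      }
    }
  }
}
'''


def find_suspicious_extensions(prefs_text: str) -> List[Dict[str, str]]:
    """Return extension entries that look side-loaded rather than store-installed.

    Two signals are used: the entry lacks from_webstore=true, or its "path" is
    an absolute filesystem path (store installs are recorded relative to the
    profile's Extensions directory, e.g. "<id>\\<version>").
    """
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not marked from_webstore")
        path = entry.get("path", "")
        if PureWindowsPath(path).is_absolute():
            reasons.append(f"loads from absolute path {path}")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_extensions(SAMPLE_PREFERENCES):
        print(f"{finding['id']} ({finding['name']}): {finding['reasons']}")
```

On a real system, read the text from the profile’s `Preferences` file instead of the constructed sample and review every flagged entry against what the user knowingly installed.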