SharpTongue, a North Korean state-backed threat group, has been identified as the operator of the SHARPEXT malware.
SHARPEXT is a malicious browser extension that gives the attackers access to a victim's Gmail and AOL webmail accounts.
Once installed, it lets the threat actors read and download email, including attachments, from the accounts of infected users.
Researchers at Volexity discovered the extension and were the first to analyze it in depth.
According to Ars Technica, Volexity has been tracking the malware for about a year. Volexity assesses that SharpTongue is backed by the North Korean government and that its activity overlaps with a group other researchers track as Kimsuky.
North Korea's SharpTongue Group
North Korea's SharpTongue threat group targets specific individuals in South Korea, the United States and Europe who work on topics tied to North Korea's strategic interests, its nuclear program and its weapons.
In the course of responding to multiple intrusions, Volexity found that SharpTongue deploys a malicious Google Chrome or Microsoft Edge extension it calls "SHARPEXT".
SHARPEXT differs from other extensions documented in use by the Kimsuky actor in that it does not attempt to steal usernames and passwords. Instead, it reads and exfiltrates data directly from the victim's webmail account while the victim is browsing it.
Volexity's initial analysis found that SHARPEXT supported only Google Chrome. The most recent version, 3.0 by its internal versioning, supports Chrome, Edge and Whale.
Chrome and Edge are widely known; Whale is a browser developed by Naver and used almost exclusively in South Korea.
North Korea's Customized Attacks
Because the extension runs inside a browser session where the user is already logged in, the email provider sees only ordinary authenticated requests, which makes the theft very hard to detect. The stolen email data is then sent to the attacker.
Additionally, because the extension acts within the user's own session rather than logging in separately, the theft does not show up as suspicious sign-in activity in the account's "account activity" view.
According to Volexity, before deploying SHARPEXT the attacker must first obtain the victim's original browser Secure Preferences file. The attacker modifies that file and uses the modified copy to install the malicious extension, so the rollout is tailored to each victim.
Volexity has tracked these operators for some time. In each case, a dedicated folder containing the files the extension needs is created for the infected user.
The following steps are recommended to detect and investigate attacks of this type:
Enabling PowerShell ScriptBlock logging and reviewing the resulting events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) can help detect and prioritize the malicious activity, since the extension is deployed using PowerShell.
Security teams should review the extensions installed on the devices of high-risk individuals and look for extensions that are not available on the Chrome Web Store or that were loaded from an unusual path.
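As an added example, not Volexity's tooling and not code from the original article, the script below implements the extension review recommended above by parsing a browser profile's Secure Preferences file, the same file the attackers alter to install SHARPEXT. It flags entries that were not installed from the Chrome Web Store, that were sideloaded (unpacked or loaded from the command line), or whose path points outside the profile directory. The sample JSON, extension IDs and paths are constructed for illustration; the numeric location codes are Chromium's ManifestLocation values as I recall them and should be checked against the browser build in use.

```python
from __future__ import annotations

import json
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

# Chromium's ManifestLocation enum as stored in each extension's "location"
# field. Assumed from Chromium source; verify against your browser build.
LOCATION_NAMES = {
    0: "invalid",
    1: "internal",                 # installed normally (Web Store / CRX)
    2: "external_pref",
    3: "external_registry",
    4: "unpacked",                 # "Load unpacked" in developer mode
    5: "component",                # ships with the browser
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",             # --load-extension
    9: "external_policy",
    10: "external_component",
}
# Sideloading mechanisms available to an attacker with file-system access.
SIDELOAD_LOCATIONS = {4, 8}
COMPONENT = 5

# Default "Secure Preferences" locations on Windows, relative to %LOCALAPPDATA%.
# Chrome and Edge paths are the standard ones; the Whale path is an assumption.
#   Chrome: Google\Chrome\User Data\Default\Secure Preferences
#   Edge:   Microsoft\Edge\User Data\Default\Secure Preferences
#   Whale:  Naver\Naver Whale\User Data\Default\Secure Preferences  (assumed)

# Constructed sample in the shape of Chrome's "Secure Preferences" file,
# reduced to the keys this check reads. Extension IDs and paths are invented.
SAMPLE_SECURE_PREFERENCES = r"""
{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": true,
        "location": 1,
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0",
        "state": 1
      },
      "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
        "state": 1
      },
      "cccccccccccccccccccccccccccccccc": {
        "from_webstore": false,
        "location": 5,
        "path": "",
        "state": 1
      }
    }
  }
}
"""


def is_absolute_path(path: str) -> bool:
    """True for an absolute Windows or POSIX path. Web Store installs record a
    path relative to the profile's Extensions directory, so an absolute path
    means the code lives somewhere else on disk."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(secure_prefs_json: str) -> list[dict]:
    """Return one record per installed extension, each with the list of
    reasons it looks suspicious (an empty list means nothing unusual)."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    results = []
    for ext_id, ext in settings.items():
        location = ext.get("location")
        path = ext.get("path", "")
        reasons: list[str] = []
        # Component extensions ship with the browser and are never from the
        # Web Store, so the checks below would only add noise for them.
        if location != COMPONENT:
            if not ext.get("from_webstore", False):
                reasons.append("not installed from the Chrome Web Store")
            if location in SIDELOAD_LOCATIONS:
                reasons.append(f"sideloaded ({LOCATION_NAMES.get(location, location)})")
            if is_absolute_path(path):
                reasons.append(f"loaded from a path outside the profile: {path}")
        results.append({
            "id": ext_id,
            "location": LOCATION_NAMES.get(location, f"unknown({location})"),
            "path": path,
            "reasons": reasons,
        })
    return results


def suspicious_extensions(secure_prefs_json: str) -> list[dict]:
    """Only the records that tripped at least one heuristic."""
    return [r for r in audit_extensions(secure_prefs_json) if r["reasons"]]


if __name__ == "__main__":
    # Usage: python audit_extensions.py "<profile>\Secure Preferences"
    # With no argument the constructed sample above is audited.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_SECURE_PREFERENCES
    for rec in audit_extensions(text):
        flag = "SUSPICIOUS" if rec["reasons"] else "ok"
        print(f"{flag:10} {rec['id']} location={rec['location']} path={rec['path']!r}")
        for reason in rec["reasons"]:
            print(f"           - {reason}")
```

Run it against each targeted browser's profile on a high-risk user's machine and compare the flagged IDs with the device's approved extension list. A hit on all three heuristics at once, as the second sample entry shows, is the pattern to expect from an extension installed by editing the preferences file rather than through the browser's own install flow.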