Researchers unearthed never-before-seen malware that North Korean hackers used to secretly read and download emails and attachments from infected users’ Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension cannot be detected by email services, and because the browser session has already been authenticated, including through any multi-factor authentication in place, this increasingly popular security measure plays no role in curbing account compromise.
The malware has been in use for “well over a year,” Volexity said, and it’s the work of a group of hackers that the company tracks as SharpTongue. The group is sponsored by the North Korean government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT targets organizations in the United States, Europe, and South Korea that work on nuclear weapons and other issues that North Korea believes are important to its national security.
Volexity President Steven Adair said in an email that the extension is installed “through spear phishing and social engineering in which the victim is tricked into opening a malicious document. We have previously seen threat actors from the DPRK launch spear phishing attacks where the whole goal was to get the victim to install a browser extension rather than being a post-exploitation mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it can’t be extended to infect browsers running on macOS or Linux as well.
The blog post added: “Volexity’s visibility shows that the extension has been quite successful, as records obtained by Volexity show that the attacker was able to successfully steal thousands of emails from multiple victims through the implementation of malware.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. The SHARPEXT developers have clearly paid attention to research such as what’s posted here, here and here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Whenever a legitimate change is made, the browser computes a keyed cryptographic hash (HMAC) of the protected settings. At startup, the browser recomputes and checks the hashes and, if any of them do not match, restores the old settings.
To bypass this protection, attackers must first extract the following from the computer they are compromising:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The original Preferences and Secure Preferences files from the user’s system
After editing the preferences files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows custom code to run in the browser.
“The script runs in an infinite loop checking the processes associated with the target browsers,” Volexity explained. “If a targeted browser is detected running, the script checks the tab title for a specific keyword (e.g. ‘05101190’ or ‘Tab +’ depending on the SHARPEXT version). The specific keyword is inserted in the title by the malicious extension when an active tab changes or when a page is loaded.”
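For defenders, an added triage script (not Volexity’s tooling) that parses a copy of a Chromium profile’s Secure Preferences file and flags extensions that were loaded unpacked in developer mode rather than installed from the Web Store, which is the installation path described above. It assumes Chromium’s `extensions.settings.<id>` layout with `state`, `location`, `path`, `from_webstore` and `manifest` keys, and that `location` value 4 is Chromium’s `kUnpacked`; the sample profile in the block is constructed.

```python
"""Flag sideloaded (unpacked) extensions in a Chromium 'Secure Preferences' file.
Added triage example, not Volexity's tooling; assumes Chromium's layout
extensions.settings.<id> -> {state, location, path, from_webstore, manifest},
where location 4 is ManifestLocation::kUnpacked (developer-mode load)."""
import json
from pathlib import PurePosixPath, PureWindowsPath
from typing import Any

UNPACKED = 4  # ManifestLocation::kUnpacked
ENABLED = 1   # extensions.settings.<id>.state of an enabled extension

def _is_absolute(path: str) -> bool:
    # Store-installed extensions record a path relative to the profile's
    # Extensions dir ("<id>/1.2.3_0"); unpacked ones record an absolute path.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()

def suspicious_extensions(secure_prefs: dict[str, Any]) -> list[dict[str, Any]]:
    """Return enabled extensions that did not come from the Chrome Web Store."""
    findings = []
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if entry.get("state", ENABLED) != ENABLED:
            continue  # disabled extensions are lower priority for triage
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        if entry.get("from_webstore") is False:
            reasons.append("not from the Chrome Web Store")
        path = entry.get("path", "")
        if path and _is_absolute(path):
            reasons.append(f"absolute install path: {path}")
        if reasons:
            name = entry.get("manifest", {}).get("name", "<no manifest>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings

def triage_file(prefs_path: str) -> list[dict[str, Any]]:
    """Triage a Secure Preferences file read from disk."""
    with open(prefs_path, encoding="utf-8") as fh:
        return suspicious_extensions(json.load(fh))

# Constructed sample profile: one store extension, one sideloaded extension.
SAMPLE_SECURE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"state": 1, "location": 1, "from_webstore": True,
               "path": "a" * 32 + "/1.2.3_0", "manifest": {"name": "Store Extension"}},
    "b" * 32: {"state": 1, "location": 4, "from_webstore": False,
               "path": r"C:\Users\victim\AppData\Roaming\ext", "manifest": {"name": "Sideloaded"}},
}}}
```

Run `triage_file()` against a copy of the profile’s Secure Preferences file taken while the browser is closed; a hit is a lead for review, not proof of compromise, since a developer’s own unpacked extension looks the same.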
The post continued:
The keystrokes sent are equivalent to Control+Shift+J, the link to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. After this process is complete, DevTools is enabled in the active tab, but the window is hidden.
Also, this script is used to hide any windows that might alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it using the
Once installed, the extension can perform the following requests:
| HTTP POST data | Description |
| --- | --- |
| `mode=list` | List previously collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated while SHARPEXT is running. |
| `mode=domain` | List the email domains the victim previously communicated with. This list is continuously updated while SHARPEXT is running. |
| `mode=black` | Collect a blacklist of email senders that should be ignored while collecting emails from the victim. |
| `mode=newD&d=[data]` | Add a domain to the list of all domains displayed by the victim. |
| `mode=attach&name=[data]&idx=[data]&body=[data]` | Upload a new attachment to the remote server. |
| `mode=new&medium=[data]&mbody=[data]` | Upload the victim’s Gmail data to the remote server. |
| `mode=list of att` | Commented out by the attacker; receive a list of attachments to exfiltrate. |
| `mode=new_aol&mid=[data]&mbody=[data]` | Upload the victim’s AOL data to the remote server. |
SHARPEXT allows hackers to create ignore email address lists and track emails or attachments that have already been stolen.
Volexity created the following orchestration summary of the various SHARPEXT components analyzed:
The blog post provides images, filenames, and other indicators that trained people can use to determine if they have been targeted or infected with this malware. The company has warned that the threat it poses has grown over time and is not likely to go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool containing numerous bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the striker is achieving his goals, finding value in continuing to refine him.”