Researchers have discovered never-before-seen malware that North Korean hackers used to secretly read and download emails and attachments from infected users’ Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension cannot be detected by email services, and because the browser has already been authenticated, including past any multi-factor authentication protections, this increasingly popular security measure plays no role in limiting the account compromise.
The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by the North Korean government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT targets organizations in the US, Europe and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.
Volexity President Stephen Adair said in an email that the extension is installed “through phishing and social engineering, where the victim is tricked into opening a malicious document. We’ve previously seen threats from North Korea launch phishing attacks that aim to get the victim to install a browser extension instead of being a post-exploit mechanism for persistence and data theft.” In its current incarnation, the malware only runs on Windows, but Adair said there’s no reason it couldn’t be extended to also infect browsers running on macOS or Linux.
The blog post added: “Volexity’s own visibility indicates that the extension was quite successful, as the logs obtained by Volexity show that the attacker was able to successfully steal thousands of emails from multiple victims through the malware deployment.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. The developers of SHARPEXT have clearly paid attention to research like what is published here, here, and here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Whenever a legitimate change is made, the browser takes a cryptographic hash of the affected settings. At startup, the browser checks the hashes, and if any of them don’t match, it offers to restore the old settings.
In order for attackers to bypass this protection, they must first extract the following from the computer they are compromising:
- A copy of the browser’s resources.pak file (which contains the HMAC seed code used by Chrome)
- The user’s S-ID value
- The original preference files and security preferences from the user’s system
Once the preference files have been modified, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.
“The script runs in an infinite loop, checking for processes associated with the target browsers,” explained Volexity. “If working target browsers are found, the script checks the tab title for a specific keyword (e.g., ‘05101190’ or ‘Tab+’, depending on the SHARPEXT version). The specific keyword is inserted into the title by a malicious extension when an active tab is changed or when a page is loaded.”
The post continues:
The keystrokes sent are equivalent to Control+Shift+J, the shortcut to activate the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled in the active tab, but the window is hidden.
In addition, this script is used to hide any windows that could alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it using the
Once installed, the extension can perform the following requests:
| HTTP POST data | Description |
|---|---|
| mode=list | List previously collected emails from the victim to ensure no duplicates are uploaded. This list is continuously updated while SHARPEXT is running. |
| mode=domain | List the email domains the victim has previously communicated with. This list is continuously updated while SHARPEXT is running. |
| mode=black | Compile a blacklist of email senders to be ignored when collecting email from the victim. |
| mode=newD&d=[data] | Add a domain to the list of all domains viewed by the victim. |
| mode=attach&name=[data]&idx=[data]&body=[data] | Upload a new attachment to the remote server. |
| mode=new&mid=[data]&mbody=[data] | Upload data from Gmail to the remote server. |
| mode=attlist | Commented out by the attacker; retrieves a list of attachments to be exfiltrated. |
| mode=new_aol&mid=[data]&mbody=[data] | Upload AOL data to the remote server. |
SHARPEXT allows hackers to create lists of email addresses to ignore and monitor emails or attachments that have already been stolen.
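The request table above is directly usable for network detection: each C2 message is a form-encoded POST whose `mode` value and accompanying parameters are fixed. The following is an added example, not Volexity’s code, that classifies POST bodies against those shapes and scans a few proxy log lines; the log format, client addresses and destination hosts are constructed for illustration.

```python
from urllib.parse import parse_qs

# SHARPEXT C2 modes and the parameters each one carries (from the
# request table above). Added example, not Volexity's code.
SHARPEXT_MODES = {
    "list": set(), "domain": set(), "black": set(), "attlist": set(),
    "newD": {"d"},
    "attach": {"name", "idx", "body"},
    "new": {"mid", "mbody"},
    "new_aol": {"mid", "mbody"},
}

def classify_post_body(body):
    """Return the matched mode if `body` has a SHARPEXT request shape:
    exactly one known `mode` plus every parameter that mode requires.
    Returns None for anything else."""
    params = parse_qs(body, keep_blank_values=True)
    modes = params.get("mode", [])
    if len(modes) != 1 or modes[0] not in SHARPEXT_MODES:
        return None
    if not SHARPEXT_MODES[modes[0]] <= set(params):
        return None  # known mode name, but missing required fields
    return modes[0]

def scan_log(lines):
    """Scan constructed proxy lines '<client> POST <url> <body>' and
    return [(line_no, client, mode)] for SHARPEXT-shaped requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split(" ", 3)
        if len(fields) == 4 and fields[1] == "POST":
            mode = classify_post_body(fields[3])
            if mode is not None:
                hits.append((n, fields[0], mode))
    return hits

# Constructed sample traffic: two SHARPEXT-shaped posts, two benign.
SAMPLE_LOG = [
    "10.0.0.5 POST http://c2.example/u.php mode=list",
    "10.0.0.5 POST http://c2.example/u.php mode=new&mid=17c0&mbody=SGVsbG8",
    "10.0.0.7 POST http://shop.example/cart mode=checkout&item=42",
    "10.0.0.8 POST http://app.example/api mode=new&id=3",
]

if __name__ == "__main__":
    for n, client, mode in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} sent SHARPEXT-style request mode={mode}")
```

Bare modes such as `mode=list` are low-specificity on their own, so in practice a hit should be correlated with the destination host and with the more distinctive `attach`, `new` and `new_aol` shapes from the same client.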
Volexity’s post includes a summary (an image in the original) of how the various SHARPEXT components it analyzed are orchestrated.
The blog post provides images, file names and other indicators that trained people can use to determine if they have been targeted or infected by this malware. The company warned that the threat it poses has grown over time and isn’t likely to go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool containing multiple bugs, an indication that the tool was immature,” the company said. “Recent updates and ongoing support show that the attacker is achieving their goals, finding value in continuing to improve it.”