Researchers have discovered never-before-seen malware that North Korean hackers have been using to surreptitiously read and download emails and attachments from the Gmail and AOL accounts of infected users.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. Email services cannot detect the extension, and since the browser has already been authenticated using existing multi-factor authentication protections, this increasingly popular security measure plays no role in stopping account compromise.
The malware has been in use for “more than a year,” Volexity said, and is the work of a hacker group the company tracks as SharpTongue. The group is sponsored by the North Korean government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.
Volexity president Steven Adair said in an email that the extension is installed “via spear phishing and social engineering where the victim is tricked into opening a malicious document, causing the victim to install a browser extension rather than it being a post-exploitation mechanism for persistence and data theft.” In its current incarnation, the malware works only on Windows, but Adair said there’s no reason it can’t be expanded to infect browsers running on macOS or Linux as well.
The blog post added: “Volexity’s own visibility shows that the extension has been quite successful, as logs obtained by Volexity show that the attacker was able to successfully steal thousands of emails from multiple victims through the deployment of the malware.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. SHARPEXT developers have clearly paid attention to research such as that published here, here, and here, showing how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a legitimate change is made, the browser performs a cryptographic hash of part of the code. At startup, the browser checks the hashes, and if any of them do not match, the browser asks to restore the previous settings.
In order for attackers to bypass this protection, they must first extract the following from the computer they are compromising:
- A copy of the browser’s resources.pak file (which contains the HMAC seed used by Chrome)
- The S-ID value of the user
- The original Preferences and Secure Preferences files from the user’s system
After modifying the preferences files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.
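Because the extension is loaded from a modified Preferences/Secure Preferences file rather than installed from the Web Store, the extension entries in that file are a good place for a responder to look. The following audit is an added example written for this article, not Volexity’s code or a SHARPEXT indicator: it walks the `extensions.settings` subtree of a Chromium Secure Preferences file (parsed as plain JSON) and flags entries that are not ordinary store installs. The sample file contents and extension IDs are constructed; the `location` values come from Chromium’s ManifestLocation enum.

```python
import json
from pathlib import PureWindowsPath

# Chromium ManifestLocation values (extensions/common/mojom/manifest.mojom):
# 1 = INTERNAL (Web Store), 4 = UNPACKED (developer mode), 5 = COMPONENT.
LOC_INTERNAL, LOC_UNPACKED, LOC_COMPONENT = 1, 4, 5

# Constructed sample of the "extensions.settings" subtree of a Secure
# Preferences file: one Web Store install and one unpacked extension loaded
# from outside the profile. Both IDs are hypothetical placeholders.
SAMPLE_SECURE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": LOC_INTERNAL,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
            "manifest": {"name": "Store Extension", "version": "1.0"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": LOC_UNPACKED,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Untitled", "version": "0.1"}},
    }}
}


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension entry that is not a plain Web Store
    install (store installs have from_webstore=True, location=1 and a path
    relative to the profile's Extensions directory)."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if entry.get("location") == LOC_COMPONENT:
            continue  # bundled with the browser itself; expected noise
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") == LOC_UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        path = entry.get("path", "")
        if PureWindowsPath(path).is_absolute():
            reasons.append(f"absolute path outside the profile: {path}")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def audit_file(path: str) -> list[dict]:
    """Audit a real Secure Preferences file (plain JSON on disk)."""
    with open(path, encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))
```

On a live system, point `audit_file` at the profile’s Secure Preferences file and review every finding against the user’s known, approved extensions.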
“The script runs in an infinite loop to check processes associated with the targeted browsers,” Volexity explained. “If any target browser is found running, the script checks the tab title for a specific keyword (for example, ‘05101190’ or ‘Tab+’ depending on the version of SHARPEXT). The specific keyword is inserted into the title by the malicious extension when an active tab changes or when a page loads.”
The post continued:
The keystrokes sent equal Control+Shift+J, the shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.
Also, this script is used to hide any windows that might alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are run in developer mode. The script constantly checks if this window appears and hides it using the
Once installed, the extension can make the following requests:
| HTTP POST data | Description |
|---|---|
| mode=list | List the victim’s previously collected emails to ensure no duplicates are uploaded. This list is continually updated as SHARPEXT is executed. |
| mode=domain | List the email domains with which the victim has previously communicated. This list is continually updated as SHARPEXT is executed. |
| mode=black | Collect a blacklist of email senders that should be ignored when collecting emails from the victim. |
| mode=newD&d=[data] | Add a domain to the list of all domains seen by the victim. |
| mode=attach&name=[data]&idx=[data]&body=[data] | Upload a new attachment to the remote server. |
| mode=new&mid=[data]&body=[data] | Upload Gmail data to the remote server. |
| mode=attlist | Commented out by the attacker; receive a list of attachments to be exfiltrated. |
| mode=new_aol&mid=[data]&body=[data] | Upload AOL data to the remote server. |
SHARPEXT allows hackers to create lists of email addresses to ignore and track emails or attachments that have already been stolen.
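The request table gives defenders a concrete network signature: each mode value travels with a fixed set of form parameters. The scanner below is an added example written for this article (not Volexity’s detection logic) that applies those signatures to a constructed proxy log excerpt; the hosts, client addresses and body values are made up, and the log line layout is an assumption. It requires an exact parameter-set match so that unrelated applications that happen to use a `mode=` field are not flagged.

```python
from typing import Optional
from urllib.parse import parse_qs

# Request signatures from the table above: mode value -> the parameter names
# that must accompany it. mode=attlist is a bare request with no data fields.
SHARPEXT_MODES = {
    "list": set(), "domain": set(), "black": set(), "attlist": set(),
    "newD": {"d"},
    "attach": {"name", "idx", "body"},
    "new": {"mid", "body"},
    "new_aol": {"mid", "body"},
}

# Constructed proxy log excerpt (hypothetical hosts, made-up values), one
# request per line in the assumed form: <client> POST <url> <urlencoded body>
SAMPLE_LOG = """\
10.0.0.5 POST http://c2.example.invalid/upload.php mode=list
10.0.0.5 POST http://c2.example.invalid/upload.php mode=new&mid=18249ab&body=SGVsbG8
10.0.0.7 POST http://shop.example.invalid/cart mode=list&item=42
10.0.0.5 POST http://c2.example.invalid/upload.php mode=attach&name=q3.xlsx&idx=3&body=UEsDBA
10.0.0.9 POST http://intranet.example.invalid/api mode=domain&extra=1
"""


def classify_body(body: str) -> Optional[str]:
    """Return the SHARPEXT mode a POST body matches exactly, or None.
    A benign app that also sends "mode=list" almost always adds other
    fields, so the parameter set must equal the one in the table."""
    params = parse_qs(body, keep_blank_values=True)
    mode = params.get("mode", [None])[0]
    if mode not in SHARPEXT_MODES:
        return None
    if set(params) - {"mode"} != SHARPEXT_MODES[mode]:
        return None
    return mode


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, url, mode) for every log line whose body matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue  # not a POST record in the assumed layout
        client, _, url, body = parts
        mode = classify_body(body)
        if mode:
            hits.append((client, url, mode))
    return hits
```

A single hit on a bare `mode=list` is weak evidence on its own; the upload modes (`attach`, `new`, `new_aol`) from the same client to the same URL are what make the pattern worth escalating.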
Volexity created the following summary of the orchestration of the various SHARPEXT components that it analyzed:
The blog post provides images, file names, and other indicators that trained individuals can use to determine if they have been attacked or infected by this malware. The company warned that the threat it poses has grown over time and is not likely to go away any time soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool containing numerous bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker is achieving their goals and finds value in continuing to refine it.”