Kimsuky, a North Korean hacker group, is believed to be targeting users of major web browsers with a malicious browser extension that intercepts and steals emails.
Researchers at Volexity, who were the first to spot this campaign back in September, named the extension SHARPEXT. The malicious extension is compatible with three different Chromium-based web browsers:-
- Google Chrome
- Microsoft Edge
Moreover, the extension can also steal email from Gmail and AOL accounts. After compromising a target’s system with a custom VBS script, the attackers install the malicious extension on that system.
To do this, they replace the two types of browser files listed below with versions downloaded from the malware’s C2 server:-
- Preferences files
- Secure Preferences files
Besides this latest campaign, Kimsuky has deployed SHARPEXT in similar campaigns in the following countries:-
- The United States
- South Korea
The attack can remain undetected because the attacker steals emails through the target’s already-logged-in browser session, which the victim’s email provider cannot distinguish from legitimate use.
As a result, detection is extremely difficult: the extension’s workflow does not trigger a suspicious-activity alert on the victim’s account.
Checking the webmail account’s status page for alerts will therefore not reveal the malicious activity, since no alert is ever raised.
Illicit Capabilities and Data Collected
SHARPEXT allows the North Korean threat actors to gather a wide range of information. Its capabilities are listed below:-
- Make a list of all the emails that have been collected previously from the victim.
- List email domains with which the victim has previously communicated.
- Collect a blacklist of email senders.
- Add a domain to the list of all domains viewed by the victim.
- Upload a new attachment to the remote server.
- Upload Gmail data to the remote server.
- Receive a list of attachments to be exfiltrated (this capability is commented out by the attacker).
- Upload AOL data to the remote server.
The recommended mitigations are listed below:-
- Enable PowerShell ScriptBlock logging.
- Analyze the results of PowerShell ScriptBlock logging.
- Ensure that all extensions installed on machines of high-risk users are reviewed.
- Use the provided YARA rules to detect related activity.
- Block the IOCs provided.
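The mitigation to review all extensions on high-risk users’ machines can be partly automated. SHARPEXT is installed by rewriting the browser’s Preferences and Secure Preferences files, so those same files are where a defender can look for sideloaded extensions. The script below is an added example written for this article, not code from Volexity or from the Kimsuky campaign: it parses a Chromium-style Preferences / Secure Preferences JSON document, lists every extension recorded under `extensions.settings`, and flags entries that were not installed from the Chrome Web Store (the `from_webstore`, `update_url`, `path` and `location` keys are real Chromium preference fields; the sample document, extension IDs and paths are constructed for the demonstration, and the default profile paths are assumptions for a standard Windows install).

```python
import json
from pathlib import Path
from typing import Dict, List, Optional

# Extensions installed from the Chrome Web Store carry this update_url in
# their manifest; anything else is a sideload or a self-hosted update server.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Human-readable names for Chromium's ManifestLocation enum values.
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}

# Default profile files on Windows (assumed paths; adjust for other profiles).
DEFAULT_PREF_FILES = [
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Secure Preferences",
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Preferences",
    Path.home() / "AppData/Local/Microsoft/Edge/User Data/Default/Secure Preferences",
    Path.home() / "AppData/Local/Microsoft/Edge/User Data/Default/Preferences",
]

# Constructed sample: one store-installed extension and one unpacked extension
# loaded from a temp directory, as an attacker-planted Secure Preferences
# file might contain. Both extension IDs are made up for this example.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True, "location": 1,
            "path": "abcdefghijklmnopabcdefghijklmnop\\1.0_0",
            "manifest": {"name": "Store Extension",
                         "update_url": WEBSTORE_UPDATE_URL},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": False, "location": 4,
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Sideloaded Extension"},
        },
    }},
    "protection": {"macs": {}},
})


def audit_extensions(prefs: Dict) -> List[Dict]:
    """Return one finding per extension in a parsed Preferences /
    Secure Preferences document, marking non-Web-Store installs as suspicious."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        update_url = manifest.get("update_url", "")
        location = entry.get("location")
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("from_webstore is false")
        if update_url != WEBSTORE_UPDATE_URL:
            reasons.append("non-store update_url: " + (update_url or "<none>"))
        if location in (4, 8):  # unpacked or command-line loaded
            reasons.append("loaded as " + LOCATION_NAMES[location])
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unnamed>"),
            "path": entry.get("path", ""),
            "location": LOCATION_NAMES.get(location, "unknown"),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


def audit_json_text(text: str) -> List[Dict]:
    """Parse a Preferences / Secure Preferences document and audit it."""
    return audit_extensions(json.loads(text))


def suspicious_ids(findings: List[Dict]) -> List[str]:
    """Extension IDs that need a human review."""
    return sorted(f["id"] for f in findings if f["suspicious"])


def audit_file(path: Path) -> Optional[List[Dict]]:
    """Audit one preferences file; None if the file is absent."""
    if not path.is_file():
        return None
    return audit_json_text(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for pref_file in DEFAULT_PREF_FILES:
        result = audit_file(pref_file)
        if result is None:
            continue
        print(f"== {pref_file}")
        for f in result:
            flag = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"  [{flag}] {f['id']} {f['name']!r} ({f['location']}) "
                  f"{f['path']} {'; '.join(f['reasons'])}")
```

Run it on a high-risk user’s workstation and compare the flagged IDs against the IOCs in the Volexity report; an extension whose path points outside the browser’s own extension directory, or whose entry appears in Secure Preferences without a matching Web Store update URL, is exactly the pattern the SHARPEXT installation leaves behind.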