Google Chrome Extension Used To Steal Emails

Uploaded on 2022-08-02 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Hackers

A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. 

The extension, named SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target's system using a custom VBS script by replacing the 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the threat intelligence firm Volexity has disclosed. "Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system."

According to Volexity this campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT "in targeted attacks on foreign policy, nuclear and other individuals of strategic interest" in the United States, Europe, and South Korea.

Very Effective Attacks

The hackers use the target's logged-in session to steal emails, the hacker remains unseen by the victim's email provider, thus making detection particularly challenging, if not impossible. The North Korean threat actors can use SHARPEXT to collect a wide range of information using commands that collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes hacking exploits.

This is not the first time the N. Korean group has used browser extensions to harvest and exfiltrate confidential data from targets' breached systems. In 2018 researchers at NetScout identified a spear-phishing campaign orchestrated by Kimsuky pushed a malicious Chrome extension in attacks targeting a large number of academic institutions.

The Cybersecurity & Infrastructure Security Agency (CISA) has  issued an Alert focused on the group's tactics, techniques, and procedures (TTPs), highlighting the group's use of malicious browser extensions to steal credentials and cookies from victims' web browsers. “This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky, against worldwide targets, to gain intelligence on various topics of interest to the North Korean government”, says the CISA Alert. 

CISA:        Netscout:    Volexity:     Volexity:    Trendradars:     Stetson:    Masterjitips:    Bleeping Computer

 You Might Also Read: 

Google’s Emergency Update For Chrome:

 

« Mercenary Hacking Group Selling Spyware
Flunking Cyber Education »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Janusnet

Janusnet

Janusnet develops software and solutions for organisations to enforce and manage data security.

Security Innovation

Security Innovation

Security Innovation is a leader in software security assessments and application security training to top organizations worldwide.

Altius IT

Altius IT

Altius IT reviews your website for security vulnerabilities and provides a report identifying vulnerabilities and recommendations to make secure.

IronScales

IronScales

IronScales combines human intelligence with machine learning to automatically prevent, detect and respond to email phishing attacks.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

Norwegian Information Security laboratory (NISlab)

Norwegian Information Security laboratory (NISlab)

NISlab conducts international competitive research in information and cyber security and operates study programs in this area.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

NTIC Cyber Center

NTIC Cyber Center

NTIC Cyber Center is an organization dedicated to making the National Capital Region (Washington DC) more resilient to cyber-attacks.

Banshie

Banshie

Banshie is an independent cyber security company with a small team of recognized specialist that are among the best in their field.

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF) of Armenia is one of the largest technology business incubators and IT development agencies in the region.

Network Intelligence

Network Intelligence

Network Intelligence delivers a comprehensive suite of AI-powered cybersecurity solutions built on the ADVISE framework.

CENSUS

CENSUS

CENSUS is a Cybersecurity services provider offering services to multiple industries worldwide such as Security Testing, Code Auditing, Secure SDLC, Vulnerability Research and Consulting Services.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

Cypago

Cypago

Cypago provides a powerful yet easy-to-use Compliance Orchestration Platform to automate the compliance process end-to-end.

WireGuard

WireGuard

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs).

Data Computer Services

Data Computer Services

Data Computer Services provides professional tailored IT Support and IT Services for businesses throughout Edinburgh and the Lothians.