Google Chrome Extension Used To Steal Emails

Uploaded on 2022-08-02 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Hackers

A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. 

The extension, named SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target's system using a custom VBS script by replacing the 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the threat intelligence firm Volexity has disclosed. "Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system."

According to Volexity this campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT "in targeted attacks on foreign policy, nuclear and other individuals of strategic interest" in the United States, Europe, and South Korea.

Very Effective Attacks

The hackers use the target's logged-in session to steal emails, the hacker remains unseen by the victim's email provider, thus making detection particularly challenging, if not impossible. The North Korean threat actors can use SHARPEXT to collect a wide range of information using commands that collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes hacking exploits.

This is not the first time the N. Korean group has used browser extensions to harvest and exfiltrate confidential data from targets' breached systems. In 2018 researchers at NetScout identified a spear-phishing campaign orchestrated by Kimsuky pushed a malicious Chrome extension in attacks targeting a large number of academic institutions.

The Cybersecurity & Infrastructure Security Agency (CISA) has  issued an Alert focused on the group's tactics, techniques, and procedures (TTPs), highlighting the group's use of malicious browser extensions to steal credentials and cookies from victims' web browsers. “This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky, against worldwide targets, to gain intelligence on various topics of interest to the North Korean government”, says the CISA Alert. 

CISA:        Netscout:    Volexity:     Volexity:    Trendradars:     Stetson:    Masterjitips:    Bleeping Computer

 You Might Also Read: 

Google’s Emergency Update For Chrome:

 

« Mercenary Hacking Group Selling Spyware
Flunking Cyber Education »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

Softtek

Softtek

Softtek helps its clients to gain a competitive edge by implementing digital solutions that propel their business strategies.

INSUREtrust

INSUREtrust

INSUREtrust is a pioneer in the industry, inventing the concept of cyber insurance.

Sentia

Sentia

Sentia is an IT and infrastructure firm, with focus on Outsourcing, IT operation and management, Hosting, Co-location, Network, and IT security.

Online Business Systems

Online Business Systems

Online Business Systems is an information technology and business consultancy. We design improved business processes enabled with robust and secure information systems.

Forum of Incident Response & Security Teams (FIRST)

Forum of Incident Response & Security Teams (FIRST)

FIRST is the global Forum of Incident Response and Security Teams.

RISE

RISE

RISE is an independent, State-owned research institute, which offers unique expertise and over 100 testbeds and demonstration environments for future-proof technologies, products and services.

NeuShield

NeuShield

NeuShield is the only anti-ransomware technology that can recover your damaged data from malicious software attacks without a backup.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Netsurion

Netsurion

Netsurion powers secure and agile networks for highly distributed and small-to-medium enterprises and the IT providers that serve them.

Blumira

Blumira

Blumira provides comprehensive, hybrid cloud security monitoring and reporting for organizations of all sizes, enabling them to detect and respond to cloud security threats quickly and effectively.

SessionGuardian

SessionGuardian

SessionGuardian (formerly SecureReview) is the world's first and only technology which ensures second-by-second biometric identity verification of your remote user, from log on to log off.

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

Approov

Approov

Approov provides a comprehensive runtime security solution for mobile apps and their APIs, unified across iOS and Android.

Anura

Anura

The world’s most accurate ad fraud solution protects your web assets by eliminating bots, malware and human fraud, ensuring your content is seen by real people.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.