Google Chrome Extension Used To Steal Emails

A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. 

The extension, named SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

After compromising a target's system, the attackers install the malicious extension using a custom VBS script that replaces the browser's 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.

Once the new preferences files have been downloaded to the infected device, the web browser automatically loads the SHARPEXT extension. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the threat intelligence firm Volexity has disclosed. "Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system."
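A defender's triage check that follows from the installation technique described above, added here as an example and not code from the article or from Volexity: it parses the `extensions.settings` section of a Chromium 'Secure Preferences' (or 'Preferences') file and flags enabled extensions that did not arrive through a normal Web Store install. The sample JSON, extension ids, names and paths are constructed, and the meaning of the `location` codes, `from_webstore` and `path` fields is an assumption about the real file format.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

# Chromium manifest-location code (assumed value): 1 = INTERNAL, i.e. installed into
# the profile's own Extensions directory, which is how Web Store installs land.
# Other codes (e.g. 4 = UNPACKED) mean the extension was loaded from elsewhere.
LOCATION_INTERNAL = 1

# Constructed sample mimicking the extensions.settings.<id> layout of a Chromium
# 'Secure Preferences' file; ids, names and paths are made up for illustration.
SAMPLE_SECURE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {                     # ordinary store install
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Store Extension", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {                     # sideloaded, enabled
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\Public\\ext\\3.0",
        "manifest": {"name": "Helper", "permissions": ["tabs", "webRequest", "<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {                     # sideloaded but disabled
        "from_webstore": False, "location": 4, "state": 0,
        "path": "/tmp/old", "manifest": {"name": "Old", "permissions": []}},
}}})


def is_absolute(path):
    """Profile-relative paths are neither Windows- nor POSIX-absolute."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def find_sideloaded(prefs_text):
    """Map extension id -> {name, reasons, permissions} for enabled extensions
    that did not arrive via a normal Web Store install."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        if entry.get("state") != 1:            # only enabled extensions can run
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if entry.get("location") != LOCATION_INTERNAL:
            reasons.append(f"location={entry.get('location')} is not INTERNAL")
        if is_absolute(entry.get("path", "")):
            reasons.append("path points outside the profile's Extensions directory")
        if reasons:
            manifest = entry.get("manifest", {})
            findings[ext_id] = {"name": manifest.get("name", "?"), "reasons": reasons,
                                "permissions": manifest.get("permissions", [])}
    return findings
```

Pointing `find_sideloaded` at a real profile's 'Secure Preferences' file gives an analyst a short list of extensions to inspect, with their requested permissions alongside the reasons they were flagged.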

According to Volexity, this campaign aligns with previous Kimsuky attacks, as it also deploys SHARPEXT "in targeted attacks on foreign policy, nuclear and other individuals of strategic interest" in the United States, Europe, and South Korea.

Very Effective Attacks

Because the hackers use the target's already logged-in session to steal emails, the activity remains unseen by the victim's email provider, making detection particularly challenging, if not impossible. The North Korean threat actors can use SHARPEXT to collect a wide range of information, and its commands maintain a list of the emails already collected from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT runs.

This is not the first time the North Korean group has used browser extensions to harvest and exfiltrate confidential data from targets' breached systems. In 2018, researchers at NetScout identified a spear-phishing campaign orchestrated by Kimsuky that pushed a malicious Chrome extension in attacks targeting a large number of academic institutions.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an Alert focused on the group's tactics, techniques, and procedures (TTPs), highlighting the group's use of malicious browser extensions to steal credentials and cookies from victims' web browsers. "This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky, against worldwide targets, to gain intelligence on various topics of interest to the North Korean government," says the CISA Alert.

