Researchers have discovered new malware that North Korean hackers have been using to read and download emails and attachments from the accounts of infected users.
Referred to as SHARPEXT by the researchers from Volexity, the security firm, the malware uses intelligent means to install a browser extension into the Edge and Chrome browsers. The email services can’t detect the extension. Because the browser is already authenticated with multifactor authentication protection, this security measure still can’t detect the malware. The extension can’t be found in the Web Store of Google Chrome or in Microsoft’s add-ons page, or other third-party sources. It also doesn’t depend on flaws in Gmail or AOL to be installed.
Volexity reported that the malware has been in use for ‘well over a year’, and appears to be the creation of a hacking group sponsored by North Korea’s government referred to as SharpTongue. SHARPEXT’s target are organizations in South Korea, Europe, and the U.S. that deal with nuclear weapons, and other issues North Korea believes is necessary to its national security.
Steven Adair, Volexity President, stated that the extension is installed ‘by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously, we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post-exploitation mechanism for persistence and data theft.’ In its current state, the malware only works on Windows, but Adair believes it could be extended to infect Linux or macOS browsers.
In a blog post, Volexity said, ‘Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.’
It isn’t easy to install a browser extension in a phishing operation without the notice of the end-user. Developers of SHARPEXT gave regard to information showing how a security framework in the Chrome browser engine stops malware from altering sensitive user settings. Every time an authorized change is done, the browser takes a cryptographic hash of part of the code. When started up, the browser authenticates the hashes, and if they don’t match, the old settings would be restored.
For the attackers to be successful despite this protection, they need to extract the user’s S-ID value, a copy of the resources.pak file, and the original Preferences and Secure Preferences file.
After the preference files are modified, SHARPEXT loads the extension and implements a PowerShell script allowing DevTools, a setting which enables the browser to run customized settings and code.
‘The script runs in an infinite loop checking for processes associated with the targeted browsers. If any targeted browsers are found running, the script checks the title of the tab for a specific keyword (for example, “05101190,” or “Tab+” depending on the SHARPEXT version). The specific keyword is inserted into the title by the malicious extension when an active tab changes or when a page is loaded,’ Volexity explained.
SHARPEXT enables the attackers create lists of email addresses to ignore, and keeps track of emails and attachments that have already been taken.
After the post was published, a spokesman for Google reiterated that the extension wasn’t hosted on Google servers, and that it was installed as a post-exploit malware after a successful social engineering or phishing attack.
The best ways to prevent these kind of attacks is to use anti-malware services and security-hardened operating systems like ChromeOS.
Volexity in the blog post, provided indicators for trained people to use to determine if they’ve been infected by this malware.
‘When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature. The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals, finding value in continuing to refine it,’ Volexity said.
By Marvellous Iwendi.