
North Korean-linked Gmail spyware 'SHARPEXT' harvesting sensitive email content

The insidious software exfiltrates all mail and attachments, researchers warn, putting sensitive documents at risk


A malicious browser extension linked to North Korea has been operating undetected to steal data from Gmail and AOL sessions.

The extension, dubbed ‘SHARPEXT’ by researchers, monitors webpages to automatically parse any and all emails and attachments from victims' mailboxes.

It poses a particularly serious threat to machines used by organisations for business operations, as all sensitive information sent via email has the potential to be stolen. Targets have so far been identified within the US, EU and South Korea.

Cyber security firm Volexity revealed the spyware's existence in a blog post and attributed it to a threat actor that Volexity tracks as SharpTongue, but which is known publicly as Kimsuky. This group is believed to be North Korean in origin, and the researchers have linked SharpTongue to attacks on targets connected with national security.

Ars Technica quotes Volexity president Steven Adair as saying that SHARPEXT is installed through “spear phishing and social engineering where the victim is fooled into opening a malicious document”. Phishing is a common vector for delivering malicious programmes, such as LockBit 2.0, which has been distributed by email disguised as PDFs.

To lay the groundwork for the extension, the threat actor manually exfiltrates files such as the browser's Preferences and Secure Preferences files. These are modified to include exceptions for the malicious extension and then pushed back onto the infected machine through the malware’s command and control (C2) infrastructure.

Once the original files have been swapped for these modified copies, SHARPEXT is loaded directly from the victim’s appdata folder. Once active, the extension executes code fetched directly from the C2 server, which helps it evade antivirus software, since the malicious code is never stored within the extension itself.

Additionally, running code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension onto infected systems. Indeed, the extension is currently in its third iteration, with previous versions more limited in their browser and mail client compatibility.

At present, SHARPEXT supports Google Chrome and Microsoft Edge, as well as a browser called Whale that's reasonably popular in South Korea but not in other countries.

The extension only activates when a Chromium-based browser is running, and uses listeners to monitor browser activity so that only email data is collected. Global variables track the emails, email addresses and attachments that have already been exfiltrated, so as to prevent unnecessary duplication of data.

In addition to its exfiltration functions, the extension is accompanied by a PowerShell script that constantly checks for compatible browser processes and, if one is found, runs a keystroke script that opens the DevTools panel.

Simultaneously, another script works to hide the DevTools window, and anything that could make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.

Volexity has advised security teams within organisations to review installed browser extensions regularly, especially on machines with access to highly sensitive information.
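One way to act on that advice, as an added example that is not Volexity's code nor part of the original article: parse the `extensions.settings` section of a Chromium Preferences or Secure Preferences file (the same files the article describes being tampered with) and flag enabled extensions that were loaded unpacked in developer mode, are not marked as Web Store installs, or live at an absolute path such as the user's AppData folder. The numeric `location` and `state` values are assumed from the Chromium source, and the sample file, IDs, names and paths are constructed.

```python
import json
from pathlib import PureWindowsPath

# Chromium ManifestLocation value for an extension loaded unpacked via
# "developer mode" (assumed from the Chromium source; 1 == Web Store/CRX install).
UNPACKED = 4

# Constructed sample of the "extensions.settings" section of a Chromium
# Preferences / Secure Preferences file. IDs, names and paths are made up:
# one normal Web Store install, one side-loaded from AppData, one disabled.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Legit Extension", "version": "1.2.3"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
        "manifest": {"name": "Mail Helper", "version": "3.0"}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": False, "location": 4, "state": 0,
        "path": "C:\\Tools\\old", "manifest": {"name": "Disabled", "version": "1"}},
}}})


def find_suspect_extensions(prefs_text: str) -> list[dict]:
    """Return enabled extensions that look side-loaded rather than installed
    from the Web Store: unpacked/developer-mode, not-from-Web-Store, or an
    absolute install path (Web Store installs use a path relative to the
    profile's Extensions directory). Disabled entries (state 0) are skipped."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    suspects = []
    for ext_id, entry in settings.items():
        if entry.get("state", 1) != 1:  # 1 == enabled (assumed Chromium value)
            continue
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        if entry.get("from_webstore") is False:
            reasons.append("not from Web Store")
        path = entry.get("path", "")
        if PureWindowsPath(path).is_absolute():
            reasons.append(f"absolute path {path}")
        if reasons:
            man = entry.get("manifest", {})
            suspects.append({"id": ext_id, "name": man.get("name", "?"),
                             "version": man.get("version", "?"), "reasons": reasons})
    return suspects
```

On a Windows host the real files sit under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\` (Chrome) and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\` (Edge); pass the file contents to `find_suspect_extensions` and compare the result against a known-good baseline, since an attacker who has already rewritten these files can also make them look clean.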

IT Pro has approached Volexity for comment.
