North Korean-linked Gmail spyware 'SHARPEXT' harvesting sensitive email content
The insidious software exfiltrates all mail and attachments, researchers warn, putting sensitive documents at risk
A malicious browser extension linked to North Korea has been operating undetected to steal data from Gmail and AOL sessions.
The extension, dubbed ‘SHARPEXT’ by researchers, monitors webpages to automatically parse any and all emails and attachments from victims' mailboxes.
It poses a particularly serious threat to machines used by organisations for business operations, as all sensitive information sent via email has the potential to be stolen. Targets have so far been identified within the US, EU and South Korea.
Cyber security firm Volexity revealed the spyware's existence in a blog post and linked it to a threat actor it tracks under the name SharpTongue, known publicly as Kimsuky. This group is believed to be North Korean in origin, and the researchers have linked SharpTongue to attacks on targets connected to national security.
ArsTechnica reports Volexity president Steven Adair as stating that SHARPEXT is installed through “spear phishing and social engineering where the victim is fooled into opening a malicious document”. Phishing is a common vector for delivering malicious programmes, such as LockBit 2.0, which has been distributed by email disguised as PDFs.
To lay the groundwork for the extension, the threat actor manually exfiltrates browser files such as the user’s Preferences and Secure Preferences. These are modified to include exceptions for the malicious extension and then downloaded back onto the infected machine through the malware’s command and control (C2) infrastructure.
Once the original files have been replaced with these copies, SHARPEXT is loaded directly from the victim’s AppData folder. Once active, the extension executes code fetched directly from the C2 server, which has the benefit of preventing antivirus software from finding malicious code within the extension itself.
Additionally, running code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension onto infected systems. Indeed, the extension is currently in its third iteration, with previous versions more limited in their browser and mail client compatibility.
The extension only activates when a Chromium browser is running, and uses listeners to monitor browsing activity so that only email data is collected. Global variables track the emails, email addresses and attachments that have already been exfiltrated, to avoid sending duplicate data.
In addition to its exfiltration functions, the extension deploys a PowerShell script that constantly checks for compatible browser processes and, if one is found, runs a keystroke script that opens the DevTools panel.
Simultaneously, another script works to hide the DevTools window, and anything that could make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.
Volexity has advised security teams within organisations to review extensions regularly, especially those installed on machines connected to highly-sensitive information.
IT Pro has approached Volexity for comment.
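Volexity's advice to review installed extensions regularly can be turned into a routine check. The script below is an added example, not code from Volexity, IT Pro or the malware: it parses the `extensions.settings` section of a Chromium "Secure Preferences" file and flags enabled extensions that did not come from the Web Store and are either recorded as unpacked (developer mode) or loaded from an absolute path such as a profile's AppData folder. The sample JSON, extension ids and paths are constructed; the field names and the location/state values follow Chromium's preference layout as I know it.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample of the "extensions.settings" section of a Chromium
# Secure Preferences file. Field names follow Chromium's layout; the
# extension ids and paths below are made up for this example.
SAMPLE_SECURE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {          # Web Store install
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\2.1.0_0",
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {          # unpacked, loaded from AppData
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\ext-placeholder",
    },
    "cccccccccccccccccccccccccccccccc": {          # constructed: not from store, relative path
        "from_webstore": False, "location": 5, "state": 1,
        "path": "cccccccccccccccccccccccccccccccc\\1.0_0",
    },
}}})

# Values from Chromium's Manifest::Location and Extension::State enums.
LOCATION_UNPACKED = 4   # loaded via "Load unpacked" (developer mode)
STATE_ENABLED = 1


def suspicious_extensions(secure_prefs_json: str) -> list[dict]:
    """Return enabled extensions that did not come from the Web Store and are
    either recorded as unpacked or loaded from an absolute filesystem path.
    Web Store installs are stored with a relative "<id>\\<version>" path
    under the profile's Extensions directory, so they do not match."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, info in settings.items():
        if info.get("state") != STATE_ENABLED:
            continue                      # disabled entries cannot run
        if info.get("from_webstore"):
            continue                      # installed through the Web Store
        path = info.get("path", "")
        unpacked = info.get("location") == LOCATION_UNPACKED
        if unpacked or PureWindowsPath(path).is_absolute():
            findings.append({"id": ext_id, "path": path,
                             "location": info.get("location")})
    return findings


if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_SECURE_PREFS):
        print(f"{f['id']}  location={f['location']}  path={f['path']}")
```

To audit a real profile, pass the contents of the user's "Secure Preferences" file to `suspicious_extensions` and compare any hits against the extensions your organisation has approved.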