Researchers have discovered unprecedented malware that North Korean hackers used to surreptitiously read and download email and attachments from infected users’ Gmail and AOL accounts.
The malware, which researchers from security firm Volexity have dubbed SHARPEXT, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity said in a blog post. The extension cannot be detected by email services, and since the browser has already been authenticated using any multi-factor authentication protections in place, this increasingly common security measure plays no role in curbing the account compromise.
Volexity said the malware has been in use for “more than a year,” and is the work of a hacking group that the company tracks as SharpTongue. The group is backed by the North Korean government and overlaps with a group that other researchers track as Kimsuky. SHARPEXT targets organizations in the United States, Europe, and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.
Volexity chief Stephen Adair said in an email that the extension is installed “by phishing and social engineering where a victim is tricked into opening a malicious document. We’ve previously seen threat actors from the Democratic People’s Republic of Korea launch spear phishing attacks where they were The whole goal is to get the victim to install a browser extension in exchange for it being a post-exploit mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it can’t be extended to infect browsers running on macOS or Linux as well.
The blog post added: “Volexity’s own insight shows that the extension has been very successful, with records obtained by Volexity showing that the attacker successfully managed to steal thousands of emails from multiple victims by spreading malware.”
It is not easy to install a browser extension during a phishing operation without the end user noticing. The developers of SHARPEXT have apparently paid attention to research like what’s posted here, here, and here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a legitimate change is made, the browser takes a cryptographic hash of some of the code. On startup, the browser verifies the hashes, and if they do not match, the browser asks to restore the old settings.
To get around this protection, attackers must first extract the following from the computer they are compromising:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The original Preferences and Secure Preferences files from the user’s system
After the preference files are modified, SHARPEXT automatically loads the extension and executes a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.
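Because the extension is introduced by editing the profile's preference files, a defender can review those same files for extensions that did not come from the store. The following is an added example, not code from Volexity or from the article; the JSON key names (`extensions.settings`, `location`, `path`, `extensions.ui.developer_mode`) and the value 4 for an unpacked extension are assumptions about Chromium's profile format, and the sample profile is constructed.

```python
import json

# Assumption: Chromium records how an extension was installed in "location",
# and 4 means it was loaded unpacked from a folder on disk.
LOCATION_UNPACKED = 4

def audit_profile(secure_prefs_text):
    """Return (subject, reason) findings from a Secure Preferences JSON document."""
    prefs = json.loads(secure_prefs_text)
    extensions = prefs.get("extensions", {})
    findings = []
    # Developer mode is what permits unpacked extensions to load at all.
    if extensions.get("ui", {}).get("developer_mode") is True:
        findings.append(("profile", "developer mode is enabled"))
    for ext_id, entry in sorted(extensions.get("settings", {}).items()):
        if entry.get("location") == LOCATION_UNPACKED:
            path = entry.get("path", "<no path recorded>")
            findings.append((ext_id, "unpacked extension, path=" + path))
    return findings

# Constructed sample profile: one store-installed extension, one unpacked one.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "a" * 32: {"location": 1, "path": "a" * 32 + "/1.0_0"},
            "b" * 32: {"location": 4,
                       "path": "C:\\Users\\example\\Documents\\sample_ext"},
        },
    }
})

if __name__ == "__main__":
    for subject, reason in audit_profile(SAMPLE_SECURE_PREFS):
        print(subject, "-", reason)
```

Findings are review candidates rather than verdicts, since developers legitimately load unpacked extensions.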
Volexity explained: “The script runs in an infinite loop to check the processes associated with the target browsers. If any running target browsers are found, the script checks the tab title for a specific keyword (e.g., ‘05101190’ or ‘Tab +’ depending on the SHARPEXT version). The specified keyword is entered into the address by the malware. The extension is when an active tab changes or when the page is loaded.”
The post continued:
The keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and SW_HIDE. At the end of this process, DevTools is enabled in the active tab, but the window is hidden.
In addition, this script is used to hide any windows that could alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Fig. 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it with a file
Once installed, the extension can perform the following requests:
| HTTP POST data | Description |
|---|---|
| mode=menu | List the emails previously collected from the victim to ensure that duplicates are not uploaded. This list is continuously updated as SHARPEXT executes. |
| mode=field | List the email domains the victim has already contacted. This list is continuously updated as SHARPEXT executes. |
| mode=black | Collect a blacklist of email senders to ignore when collecting email from the victim. |
| mode=newD&d=[data] | Add a domain to the list of all domains the victim has viewed. |
| mode=attach&name=[data]&id=[data]&body=[data] | Upload a new attachment to the remote server. |
| mode=new&mid=[data]&mbody=[data] | Upload Gmail data to the remote server. |
| mode=atleast | Commented out by the attacker. Receive a list of attachments to be exfiltrated. |
| mode=new_aol&mid=[data]&mbody=[data] | Upload AOL data to the remote server. |
SHARPEXT allows the hackers to create lists of email addresses to ignore and to keep track of email or attachments that have already been stolen.
Volexity generated the following summary of the synchronization of the various SHARPEXT components it analyzed:
The blog post provides images, file names, and other indicators that trained people can use to determine if they have been targeted or infected by this malware. The company warned that the threat the malware poses has grown over time and is unlikely to disappear any time soon.
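The request shapes in the table can be turned into a network-side check. The following is an added example, not code from Volexity or from the article: it matches form-encoded POST bodies against the parameter-bearing rows of the table, assuming the request bodies are visible to the defender (for example through a TLS-inspecting proxy or endpoint telemetry). The record layout and sample records are constructed, with hosts on the reserved `.example` TLD.

```python
from urllib.parse import parse_qs

# mode value -> parameter names that accompany it, as listed in the table above.
SIGNATURES = {
    "newD": {"d"},
    "attach": {"name", "id", "body"},
    "new": {"mid", "mbody"},
    "new_aol": {"mid", "mbody"},
}

def match_sharpext_post(body):
    """Return the matched mode if a POST body fits a table row exactly, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    modes = fields.get("mode", [])
    if len(modes) != 1:
        return None
    expected = SIGNATURES.get(modes[0])
    # Require the exact parameter set so a generic "mode=new" form does not match.
    if expected is None or set(fields) - {"mode"} != expected:
        return None
    return modes[0]

def scan(records):
    """records: iterable of (client, dest_host, post_body); group hits per pair."""
    hits = {}
    for client, host, body in records:
        mode = match_sharpext_post(body)
        if mode:
            hits.setdefault((client, host), []).append(mode)
    return hits

# Constructed sample records.
SAMPLE_RECORDS = [
    ("10.0.0.5", "c2.example", "mode=new&mid=abc123&mbody=SGVsbG8%3D"),
    ("10.0.0.5", "c2.example", "mode=attach&name=report.pdf&id=7&body=AAAA"),
    ("10.0.0.9", "shop.example", "mode=new&item=42"),
    ("10.0.0.9", "forum.example", "mode=dark"),
]

if __name__ == "__main__":
    for (client, host), modes in scan(SAMPLE_RECORDS).items():
        print(client, "->", host, "modes:", ", ".join(modes))
```

A single client sending several distinct modes to one host is a stronger signal than any one match on its own.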
“When Volexity first encountered SHARPEXT, it appeared to be a tool in early development that contained many bugs, which is an indication that the tool was immature,” the company said. “Recent updates and ongoing maintenance show that the attacker is achieving their goals, and finding value in continuing to improve them.”