Researchers have unearthed never-before-seen malware that North Korean hackers have used to covertly read and download email and attachments from Gmail and AOL accounts of infected users.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reports in a blog post. The extension cannot be detected by the email services, and because the browser session is already authenticated, any multi-factor authentication on the account has already been satisfied, so this increasingly popular security measure plays no role in mitigating the account compromise.
The malware has been in use for “more than a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by the government of North Korea and overlaps with a group that other researchers track as Kimsuky. SHARPEXT targets organizations in the US, Europe and South Korea working on nuclear weapons and other issues North Korea considers important to its national security.
Volexity president Steven Adair said in an email that the extension is installed “through spear phishing and social engineering where the victim is fooled into opening a malicious document,” with the objective of getting the victim to install a browser extension, rather than this being a post-exploitation mechanism for persistence and data theft. As it stands, the malware only works on Windows, but according to Adair, there’s no reason why it couldn’t be expanded to infect browsers on macOS or Linux as well.
The blog post added: “Volexity’s own visibility shows that the extension has been quite successful, as logs obtained by Volexity show that the attacker was able to steal thousands of emails from multiple victims through the implementation of the malware.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. SHARPEXT’s developers have clearly paid attention to previously published research showing how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Each time a legitimate change is made, the browser takes a cryptographic hash of some of the code. At startup, the browser verifies the hashes, and if any of them don’t match, it asks to restore the old settings.
To bypass this protection, attackers must first extract the following from the computer they are compromising:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The user’s original Preferences and Secure Preferences files
With the preference files modified, SHARPEXT loads the extension and runs a PowerShell script that enables DevTools, a browser setting that allows custom code and settings to be executed.
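The Volexity post lists file names and other indicators for hunting, but the prose above already gives a defender two cheap checks on a Chrome or Edge profile: is developer mode switched on in the preference files, and is any extension loaded from an unpacked directory outside the profile rather than from the Web Store? The script below, an added example that is not part of the article or of Volexity’s post, reads a Chromium-style Secure Preferences document and reports both conditions. The key names (extensions.ui.developer_mode, extensions.settings, location, path, from_webstore), the unpacked location value 4 and the sample JSON are all assumptions of this example taken from the Chromium preference layout as this author understands it, not values quoted from the page; verify them against the browser build you are examining.

```python
import json
from typing import Any

# Constructed sample of a Chromium "Secure Preferences" file for offline use
# (not taken from the Volexity post). Extension "aaaa..." looks like a normal
# Web Store install; extension "bbbb..." is loaded unpacked from an absolute
# path and developer mode is on, the combination described in the article.
SAMPLE_SECURE_PREFERENCES = r"""
{
  "extensions": {
    "ui": {"developer_mode": true},
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "from_webstore": true,
        "state": 1
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "from_webstore": false,
        "state": 1
      }
    }
  },
  "protection": {
    "macs": {
      "extensions": {
        "settings": {
          "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "PLACEHOLDER_MAC",
          "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "PLACEHOLDER_MAC"
        }
      }
    }
  }
}
"""

# Chromium's ManifestLocation::kUnpacked; value assumed, check your build.
UNPACKED_LOCATION = 4


def is_absolute_path(path: str) -> bool:
    """True for a Windows drive-letter or UNC path. Store-installed extensions
    keep a profile-relative "<id>\\<version>" path, unpacked ones an absolute one."""
    drive = len(path) > 2 and path[1] == ":" and path[2] in "\\/"
    return drive or path.startswith("\\\\")


def scan_preferences(prefs: dict[str, Any]) -> list[str]:
    """Return human-readable findings for a parsed preference document."""
    findings: list[str] = []
    ext = prefs.get("extensions", {})
    if ext.get("ui", {}).get("developer_mode") is True:
        findings.append("developer_mode enabled")
    for ext_id, entry in ext.get("settings", {}).items():
        reasons = []
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("location=unpacked")
        if is_absolute_path(entry.get("path", "")):
            reasons.append("absolute path")
        if entry.get("from_webstore") is False:
            reasons.append("not from webstore")
        if reasons:
            findings.append(f"extension {ext_id}: " + ", ".join(reasons))
    return findings


def scan_file(path: str) -> list[str]:
    """Scan a real Preferences or Secure Preferences file from a profile directory."""
    with open(path, encoding="utf-8") as fh:
        return scan_preferences(json.load(fh))


def scan_sample() -> list[str]:
    """Run the scanner over the constructed sample above."""
    return scan_preferences(json.loads(SAMPLE_SECURE_PREFERENCES))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Both files, Preferences and Secure Preferences, live in the profile directory (for example under AppData\Local\Google\Chrome\User Data\Default on Windows), so run scan_file on each. A hit is a lead, not a verdict: developers and some enterprise deployments legitimately load unpacked extensions, so pair the output with the process and file indicators from the Volexity post.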
“The script runs in an infinite loop, checking for processes associated with the target browsers,” explains Volexity. “If targeted browsers are actively found, the script checks the title of the tab for a specific keyword (for example, ‘05101190’ or ‘Tab+’, depending on the SHARPEXT version). The specific keyword is inserted into the title by the attacker’s extension when an active tab changes or when a page loads.”
The post continued:
“The keystrokes sent are equal to Control+Shift+J, the shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden. In addition, this script is used to hide windows that could warn the victim. For example, Microsoft Edge periodically issues a warning message to the user (Figure 5) when extensions are run in developer mode. The script constantly checks if this window appears and hides it using the ShowWindow() API and the SW_HIDE flag.”
Once installed, the extension can perform the following requests:

| HTTP POST data | Description |
| --- | --- |
| mode=list | List the victim’s previously collected email to ensure no duplicates are uploaded. This list is continuously updated while SHARPEXT is running. |
| mode=domain | List the email domains the victim has previously communicated with. This list is continuously updated while SHARPEXT is running. |
| mode=black | Collect a blacklist of email senders that should be ignored when collecting email from the victim. |
| mode=newD&d=[data] | Add a domain to the list of all domains the victim has viewed. |
| mode=attach&name=[data]&idx=[data]&body=[data] | Upload a new attachment to the remote server. |
| mode=new&mid=[data]&mbody=[data] | Upload Gmail data to the remote server. |
| mode=attlist | Commented out by the attacker; get an attachment list to be exfiltrated. |
| mode=new_aol&mid=[data]&mbody=[data] | Upload AOL data to the remote server. |
SHARPEXT allows the hackers to create lists of email addresses that they can ignore and keep track of email or attachments that have already been stolen.
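The request table gives a network defender a concrete shape to hunt for: form-encoded POST bodies whose mode parameter takes one of eight values, several of which carry fixed companion parameters. The following script, an added example that is not part of the article or of Volexity’s post, encodes the table as a lookup of mode to required parameters and runs it over constructed proxy log lines. The log format (timestamp, method, host, path, body separated by spaces), the host name c2.example.invalid and the message contents are all constructed for this example; the page gives no server address, so substitute your own proxy’s field layout.

```python
from urllib.parse import parse_qs

# Required query parameters per request, transcribed from the table above.
# mode=list, domain, black and attlist carry no further parameters.
SHARPEXT_REQUESTS = {
    "list":    (set(), "list previously collected email"),
    "domain":  (set(), "list email domains the victim communicated with"),
    "black":   (set(), "fetch sender blacklist"),
    "newD":    ({"d"}, "add a viewed domain"),
    "attach":  ({"name", "idx", "body"}, "upload attachment"),
    "new":     ({"mid", "mbody"}, "upload Gmail data"),
    "attlist": (set(), "get attachment list"),
    "new_aol": ({"mid", "mbody"}, "upload AOL data"),
}

# Constructed proxy log: "<timestamp> <method> <host> <path> <form-body>".
# Host, path and payloads are placeholders, not indicators from the post.
SAMPLE_PROXY_LOG = """\
2022-07-28T10:00:01Z POST c2.example.invalid /index.php mode=list
2022-07-28T10:00:05Z POST c2.example.invalid /index.php mode=new&mid=17ab&mbody=SGVsbG8
2022-07-28T10:00:07Z GET  www.example.org /index.html -
2022-07-28T10:00:09Z POST www.example.org /settings mode=dark&theme=1
2022-07-28T10:00:11Z POST c2.example.invalid /index.php mode=attach&name=a.pdf&idx=1
2022-07-28T10:00:13Z POST c2.example.invalid /index.php mode=newD&d=example.org
"""


def classify_post_body(body: str):
    """Return (mode, description) when the body matches a SHARPEXT request
    from the table, including its required parameters; otherwise None."""
    params = parse_qs(body, keep_blank_values=True)
    modes = params.get("mode")
    if not modes or len(modes) != 1:
        return None
    spec = SHARPEXT_REQUESTS.get(modes[0])
    if spec is None:
        return None
    required, description = spec
    # A mode with its companion parameters missing (e.g. attach without body)
    # is not treated as a match, which keeps false positives down.
    if not required.issubset(params):
        return None
    return modes[0], description


def scan_log(text: str) -> list[tuple[int, str, str, str]]:
    """Yield (line number, host, mode, description) for each matching POST."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 5 or fields[1] != "POST":
            continue
        _ts, _method, host, _path, body = fields
        match = classify_post_body(body)
        if match is not None:
            hits.append((lineno, host, match[0], match[1]))
    return hits


def scan_sample() -> list[tuple[int, str, str, str]]:
    return scan_log(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    for lineno, host, mode, description in scan_sample():
        print(f"line {lineno}: {host} mode={mode} ({description})")
```

The mode parameter alone is a weak signal, since ordinary web applications also use it, so the lookup insists on the companion parameters the table documents and on a single mode value; a single hit should prompt a look at the client and the server host, while a sequence of list, domain and black requests from one client, followed by new or attach uploads, matches the workflow the table describes.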
Volexity’s post also includes a summary of how the various SHARPEXT components it analyzed are orchestrated.
The blog post contains images, file names and other indicators that trained people can use to determine whether they are targeted or infected by this malware. The company warned that the threat it poses has grown over time and is unlikely to go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be an early development tool that had numerous bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker is achieving their goals and finding value in further refining it.”