North Korean-backed hackers have a intelligent option to learn your Gmail.

Getty Images

Researchers have uncovered a never-before-seen malware used by North Korean hackers to secretly read and download emails. emails and attachments from infected users’ Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever tools to install a browser extension on Chrome and Edge browsers, Volexity said. blog article. The extension cannot be detected by email. email services, and since the browser has already been authenticated with any multi-factor authentication protections, this increasingly popular security measure has no role in containing account compromise.

The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company identifies as SharpTongue. The group is backed by the North Korean government and coincides with a the group is tracked as Kimsuky other researchers. SHARPEXT targets organizations in the US, Europe and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.

Steven Adair, president of Volexity, said in an email. said in the letter that the extension is installed “using phishing and social engineering, where the victim is tricked into opening a malicious document.” In the past, we’ve seen DPRK threat actors launch phishing spears designed to trick a victim into installing a browser extension, rather than using it as an exploit mechanism for persistence and data theft. The malware currently only works on Windows, but Adair said there’s no reason why it can’t be expanded to infect browsers running MacOS or Linux.

The blog post added: “Volexity’s own visibility indicates that the extension was quite successful, as logs obtained by Volexity show that the attacker was able to successfully steal thousands of emails.” emails from multiple victims after installing the malware.

Installing a browser extension during a phishing operation without the end user noticing is not easy. The developers of SHARPEXT clearly paid attention to research such as the one published here, hereand here, which shows how the Chromium browser engine’s security mechanism prevents malware from changing sensitive user settings. Every time a legitimate change is made, the browser grabs a cryptographic hash of a given code. At startup, the browser checks the hashes, and if any of them do not match, the browser asks to restore the old settings.

In order for attackers to bypass this protection, they must first extract the following from the computer they are compromising.

  • A copy of the resources.pak file from your browser (which contains the HMAC seed used by Chrome)
  • of the user S-ID value
  • The original Preferences and Secure Preferences files from the user’s system

After changing the preference files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.

“The script runs in an infinite loop, checking the processes associated with the target browsers,” Volexity explained. “If active target browsers are found, the script checks for a specific keyword in the tab name (for example, ‘05101190’ or ‘Tab+’ depending on the version of SHARPEXT). The specific keyword is inserted into the name of the malicious extension when the active tab changes or when loaded page.


The post continued:

Keystrokes sent are equivalent Control+Shift+J, a shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using ShowWindow() API and SW_HIDE the flag At the end of this process, DevTools is enabled in the active tab, but the window is hidden.

Also, this script is used to hide any windows that could alert the victim. For example, Microsoft Edge periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks to see if this window appears and hides it when using it ShowWindow() and SW_HIDE the flag


An installed extension can perform the following requests:

HTTP POST data Description
mode=list Record previously collected emails from the victim. emails to avoid uploading duplicates. This list is continuously updated as SHARPEXT is executed.
mode=domain List the email email domains with which the victim has previously communicated. This list is continuously updated as SHARPEXT is executed.
mode = black Collect e-mail blacklist of mail senders that should be taken into account when collecting e-mails letters from the victim.
mode=newD&d=[data] Add the domain to the list of all domains viewed by the victim.
mode=attach&name=[data]&idx=[data]&body=[data] Upload the new attachment to the remote server.
mode=new&mid=[data]&mbody=[data] Upload your Gmail data to a remote server.
mode=attlist The attacker commented; get a list of attachments to filter out.
mode=new_aol&mid=[data]&mbody=[data] Upload AOL data to a remote server.

SHARPEXT allows hackers to create email lists of email addresses to ignore and track emails that have already been stolen letters or attachments.

Volexity produced the following summary of the orchestration of the various SHARPEXT components analyzed:


The blog post includes images, file names and other indicators that trained people can use to determine if they have been targeted or infected with this malware. The company warned that its threat has grown over time and is likely to disappear soon.

“When Volexity first encountered SHARPEXT, it appeared to be an early development tool with many bugs, indicating that the tool was immature,” the company said. “Recent updates and ongoing maintenance show that the attacker is achieving its goals and continuing to improve.”

Leave a Comment