SHARPEXT is North Korean malware that targets highly sensitive Western and South Korean organizations. It lets its operators read email from the victim's Gmail account through popular browsers such as Chrome and Edge.
Cybersecurity researchers at the security firm Volexity have discovered malware actively used by North Korean hackers. The malware allows them to read and download emails and attachments from Gmail and AOL accounts.
Named SHARPEXT, this malware infects machines through an extension for the Google Chrome, Microsoft Edge and Whale browsers. The extension is not detected as malicious by the targeted email platforms and can begin its work as soon as it is installed. So far the malware only works on Windows, but it could be extended to Linux and macOS at any time.
Stealth malware that targets Gmail and AOL on Windows
According to the experts who identified SHARPEXT, the malware has been used for more than a year by a hacking group known as SharpTongue. This group is believed to be supported and financed by North Korea and to be close to another North Korean hacking group, Kimsuky.
SHARPEXT specifically targets organizations in the United States, Europe and South Korea working on projects related to nuclear weapons or other areas of interest to North Korea. Volexity estimates that several thousand email addresses have been compromised since the malware was deployed.
The extension installs automatically after a compromised document is opened; the victim never has to download it manually, and does not even realize that an extension has been installed. The hackers thwart the security mechanisms of the Chromium engine by extracting several elements from the infected computer:
- A copy of the browser’s resources.pak file, which contains the HMAC code
- The user’s security identifier
- The original System Preferences and Security Preferences files
With these in hand, SHARPEXT can install the extension discreetly, run a PowerShell script that enables DevTools, and execute code. The script also hides the warning windows that browsers normally display when an extension is running in developer mode.
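As a defender-side check inspired by the preference tampering described above (an added example, not code from Volexity or from the article), this Python script parses the JSON of a Chromium profile's `Secure Preferences` file and flags extensions that were not installed from the Web Store or were loaded unpacked from a local folder. The file name, the `from_webstore` and `location` keys and the numeric value 4 for unpacked extensions are assumptions about the Chromium preference format, and the sample data below is constructed.

```python
import json

# Constructed sample of the "extensions.settings" subtree of a Chromium
# "Secure Preferences" file. The extension ids and paths are made up.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # normal Web Store install
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "state": 1,
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # sideloaded from a local folder
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "state": 1,
            },
        }
    },
    "protection": {"macs": {}},
})

# Value of Chromium's Manifest::Location enum for extensions loaded unpacked
# via "Load unpacked" / developer mode (assumed from the Chromium source).
UNPACKED_LOCATION = 4


def suspicious_extensions(secure_prefs_text):
    """Return a list of (extension_id, reason) for entries that were not
    installed from the Web Store or were loaded unpacked from a local path."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded unpacked from %s" % entry.get("path"))
        if reasons:
            findings.append((ext_id, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path of a real Secure Preferences file to scan it; otherwise
    # the constructed sample above is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 \
        else SAMPLE_SECURE_PREFERENCES
    for ext_id, reason in suspicious_extensions(text):
        print(ext_id, "->", reason)
```

A hit from this check is only a lead: legitimate developers also load unpacked extensions, so confirm by reviewing the extension's source folder and how it was created.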
Source: Volexity