Researchers have discovered never-before-seen malware that North Korean hackers used to secretly read and download emails and attachments from infected users’ Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install a browser extension for Chrome and Edge browsers, Volexity reported in a blog post. The extension cannot be detected by email services, and since the browser has already been authenticated using existing multi-factor authentication protections, this increasingly popular security measure plays no part in mitigating account compromise.
The malware has been in use for “well over a year,” according to Volexity, and is the work of a hacker group the company tracks as SharpTongue. The group is sponsored by the North Korean government and overlaps with a group that other researchers track as Kimsuky. SHARPEXT is aimed at organizations in the US, Europe and South Korea working on nuclear weapons and other issues North Korea deems important to its national security.
Volexity President Steven Adair said in an email that the extension “is installed through spear phishing and social engineering, where the victim is tricked into opening a malicious document. The victim is tricked into installing a browser extension, rather than this being a post-exploit mechanism for persistence and data theft.” In its current version, the malware only works on Windows, but Adair said there’s no reason it couldn’t be expanded to work on browsers running macOS or Linux.
The blog post added, “Volexity’s own visibility shows that the extension was quite successful, as logs obtained from Volexity show that by deploying the malware, the attacker was able to successfully steal thousands of emails from multiple victims.”
Installing a browser extension during a phishing operation without the end user noticing is not easy. The SHARPEXT developers have clearly paid attention to research like that published here, here and here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a legitimate change is made, the browser takes a cryptographic hash of a piece of code. At startup, the browser checks the hashes, and if any of them don’t match, the browser asks to restore the old settings.
In order for attackers to bypass this protection, they must first extract the following from the computer they are compromising:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The original Preferences and Secure Preferences files from the user’s system
After modifying the settings files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.
“The script runs in an infinite loop, looking for processes associated with the target browsers,” explained Volexity. “When it finds that targeted browsers are running, the script checks the title of the tab for a specific keyword (e.g. ‘05101190’ or ‘Tab+’ depending on the SHARPEXT version). The specific keyword is inserted into the title by the attacker’s extension when an active tab changes or when a page loads.”
The post continued:
The keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools pane. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.
Furthermore, this script is used to hide all windows that might warn the victim. Microsoft Edge, for example, regularly displays a warning message to the user (Figure 5) when extensions are running in developer mode. The script constantly checks whether this window appears and also hides it.
Once installed, the extension can perform the following requests:
| HTTP POST data | Description |
|---|---|
| `mode=list` | List previously collected emails from the victim to ensure no duplicates are uploaded. This list is continuously updated while SHARPEXT is running. |
| `mode=domain` | List email domains that the victim has previously communicated with. This list is continuously updated while SHARPEXT is running. |
| `mode=black` | Collect a blacklist of email senders who should be ignored while collecting emails from the victim. |
| `mode=newD&d=[data]` | Add a domain to the list of all domains viewed by the victim. |
| `mode=attach&name=[data]&idx=[data]&body=[data]` | Upload a new attachment to the remote server. |
| `mode=new&mid=[data]&mbody=[data]` | Upload Gmail data to the remote server. |
| `mode=attlist` | Annotated by the attacker; receive a list of attachments to be exfiltrated. |
| `mode=new_aol&mid=[data]&mbody=[data]` | Upload AOL data to the remote server. |
With SHARPEXT, hackers can create lists of email addresses to ignore and track emails or attachments that have already been stolen.
Volexity created the following summary of the orchestration of the various analyzed SHARPEXT components:
The blog post contains images, file names, and other indicators that trained people can use to determine if they have been attacked or infected by this malware. The company warned that the threat it poses has grown over time and is unlikely to go away anytime soon.
“When Volexity first encountered SHARPEXT, it appeared to be a tool in early development that contained numerous bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker is achieving its goals and sees value in refining it further.”