September 18, 2022
North Korean Hackers, YT Trending - Latest Technology News

North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

A malicious browser extension that can steal email content from Gmail and AOL accounts has been deployed against Chromium-based web browsers by a threat actor with ties to North Korea.

The malware was attributed by the cybersecurity company Volexity to an activity cluster it calls SharpTongue, which it says overlaps with the adversary publicly known as Kimsuky.

Researchers Paul Rascagneres and Thomas Lancaster found that SharpTongue frequently targets people working for institutions in the US, Europe, and South Korea who “work on topics concerning North Korea, nuclear concerns, weapons systems, and other areas of strategic interest to North Korea.”

Read more: Russian Hackers From Evil Corp. Are Connected To The Raspberry Robin USB Worm by Microsoft.

It is not new for Kimsuky to employ rogue extensions in its attacks. In 2018, as part of the Stolen Pencil campaign, the attacker used a Chrome extension to infect users and steal browser cookies and passwords.

However, the most recent spy operation differs in that it makes use of the extension Sharpext to steal email information. The researchers noted that “as a victim browses their webmail account, the malware directly inspects and exfiltrates data from it.”

Read more: Numerous Android Apps on The Google Play Store Have Been Discovered To Drop Banking Malware.

The mail-theft software is intended to collect data from Gmail and AOL sessions, and it targets browsers including Google Chrome, Microsoft Edge, and Naver’s Whale.

After compromising a target Windows machine, the attacker installs the extension by replacing the browser’s Preferences and Secure Preferences files with versions fetched from a remote server.

The extension then uses the DevTools panel of the active tab to steal emails and attachments from the user’s mailbox, and takes steps to hide any warnings about running developer-mode extensions.
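Because the install described above bypasses the Web Store entirely and leaves its trace in the browser's own preference files, a defender can audit those files for extensions that were not installed from the store, were loaded unpacked, or register a DevTools page. The following script is an added example (not code from the article or from Volexity) that parses the `extensions.settings` subtree of a Chrome `Preferences`/`Secure Preferences` JSON file and reports such entries. The field names (`from_webstore`, `location`, `path`, `manifest`) follow Chromium's extension preference layout; the numeric meaning of `location` is an assumption taken from Chromium's `ManifestLocation` enum, and the sample preferences and extension ids are constructed placeholders.

```python
import json
import sys
from typing import Any, Dict, List

# Assumption: Chromium's ManifestLocation enum uses 4 for "unpacked"
# (an extension loaded from a directory via developer mode).
LOCATION_UNPACKED = 4

# Constructed sample of the "extensions" -> "settings" subtree found in
# Chrome's Preferences / Secure Preferences file. Both extension ids are
# placeholders, not real ids; the second entry models a sideloaded,
# developer-mode extension that registers a DevTools page.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "state": 1,
                "manifest": {"name": "Example Store Extension",
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
                "state": 1,
                "manifest": {"name": "Helper",
                             "devtools_page": "devtools.html",
                             "permissions": ["tabs", "<all_urls>"]},
            },
        }
    }
})


def find_suspicious_extensions(prefs_json: str) -> List[Dict[str, Any]]:
    """Return one finding per extension entry that shows signs of sideloading.

    Each finding carries the extension id, its manifest name, the on-disk
    path recorded in the preferences, and the list of reasons it was flagged.
    """
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings: List[Dict[str, Any]] = []
    for ext_id, entry in settings.items():
        reasons: List[str] = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        manifest = entry.get("manifest", {})
        if "devtools_page" in manifest:
            reasons.append("registers a DevTools page")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "path": entry.get("path", ""),
                "reasons": reasons,
            })
    return findings


def main() -> None:
    # Audit a real file if a path is given, otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_SECURE_PREFERENCES
    for f in find_suspicious_extensions(data):
        print(f"{f['id']} ({f['name']}) at {f['path']}: " + "; ".join(f["reasons"]))


if __name__ == "__main__":
    main()
```

Run it against a copy of a profile's `Secure Preferences` file (under the user's Chrome profile directory) to list extensions worth a closer look; a Web Store install with `from_webstore` set and a non-unpacked location produces no finding, so only sideloaded or developer-mode extensions surface.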

According to Volexity, the campaign was “very successful,” citing the attacker’s ability to “steal thousands of emails from many victims through the malware’s deployment.”

The researchers noted that this was the first instance in which Volexity had seen malicious browser extensions used in the post-exploitation phase of a compromise. Because the theft takes place inside the user’s already-authenticated session, it is invisible to the email provider, which makes detection very difficult.

The findings come months after the Kimsuky actor was linked to intrusions into political institutions in Russia and South Korea in order to deliver an updated version of the Konni remote access trojan.

Then, last week, cybersecurity company Securonix revealed an ongoing series of attacks against high-value targets in the Czech Republic, Poland, and other countries, part of a campaign codenamed STIFF#BIZON, that spreads the Konni malware.

The intrusions were carried out by a North Korean hacking group known as APT37, but information gathered about the attack infrastructure points to the involvement of the Russia-aligned APT28 (also known as Fancy Bear or Sofacy) actor.

The use of Konni malware in conjunction with tradecraft resemblances to APT28, according to the researchers, is what makes this particular case interesting. They added it may be a case of one group impersonating another to muddle attribution and avoid detection.
