US security company Volexity has released information about a new hacking method being developed by SharpTongue, a North Korean government-sponsored hacker group. The new malware, called SHARPEXT, uses a browser extension to steal the contents of Gmail and AOL mailboxes.
In fact, this malware is not new: attacks began in September 2021, when it was first discovered, and continuous improvement has already brought it to version 3.0. Initially it targeted only Google Chrome, but the latest version supports three browsers: Google Chrome, Microsoft Edge and Naver Whale. All are Chromium-based.
Before deploying SHARPEXT, the attacker first collects the files needed to install the extension from the infected computer: a copy of the browser's resources.pak file, the user's SID value, and the original Preferences and Secure Preferences files from the user's profile. These are gathered in advance to bypass the browser's security checks.
The collected files are used to create new Secure Preferences and Preferences files that the browser will accept at deployment time. Once the modified Preferences file is in place, the browser automatically loads the malicious extension from the folder it points to.
SHARPEXT is driven by a PowerShell script that enables DevTools and monitors the processes associated with the victim's browser in an infinite loop. The script is notable for hiding the DevTools window and the warning dialogs that would otherwise alert the victim, making the attack hard to notice.
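Because the deployment described above works by rewriting the profile's Preferences and Secure Preferences files so that an extension is loaded from a local folder rather than from the Web Store, a defender can audit those JSON files for install records that do not look like store installs. The following Python script is an added example for this article, not code from Volexity or from the malware; the Secure Preferences sample it parses is constructed, the extension IDs and paths in it are placeholders, and the `location` value 4 for an unpacked extension, the `path` and `from_webstore` fields are assumed from the Chromium preference format rather than stated on the page.

```python
import json
from pathlib import PureWindowsPath

# Chromium records where an extension came from in its "location" field.
# Assumption (from the Chromium source, not from the article): 4 means the
# extension was loaded unpacked from a local directory.
LOCATION_UNPACKED = 4

# Constructed sample of the "extensions.settings" part of a Secure Preferences
# file: one store-installed extension and one sideloaded from a local folder.
# Extension IDs and paths are placeholders, not real indicators.
SAMPLE_SECURE_PREFERENCES = r'''
{
  "extensions": {
    "settings": {
      "bbbbccccddddeeeeffffgggghhhhiiii": {
        "path": "bbbbccccddddeeeeffffgggghhhhiiii\\1.2.3_0",
        "location": 1,
        "from_webstore": true,
        "state": 1
      },
      "aaaabbbbccccddddeeeeffffgggghhhh": {
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "location": 4,
        "from_webstore": false,
        "state": 1
      }
    }
  },
  "protection": {"macs": {}}
}
'''


def find_sideloaded_extensions(prefs_text):
    """Parse a Preferences / Secure Preferences JSON document and return a list
    of (extension_id, reasons, path) for every install record that points at a
    local folder instead of a Web Store install."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, record in settings.items():
        reasons = []
        path = record.get("path", "")
        # Store installs are stored relative to the profile's Extensions
        # directory; an unpacked extension keeps an absolute on-disk path.
        if PureWindowsPath(path).is_absolute():
            reasons.append("absolute path")
        if record.get("location") == LOCATION_UNPACKED:
            reasons.append("location=unpacked")
        if record.get("from_webstore") is False:
            reasons.append("from_webstore=false")
        if reasons:
            findings.append((ext_id, ", ".join(reasons), path))
    return findings


def audit_sample():
    """Run the check over the constructed sample and return the findings."""
    return find_sideloaded_extensions(SAMPLE_SECURE_PREFERENCES)


if __name__ == "__main__":
    for ext_id, reasons, path in audit_sample():
        print(f"suspicious extension {ext_id}: {reasons} -> {path}")
```

Run against a real profile, the same function can be pointed at the `Secure Preferences` and `Preferences` files under the browser's user data directory; any hit should then be compared with what the user actually installed. The script does not verify the per-entry HMACs that Chromium keeps under `protection.macs` in Secure Preferences, which are tied to the machine and user (this is why the attacker needs the SID), so it is a triage check rather than a proof of tampering.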
Once installed, the malicious browser extension can carry out requests such as uploading Gmail or AOL data to a remote server. It includes options such as a list of email addresses to ignore, a list of emails that have already been stolen, and a list of monitored tabs, so that the same data is not exfiltrated twice.