Kimsuky launches a new browser extension to steal email content

August 9, 2022

A threat group attributed to North Korea, known as Kimsuky, has been observed distributing a malicious browser extension for Microsoft Edge and Google Chrome. The newly discovered campaign aims to steal email content from open AOL and Gmail sessions and replaces the browser's preference files to load the extension.

According to the researchers, the malicious extension is named SHARPEXT. The Kimsuky threat group has used this extension for about a year, deploying it as a post-exploitation kit to establish persistence on the targeted device.

What sets this extension apart is that it does not steal credentials but exfiltrates data directly from the victim's email inbox. The adversaries install the extension manually through a VBS script after the initial intrusion has compromised the targeted system.


Kimsuky executes a complex browser installation method for its SHARPEXT extension.


Based on reports, the Kimsuky threat group replaces the Preferences and Secure Preferences files of the targeted Chromium-based browser, a step that is generally difficult for threat actors to perform.

The group then gathers details about the browser and generates a new file that runs at browser start-up to replace the Secure Preferences file.

The adversaries then use a second script to hide the extension's actions and any windows that could alert the victim to unusual or unwanted activity. The extension itself runs a pair of listeners that watch for specific types of activity across browser tabs.
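A defender-side triage check, added here as an example and not taken from the original report: it parses the extensions section of a Chromium Secure Preferences file and lists enabled extensions that were not installed from the Web Store, which is how a sideloaded extension like the one described above would appear. The sample JSON, extension IDs and paths are constructed; the field names (`extensions.settings`, `from_webstore`, `location`, `state`, `manifest`) follow Chromium's preference layout, and the unpacked-location value of 4 is an assumption about Chromium's internal enum.

```python
import json

# Constructed sample of the "extensions.settings" portion of a Chromium
# "Secure Preferences" file (abbreviated; a real file holds many more keys).
# Extension IDs and paths are placeholders, not real indicators.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "state": 1,
                "manifest": {"name": "Example Web Store Extension", "version": "2.1"},
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\2.1_0",
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "state": 1,
                "manifest": {"name": "Placeholder Sideloaded Extension", "version": "1.0"},
                "path": "C:\\Users\\Public\\ext",
            },
        }
    }
})

# Assumed Chromium Manifest::Location value for an extension loaded unpacked
# from a directory (the "Load unpacked" / developer-mode path).
UNPACKED_LOCATION = 4


def find_sideloaded_extensions(secure_prefs_text):
    """Return one record per enabled extension that did not come from the Web Store."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("state") != 1:        # state 1 = enabled; skip disabled entries
            continue
        if entry.get("from_webstore"):     # Web Store installs are out of scope here
            continue
        findings.append({
            "id": ext_id,
            "name": entry.get("manifest", {}).get("name", "<unknown>"),
            "path": entry.get("path", ""),
            "unpacked": entry.get("location") == UNPACKED_LOCATION,
        })
    return findings
```

On a live system, read the profile's `Secure Preferences` file into `find_sideloaded_extensions` and review each hit's name and path; an enabled extension loaded unpacked from a user-writable directory is worth a closer look.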

A notable aspect of this attack is that each victim receives a unique installation crafted specifically for them.

The primary goal of the extension is to steal emails and attachments from the victim's mailbox. The first identified version of the extension targeted only Gmail accounts; however, the latest findings show that the current version of SHARPEXT also supports AOL.

SHARPEXT issues web requests from the page to download additional emails. Researchers believe the extension is still under active development and will continue to evolve.

Malicious browser extensions are a familiar tactic for North Korean hackers targeting mailboxes. This extension was nonetheless new to researchers because the actors deployed it as a post-exploitation tool, which suggests that the group is continuing to upgrade its tools and TTPs.
