Cybersecurity firm Volexity spotted new activity from a threat actor (TA) allegedly associated with North Korea and deploying malicious extensions on Chromium-based web browsers.
The threat has been dubbed SharpTongue by security researchers, despite it being publicly referred to under the name Kimsuky.
The researchers frequently observed the TA targeting individuals working for organisations in the US, Europe and South Korea.
The TA would reportedly victimise individuals and companies who work on topics including weapons systems, North Korea, nuclear issues, and other matters of strategic interest to North Korea.
The new advisory also clarifies that in September 2021 Volexity began observing an undocumented malware family used by SharpTongue dubbed “SHARPEXT”.
The advisory explains that “SHARPEXT differs from previously documented extensions used by the “Kimsuky” actor, in that it does not try to steal usernames and passwords.”
“Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it.”
Volexity explains that the extension, since its discovery, has evolved and is currently at version 3.0 based on the internal versioning system.
The first versions of SHARPEXT investigated by Volexity only supported Google Chrome, while the latest version supports Chrome, Whale, Edge.
To deploy the malware attackers first manually exfiltrate files required to install the extension from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.
This is the first time Volexity observed malicious browser extensions as part of the post-exploitation phase of a compromise.
The researchers explained that “by stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging.”
Volexity recommend enabling and analysing the results of PowerShell ScriptBlock logging and often reviewing installed extensions on machines of high-risk users to detect and investigate attacks.