Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SharpTongue. Show all posts

Kimsuky Makes E-Mails Hacking Browser Extensions

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 












SharpTongue: A Malware from North Korea that Monitors Emails

About SharpTongue

Threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension on Chromium-based browsers to keep surveillance on victims' Gmail and AOL email accounts. Experts from cybersecurity agency Volexity found the hackers as SharpTongue, but its activities coincide with one of the Kimsuky APT groups. 

The SharpTongue's toolset was covered by Huntress in 2021 in a published report, but in September 2021, Volexity started noticing usage of earlier unreported Malware strain, in the past year. Volexity has looked over various cybersecurity cases which involve SharpTongue and in most of the incidents, hackers use a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT." 

How does SharpTongue operate?

Contrary to other extensions in use by the Kimsuky APT group, SHARPEXT doesn't steal passwords or usernames, however, it accesses the target's webmail account while they're browsing it. The present version of the extension backs three browsers and is capable of stealing the contents of e-mails from AOL webmail and Gmail accounts. 

The report analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. 

The current variant 3.0 supports three browsers:

  • Edge
  • Chrome
  • Whale (It is used in South Korea)

The attack process

The attack chain begins with hackers manually extracting files required to install extensions from the malicious workstation. After a breach of the victim's Windows system, the hackers change the web browser's Preferences and Secure Preferences. 

After that, hackers manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to keep surveillance on the email contents and steal file attachments from the target's mail account. This is done via PowerShell script, hackers also conceal warning messages running developer mode extensions. 

Security Affairs report, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user’s already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."