Cybersecurity firm Volexity spotted new activity from a threat actor (TA) allegedly associated with North Korea and deploying malicious extensions on Chromium-based web browsers.
A recent advisory from the security researchers dubbed this new TA SharpTongue, despite it being publicly referred to under the name Kimsuky.
Volexity said it frequently observed SharpTongue targeting individuals working for organizations in the US, Europe and South Korea.
Particularly, the TA would reportedly victimize individuals and companies who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.
The new advisory also clarifies that, while SharpTongue’s tool-set is well documented in public sources, in September 2021, Volexity began observing an undocumented malware family used by SharpTongue dubbed “SHARPEXT”.
“SHARPEXT differs from previously documented extensions used by the “Kimsuky” actor, in that it does not try to steal usernames and passwords,” explains the advisory.
“Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it.”
Since its discovery, Volexity claims the extension has evolved and is currently at version 3.0, based on the internal versioning system.
In fact, the first versions of SHARPEXT investigated by Volexity only supported Google Chrome, while the latest version supports Chrome, Edge, and Whale (a Chromium-based browser almost exclusively used in South Korea).
As far as deployment tactics are concerned, attackers first manually exfiltrate files required to install the extension from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.
And while the use of malicious browser extensions by North Korean threat actors is not new, this is the first time Volexity observed malicious browser extensions used as part of the post-exploitation phase of a compromise.
“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging,” the security researchers explained.
To detect and investigate attacks, Volexity recommended enabling and analyzing the results of PowerShell ScriptBlock logging and periodically reviewing installed extensions on machines of high-risk users.