North Korea-backed hackers have a clever way of reading your Gmail

North Korea-backed hackers have a clever way of reading your Gmail

Getty Images

Researchers have detected never-before-seen malware that North Korean hackers are using to stealthily read and download emails and attachments from infected users’ Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever means to install browser extensions for the Chrome and Edge browsers, Volexity reported in a report. blog post, Extensions cannot be detected by email services, and since browsers have already been authenticated using any multi-factor authentication protections, this increasingly popular security measure does not play any role in curbing account compromise. doesn’t play.

The malware “has been in use for over a year,” Volexity said, and is the work of a hacking group that the company tracks as Sharptongue. This group is sponsored by the government of North Korea and a . overlaps with Group Kimsuky . tracked as by other researchers. SHARPEXT is targeting organizations in the US, Europe and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.

Volexity president Steven Adair said in an email that the extension “gets installed through spear phishing and social engineering, where the victim is fooled into opening a malicious document. Previously we’ve seen DPRK threat actors like spear phishing attacks.” where the whole purpose was to get the victim to install a browser extension versus it is a post exploit mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it couldn’t be expanded to infect browsers running macOS or Linux.

The blog post added: “Volexity’s own visibility shows that the extension has been quite successful, as logs obtained by Volexity show that the attacker was able to successfully steal thousands of emails from multiple victims through the deployment of malware. “

It’s not easy to install a browser extension during a phishing operation without the end-user noticing. SHARPEXT developers have clearly paid attention to research such as what is published Here, HereAnd Here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a valid change is made, the browser takes a cryptographic hash of some code. At startup, the browser verifies the hashes, and if none of them match, the browser requests to restore the old settings.

For attackers to work around this protection, they must first remove the following from the computer they are compromising:

  • A copy of the Resources.pak file from the browser (which contains the HMAC seed used by Chrome)
  • user’s s-id value
  • Basic Preferences and Secure Preferences Files from the User’s System

After modifying the preference files, SHARPEXT automatically loads the extension and executes a PowerShell script that enables DevTools, a setting that allows the browser to run customized code and settings.

“The script runs in an infinite loop checking for processes attached to the target browser,” explained Volexity. “If a target browser is running, the script checks the title of the tab for a specific keyword (e.g. ‘05101190,’ or ‘Tab+’ depending on the sharpext version). Specific keywords inserted in the title by malicious The extension is invoked when the active tab changes or when a page is loaded.”


Post continued:

The keystrokes sent are equal to Control+Shift+J, the shortcut to enable the DevTools panel. Finally, PowerShell script hides the newly opened DevTools window using ShowWindow() API And this SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.

In addition, this script is used to hide any windows that may alert the victim. For example, Microsoft Edge periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script continuously checks if this window appears and hides it using ShowWindow() And this SW_HIDE flag.


Once installed, the extension may request the following:

HTTP POST data description
mode = list List the emails collected from the victim in the past to ensure that duplicates are not uploaded. This list is continuously updated while SHARPEXT is executed.
mode = domain List the email domains the victim has previously communicated with. This list is continuously updated while SHARPEXT is executed.
mode = black Collect a blacklist of email senders that should be ignored when collecting emails from the victim.
Mode=NewD&D=[data] Add a domain to the list of all domains the victim has visited.
mode=append&name=[data]&idx=[data]and body =[data] Upload a new attachment to the remote server.
mode = new and middle =[data]&mbody=[data] Upload Gmail data to a remote server.
mode = attlist commented by the attacker; Get attachment list to remove.
mode=new_aol&mid=[data]&mbody=[data] Upload AOL data to the remote server.

SHARPEXT allows hackers to create lists of email addresses so they can ignore and keep track of emails or attachments that have already been stolen.

Volexity produced the following summary of the orchestration of the various SHARPEXT components analyzed:


The blog post provides images, file names and other indicators that trained people can use to determine if they have been targeted or infected by this malware. The company warned that the threat it poses has grown over time and is not likely to go away anytime soon.

“When Volexity first encountered SHARPEXT, it seemed to be a tool in early development that had many bugs, a sign that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker is achieving his goals, finding value in refining it.”

Be the first to comment

Leave a Reply

Your email address will not be published.