
Researchers have uncovered never-before-seen malware used by North Korean hackers to surreptitiously read and download emails and attachments from infected users’ Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension cannot be detected by the email services, and because the browser has already been authenticated using any multi-factor authentication protections in place, this increasingly popular security measure plays no role in stopping the account compromise.
Volexity said the malware had been in use for “more than a year” and was the work of a hacking group the company tracks as SharpTongue. The group is supported by the North Korean government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT targets organizations in the United States, Europe and South Korea working on nuclear weapons and other issues that North Korea considers important to its national security.
Volexity President Steven Adair said in an email that the extension was “installed through spear phishing and social engineering, where the victim was tricked into opening a malicious document.” Have the victim install a browser extension, despite persistence and a post-exploitation mechanism for data theft.” In its current version, the malware only runs on Windows, but Adair said there’s no reason why it shouldn’t be expanded to infect browsers running on macOS or Linux as well.
The blog post added: “Volexity’s own visibility indicates that the extension has been quite successful, as logs obtained by Volexity show that the attacker was able to successfully steal thousands of emails from multiple victims through the distribution of the malware.”
It is not easy to install a browser extension during a phishing operation without the end user noticing. SHARPEXT developers have clearly paid attention to published research that demonstrates how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a legitimate change is made, the browser takes a cryptographic hash of a portion of the code. At startup, the browser validates the hashes, and if any of them do not match, the browser requests that the old settings be restored.

In order for attackers to circumvent this protection, they must first extract the following from the compromised computer:
- A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
- The user’s S-ID value
- The original Preferences and Secure Preferences files from the user’s system
After modifying the preference files, SHARPEXT automatically installs the extension and executes a PowerShell script that enables DevTools, a setting that allows the browser to run customized code and settings.
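Because the rewritten preference files carry valid hashes, the browser's own check passes, so defenders have to review what the files say. The following added example (not from Volexity or the original article) lists extensions in a Secure Preferences file that were loaded outside the store mechanism; the key names and location codes reflect Chromium's profile layout as an assumption, and the sample data is constructed.

```python
import json
from pathlib import PureWindowsPath

# Chromium ManifestLocation codes for sideloaded extensions (taken from the
# Chromium source as an assumption; confirm against the build under review).
SIDELOADED = {4: "unpacked", 8: "command-line"}

def audit_secure_preferences(raw_json):
    """Report sideloaded extensions and the developer-mode flag found in the
    text of a Secure Preferences file (live or collected from a host)."""
    ext_root = json.loads(raw_json).get("extensions", {})
    suspicious = []
    for ext_id, entry in ext_root.get("settings", {}).items():
        if not isinstance(entry, dict):
            continue  # tolerate damaged or unexpected entries
        reasons = []
        if entry.get("location") in SIDELOADED:
            reasons.append("location=" + SIDELOADED[entry["location"]])
        path = entry.get("path", "")
        # Store installs use a path relative to the profile's Extensions
        # folder; an absolute path means the code lives elsewhere on disk.
        if path and PureWindowsPath(path).is_absolute():
            reasons.append("absolute-path")
        if reasons:
            manifest = entry.get("manifest", {})
            suspicious.append({
                "id": ext_id,
                "name": manifest.get("name", "<no manifest>"),
                "path": path,
                "permissions": manifest.get("permissions", []),
                "reasons": reasons,
            })
    dev_mode = bool(ext_root.get("ui", {}).get("developer_mode", False))
    return {"developer_mode": dev_mode, "suspicious": suspicious}

# Constructed sample: one store extension, one loaded from an arbitrary folder.
SAMPLE = json.dumps({"extensions": {
    "ui": {"developer_mode": True},
    "settings": {
        "a" * 32: {"location": 1, "path": "a" * 32 + "\\1.0.0_0",
                   "manifest": {"name": "Store extension"}},
        "b" * 32: {"location": 4, "path": "C:\\Users\\user\\AppData\\Roaming\\Sample",
                   "manifest": {"name": "Constructed sample",
                                "permissions": ["tabs"]}},
    }}})

if __name__ == "__main__":
    print(json.dumps(audit_secure_preferences(SAMPLE), indent=2))
```

Run it against each browser profile on a host, and treat any hit on a machine whose user does not develop extensions as worth a closer look.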
“The script runs in an endless loop that checks the processes associated with the targeted browsers,” said Volexity. “If any targeted browser is found to be running, the script will check the tab’s title for a specific keyword (for example, ‘05101190’ or ‘Tab+’ depending on the SHARPEXT version). A specific keyword is appended to the title by the malware extension when the tab changes or a page loads.”

The post continued:
“The keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.
“Also, this script is used to hide windows that can warn the victim. For example, Microsoft Edge periodically displays a warning message to the user if the extensions are running in developer mode (Figure 5). The script constantly checks if this window is visible and hides it using ShowWindow() and the SW_HIDE flag.”
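One way to hunt for the script behaviour described above, as an added example that is not part of Volexity's post: it assumes PowerShell script block logging (event ID 4104) is enabled and exported as records, and that the script names `chrome`/`msedge`, `MainWindowTitle` and `ShowWindow` in clear text. Fragments of one script are joined before matching, since long scripts are logged in several parts; the sample events are constructed.

```python
import re
from collections import defaultdict

# Behaviours from the description above, written as patterns. The exact
# spellings are assumptions; tune them against your own telemetry.
BEHAVIOURS = {
    "browser_process": re.compile(r"\b(chrome|msedge)\b", re.I),
    "endless_loop": re.compile(r"while\s*\(\s*\$true\s*\)", re.I),
    "hide_window": re.compile(r"ShowWindow", re.I),
    "window_title": re.compile(r"MainWindowTitle", re.I),
}

def reassemble(events):
    """Join multi-part 4104 records into whole scripts keyed by ScriptBlockId."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sid: "".join(text for _, text in sorted(chunks.items()))
            for sid, chunks in parts.items()}

def flag_scripts(events, required=3):
    """Return {ScriptBlockId: behaviours} for scripts matching >= `required`."""
    hits = {}
    for sid, script in reassemble(events).items():
        matched = sorted(n for n, rx in BEHAVIOURS.items() if rx.search(script))
        if len(matched) >= required:
            hits[sid] = matched
    return hits

# Constructed events. "sb-1" arrives out of order and is split in the middle
# of an identifier, so matching each fragment on its own would miss it.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "sb-1", "MessageNumber": 2,
     "ScriptBlockText": "WindowTitle -match $kw) { [Win]::ShowWindow($h, 0) } }"},
    {"ScriptBlockId": "sb-1", "MessageNumber": 1,
     "ScriptBlockText": "while ($true) { $p = Get-Process msedge; if ($p.Main"},
    {"ScriptBlockId": "sb-2", "MessageNumber": 1,
     "ScriptBlockText": "Get-Process chrome | Stop-Process"},
]

if __name__ == "__main__":
    for sid, matched in flag_scripts(SAMPLE_EVENTS).items():
        print(sid, matched)
```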

After the extension is installed, it can perform the following requests:
| HTTP POST Data | Definition |
| --- | --- |
| mode=page | List previously collected emails from the victim to make sure no duplicates are uploaded. This list is constantly updated as SHARPEXT is executed. |
| mod=domain | List of email domains the victim has previously contacted. This list is constantly updated as SHARPEXT is executed. |
| mode=black | Collect a blacklist of email senders that should be ignored when collecting email from the victim. |
| mod=newD&d=[data] | Add a domain to the list of all domains viewed by the victim. |
| mod=add&name=[data]&idx=[data]&score=[data] | Upload a new attachment to the remote server. |
| mod=new&medium=[data]&mbody=[data] | Upload Gmail data to the remote server. |
| mod=attention list | Commented out by the attacker; get a list of attachments to exfiltrate. |
| mode=new_aol&mid=[data]&mbody=[data] | Upload AOL data to the remote server. |
SHARPEXT allows the hackers to create lists of email addresses to ignore and to keep track of emails or attachments that have already been stolen.
Volexity created the following summary of the orchestration of the various SHARPEXT components it analyzed:

The blog post provides images, filenames, and other indicators that trained people can use to determine if they are being targeted or affected by this malware. The company warned that the threat the malware poses is growing over time and is not going away anytime soon.
“When Volexity first encountered SHARPEXT, it seemed like a tool in early development with a lot of bugs, an indication that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker has achieved their goals and finds value in continuing to improve it.”