Hackers use a Chrome extension to steal your emails


A North Korean hacker group known as Kimsuky or SharpTongue has conducted a campaign aimed at stealing emails from Gmail and AOL accounts via a browser extension called SHARPEXT.

According to Volexity researchers, the group deployed this extension, which is compatible with Chromium-based browsers such as Chrome, Edge and Whale, in September 2021 via a custom VBS script. After compromising a target system, the script replaces the browser's preference files (both the standard and the protected, "secure" one) with files downloaded from the C2 server that the malware connects to.

. @Volexity details browser extension malware #SHARPEXT used by #SharpTongue, a North Korean #apt. The mail-theft malware is deployed in targeted attacks on foreign policy, nuclear and other individuals of strategic interest. More here: https://t.co/jTj6RWToIO

#dfir #threatintel

- Volexity (@Volexity) July 28, 2022

Once the tampered preference files are in place, the browser automatically loads the SHARPEXT extension, which parses and exfiltrates data from the webmail account as the victim accesses it.
Because the attack abuses a session the target user has already authenticated, it remains almost invisible to the e-mail service provider, making the threat practically impossible to detect on that side: the extension triggers no warning of suspicious activity.
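Since the provider sees only a legitimate session, detection has to happen on the endpoint, where the tampered preference files live. The following is an added example (not Volexity's tooling and not part of the original article) that reads a Chromium "Preferences" or "Secure Preferences" JSON document and flags extensions that were not installed from the Web Store or that load from a loose directory on disk, which is how a sideloaded extension such as SHARPEXT would appear; the sample document, IDs and paths are constructed, and the numeric `location` values are assumed from Chromium's ManifestLocation enum.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample of a Chromium Preferences file, reduced to the keys this
# check needs. Field names follow Chromium's extension prefs; the extension
# IDs, names and paths are invented for this example.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1, "state": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {"name": "Legit Store Extension"},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
            "manifest": {"name": "helper", "permissions": ["tabs", "<all_urls>"]},
        },
    }}
})

# Chromium ManifestLocation values for extensions loaded from a directory or
# the command line (assumption based on Chromium's enum, not from the article).
UNPACKED, COMMAND_LINE = 4, 8


def suspicious_extensions(prefs_text: str) -> list:
    """Return a finding per extension that was not installed from the Web Store,
    is marked as unpacked/command-line loaded, or points at an absolute path
    (Web Store installs use a path relative to the profile's Extensions dir)."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") in (UNPACKED, COMMAND_LINE):
            reasons.append(f"location={entry.get('location')} (unpacked/command line)")
        path = entry.get("path", "")
        if PureWindowsPath(path).is_absolute():
            reasons.append(f"loads from absolute path {path}")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_PREFS):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

On a real host, read the profile's "Preferences" and "Secure Preferences" files and pass their contents to `suspicious_extensions`; any hit should be compared against the organisation's approved-extension list.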

Among the malware's capabilities are collecting the victim's e-mails, listing the domains the victim has corresponded with, uploading data and attachments to a remote server (with the ability to build custom lists of attachments to exfiltrate), and more.