Hackers aligned with North Korea are deploying a malicious extension for Chromium-based browsers that can steal email contents from Gmail and AOL accounts. Cybersecurity company Volexity attributed the malware to an activity cluster it tracks as SharpTongue, which is said to overlap with the known Kimsuky threat actor.

SharpTongue is known for singling out individuals working for organizations in the US, Europe, and South Korea that “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea,” researchers Paul Rascagneres and Thomas Lancaster reported.

Kimsuky’s use of rogue browser extensions in attacks is nothing new. In 2018, a Chrome plugin was found in use as part of a campaign called Stolen Pencil to infect victims’ systems and steal browser cookies and passwords.

The current attack differs in that it uses an extension, named Sharpext, to steal email data. “The malware inspects and extracts data directly from the victim’s webmail account as she browses,” the researchers note.

The targeted browsers are Google Chrome, Microsoft Edge, and Naver’s Whale; the mail-stealing extension is designed to collect information from Gmail and AOL sessions.

The add-on is installed by replacing the browser’s Preferences and Secure Preferences files with files received from a remote server, after the target Windows system has already been compromised.

The next stage enables the DevTools panel in the active tab, which lets the extension steal emails and attachments from the victim’s mailbox while also taking steps to hide the browser’s warning about running developer-mode extensions.
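Because Sharpext is side-loaded by overwriting the profile’s Secure Preferences rather than installed from a store, defenders can look for extensions whose registered path does not sit under the profile’s Extensions directory. The following is an added detection example, not Volexity’s code; it assumes the `extensions.settings` layout of the Chromium Secure Preferences file shown in the constructed sample, and that Chromium’s location code 4 means an unpacked (developer-mode) extension.

```python
import json
from pathlib import PurePath, PureWindowsPath

# Constructed sample of the "extensions.settings" map in a Chromium
# "Secure Preferences" file. A store-installed extension is recorded with a
# path relative to the profile's Extensions directory; a side-loaded,
# developer-mode extension carries an absolute path instead.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "state": 1,
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
                "state": 1,
            },
        }
    }
})

# Assumption: Chromium's ManifestLocation value for an unpacked extension.
UNPACKED_LOCATION = 4


def find_sideloaded_extensions(secure_prefs_text: str) -> list[dict]:
    """Return extensions that look side-loaded: unpacked location code or an
    absolute path (Windows or POSIX) instead of a profile-relative one."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        path = entry.get("path", "")
        reasons = []
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("location=unpacked")
        if PureWindowsPath(path).is_absolute() or PurePath(path).is_absolute():
            reasons.append("absolute path outside profile Extensions dir")
        if reasons:
            findings.append({"id": ext_id, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_sideloaded_extensions(SAMPLE_SECURE_PREFERENCES):
        print(f"suspicious extension {hit['id']}: {hit['path']} ({', '.join(hit['reasons'])})")
```

On a live host, pass the contents of `<profile>\Secure Preferences` (and `Preferences`, which may carry the same map) instead of the sample; a hit for an absolute path is worth correlating with the user having never enabled developer mode.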

Volexity described the campaign as “quite successful”, pointing to the attacker’s ability to “steal thousands of emails from various users through malware insertion”.

Researchers reported that “this is the first time that Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise. By stealing email data in the context of a user’s already logged-in session, the attack is hidden from the email provider, making detection very challenging.”

While the tactics and techniques used in the attacks point to the North Korean hacking group APT37, evidence gathered about the attack infrastructure suggests the involvement of the Russia-aligned APT28 (also known as Fancy Bear or Sofacy).

“In the end, what makes this particular case interesting is the use of the Konni malware in conjunction with tradecraft similarities to APT28,” the researchers concluded, adding that it could be a case of one group masquerading as another to confuse attribution and escape detection.

