Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

Researchers have warned Gmail users on Microsoft Edge and Google Chrome of a new email-spying malware dubbed SHARPEXT.

Gmail users should watch out for a newly discovered email-reading malware named SHARPEXT, identified by the cybersecurity firm Volexity. The malware spies on AOL and Gmail account holders and can read and download their private emails and attachments.

Campaign Details

SHARPEXT is a malicious browser extension for Google Chrome and other Chromium-based browsers, including Microsoft Edge and the Korean browser Naver Whale. Its primary targets are users in the USA, South Korea, and Europe. Volexity attributes it to a North Korean group it tracks as SharpTongue, which overlaps with the publicly reported Kimsuky and is associated with North Korea's intelligence agency, the Reconnaissance General Bureau.

The typical targets of SHARPEXT include people working on nuclear weaponry. It is worth noting that in June 2021, the Kimsuky APT was found targeting South Korea's atomic energy agency by exploiting VPN flaws, and in March 2015 the same group was blamed for targeting South Korea's Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT itself, the extension can directly inspect and exfiltrate data from a victim's Gmail or AOL webmail session, and the sample Volexity analysed was version 3.0 of the extension. The campaign has been active for more than a year, and during that time it has stolen thousands of emails and attachments from Gmail and AOL accounts.

The malware currently targets Windows devices, but Volexity says it could also work on Linux and macOS.

How Does the Attack Occur?

Victims are first compromised through social engineering and spear phishing, typically by being lured into opening a malicious document. SHARPEXT is not delivered by that document; it is installed afterwards, by hand, on the already compromised workstation.

“Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”

Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity's blog post, the attacker installs SHARPEXT by editing the browser's Preferences and Secure Preferences files so that the extension is loaded, which then enables its email read/download capabilities. The malware also hides the warning the browser would otherwise display to notify the user that an unverified extension is present.

This makes SHARPEXT hard to spot: the extension itself contains nothing that would trigger an antivirus scanner, and the malicious logic it executes is fetched from an attacker-controlled server.

Figure: Process workflow of SHARPEXT malware (Image: Volexity)

How to Stay Protected?

Volexity has published a list of IoCs (indicators of compromise) on GitHub to help you check whether a device has already been infected. You can also inspect every installed browser extension (chrome://extensions or edge://extensions) and confirm that each one can be found on the Chrome Web Store or Edge Add-ons store. An extension that was loaded from a local folder, or a "Developer mode" toggle you did not enable yourself, deserves a closer look.

Furthermore, remove any extension that looks suspicious or that you installed from an unreliable source, and keep a reputable antivirus solution running and up to date.
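
Because SHARPEXT is planted by editing the Preferences and Secure Preferences files, those files are also where a defender can look for it. The script below is an added example for this article (not Volexity's code and not from the original page): it parses a Chromium profile's Preferences and Secure Preferences JSON and flags extensions that do not look store-installed. The Chromium location codes, the default profile paths and the store update URLs are assumptions taken from the Chromium source and browser defaults, and the embedded sample preference data is constructed for the example with made-up extension IDs and paths.

```python
"""Flag sideloaded extensions in a Chromium profile's Preferences files.

Added example (not Volexity's code): parses 'Preferences' and 'Secure
Preferences' and reports extensions that were not installed from a browser
web store, the kind of entry a manually installed extension leaves behind.
"""
import json
import os
import re
import sys

# Update endpoints of the official stores (assumed: Chrome Web Store, Edge Add-ons).
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
# Chromium Manifest::Location values (assumed from the Chromium source).
LOCATION_UNPACKED = 4          # "Load unpacked" in developer mode
LOCATION_COMPONENT = {5, 10}   # browser-bundled components; skipped as noise

# Profile directories scanned when none is given (assumed default locations).
DEFAULT_PROFILE_DIRS = [
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default",
    r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default",
    r"%LOCALAPPDATA%\Naver\Naver Whale\User Data\Default",
    "~/.config/google-chrome/Default",
    "~/Library/Application Support/Google/Chrome/Default",
]


def looks_absolute(path: str) -> bool:
    """True for '/usr/..', '\\\\host\\..' or 'C:\\..' regardless of the host OS.
    Store installs live under the profile with a relative '<id>\\<version>'
    path; an absolute path means the extension was loaded from elsewhere."""
    return path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def extension_findings(prefs: dict) -> list:
    """Return one finding per extension that does not look store-installed."""
    findings = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext.get("location") in LOCATION_COMPONENT:
            continue
        manifest = ext.get("manifest", {})
        reasons = []
        if ext.get("location") == LOCATION_UNPACKED:
            reasons.append("location=4: loaded unpacked via developer mode")
        if looks_absolute(ext.get("path", "")):
            reasons.append("absolute install path: " + ext.get("path", ""))
        if not ext.get("from_webstore", False):
            reasons.append("from_webstore flag absent")
        if manifest.get("update_url") not in STORE_UPDATE_URLS:
            reasons.append("update_url is not a store endpoint: %r" % manifest.get("update_url"))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"), "reasons": reasons})
    return findings


def load_profile_settings(profile_dir: str) -> dict:
    """Merge 'extensions.settings' from both files; Secure Preferences wins.
    The HMACs under 'protection.macs' are deliberately not treated as a trust
    signal: an attacker who can read the profile can recompute them."""
    merged = {"extensions": {"settings": {}}}
    for name in ("Preferences", "Secure Preferences"):
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
            merged["extensions"]["settings"].update(
                data.get("extensions", {}).get("settings", {}))
    return merged


# Constructed sample mimicking the 'extensions.settings' layout of Secure
# Preferences: one store install, one bundled component, one sideloaded entry.
# Extension IDs, names and paths are made up for this example.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {"name": "Store Extension", "version": "1.2.3",
                         "update_url": "https://clients2.google.com/service/update2/crx"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "location": 5, "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.0_0",
            "manifest": {"name": "Bundled Component", "version": "1.0"}},
        "cccccccccccccccccccccccccccccccc": {
            "location": 4, "path": "C:\\Users\\user\\AppData\\Roaming\\example_ext",
            "manifest": {"name": "Sideloaded Example", "version": "3.0"}},
    }},
    "protection": {"macs": {"extensions": {"settings": {}}}},
}


def main(argv):
    dirs = argv[1:] or [os.path.expandvars(os.path.expanduser(d)) for d in DEFAULT_PROFILE_DIRS]
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for f in extension_findings(load_profile_settings(d)):
            print(f"{d}: {f['id']} {f['name']} v{f['version']}")
            for r in f["reasons"]:
                print("    -", r)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with one or more profile directories as arguments (or none to try the default locations) and compare anything it flags against Volexity's published IoCs. Every finding is a heuristic, not proof of compromise: legitimately unpacked developer extensions and enterprise-deployed extensions will also be reported, and a clean result is not a guarantee, since an attacker with write access to the profile controls the very files being read.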
