SHARPEXT is North Korean malware that targets sensitive Western and South Korean organizations. It reads email from the victim's Gmail and AOL webmail sessions inside Chromium-based browsers such as Chrome and Edge.
Security researchers at Volexity have discovered malware that is actively used by North Korean hackers. The malware lets them read and download the emails and attachments of the victim's Gmail and AOL accounts.
Named SHARPEXT, the malware is delivered as a browser extension for Google Chrome, Microsoft Edge and Naver's Whale browser. Because it runs inside the user's already-logged-in browser session, the extension is not flagged by the targeted mail providers and starts working as soon as it is installed. So far it has only been seen on Windows, but the extension itself is browser code and could be adapted to Linux and macOS at any time.
Stealthy malware that targets Gmail and AOL on Windows
According to the Volexity researchers who identified SHARPEXT, the malware has been in use for more than a year by a threat group tracked as SharpTongue. The group is assessed to be supported and funded by North Korea and to overlap with another North Korean group, Kimsuky.
SHARPEXT is mainly aimed at organizations in the United States, Europe and South Korea working on nuclear weapons or other topics of interest to North Korea. Volexity estimates that several thousand emails have been stolen since the malware was deployed.
The extension is installed automatically once the victim opens a malicious document; nothing has to be downloaded manually, and the user never sees that an extension was added. To get past the integrity checks that the Chromium engine applies to its preference files, the attackers first collect several items from the infected machine:
- A copy of the browser's resources.pak file, which contains the HMAC seed used to protect the preference files
- The user's Windows security identifier (SID)
- The original Preferences and Secure Preferences files from the browser profile
With these, SHARPEXT can write the extension into the preference files with valid integrity hashes, so the browser loads the sideloaded extension without complaint. A PowerShell script then enables DevTools and executes the code; the same script hides the warning windows the browser would otherwise show while an extension is running in developer mode.
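A practical check for the installation technique above is to audit the two preference files the malware tampers with. The script below is an added example written for this article; it is not Volexity's code and not part of the malware. It assumes Chromium's preference layout (extensions under `extensions.settings` in Secure Preferences, their HMACs under `protection.macs`, and the developer-mode flag at `extensions.ui.developer_mode` in Preferences) and Chromium's location codes (1 = Web Store install, 4 = unpacked directory); the sample JSON is constructed, not taken from a real profile. Because the HMAC seed is recoverable from resources.pak, a present, valid-looking MAC proves nothing, so the audit keys on where the extension came from rather than on the MAC.

```python
"""Audit a Chromium profile's Preferences and Secure Preferences for
sideloaded extensions and developer-mode settings.

Added example for this article; it is not Volexity's code and not the
malware's. Preference key names (extensions.settings, protection.macs,
extensions.ui.developer_mode) and the location codes follow Chromium's
preference layout as an assumption; the sample JSON below is constructed.
"""
import json
from pathlib import PurePosixPath, PureWindowsPath

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Chromium ManifestLocation codes (assumption): 1 = internal (Web Store
# install), 4 = unpacked (loaded from a directory in developer mode).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4


def _get(d, dotted, default=None):
    """Walk a dotted key path through nested dicts, e.g. 'extensions.settings'."""
    cur = d
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _is_absolute(path):
    # Web Store installs are stored relative to the profile's Extensions
    # directory ("<id>\\<version>_0"); an absolute path means the browser
    # was told to load a directory from somewhere else on disk.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(secure_prefs, prefs):
    """Return {extension_id_or_setting: [reasons]} for anything suspicious."""
    findings = {}
    settings = _get(secure_prefs, "extensions.settings", {}) or {}
    macs = _get(secure_prefs, "protection.macs.extensions.settings", {}) or {}
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Web Store")
        if _is_absolute(entry.get("path", "")):
            reasons.append("absolute install path: " + entry["path"])
        # A missing MAC would be rejected by the browser itself. A present MAC
        # proves little: the seed lives in resources.pak, so an attacker with
        # file access can forge it. Recorded only as context.
        if ext_id not in macs:
            reasons.append("no integrity MAC recorded")
        if reasons:
            findings[ext_id] = reasons
    if _get(prefs, "extensions.ui.developer_mode", False):
        findings["extensions.ui.developer_mode"] = ["developer mode enabled"]
    return findings


def audit_profile_text(secure_prefs_text, prefs_text):
    """Convenience wrapper: takes the two files' contents as strings."""
    return audit_extensions(json.loads(secure_prefs_text), json.loads(prefs_text))


# Constructed sample files (not from a real profile). The first extension
# looks like a normal Web Store install; the second is an unpacked directory
# with a forged MAC, the shape a silently sideloaded extension takes.
SAMPLE_SECURE_PREFS = r'''{
  "extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "from_webstore": true, "location": 1, "state": 1,
      "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.0_0",
      "update_url": "https://clients2.google.com/service/update2/crx"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "from_webstore": false, "location": 4, "state": 1,
      "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext"}
  }},
  "protection": {"macs": {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "0F0F0F0F",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "DEADBEEF"
  }}}}
}'''

SAMPLE_PREFS = r'''{"extensions": {"ui": {"developer_mode": true}}}'''


if __name__ == "__main__":
    for key, reasons in audit_profile_text(SAMPLE_SECURE_PREFS, SAMPLE_PREFS).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

On a live Windows host the two files sit in the profile directory (for Chrome, under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\`); read them into `audit_profile_text` and review every flagged entry, and treat a developer-mode flag on a machine where no one develops extensions as a lead worth pulling on, since the article's installer turns it on deliberately.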