North Korean APT uses browser extension to steal content from victims' webmail
North Korean advanced persistent threat (APT) actor Kimsuky has over the past year been observed using a malicious browser extension to steal content from victims' webmail accounts, threat intelligence and incident response company Volexity reported on Friday.
Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for targeting entities in South Korea, but also some located in Europe and the United States.
For over a year, Volexity has observed the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale (a Chrome-based browser used in South Korea) to steal data directly from victims' email accounts.
Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity says.
Volexity further states that, through the malware's deployment, the attacker was able to steal thousands of emails from multiple victims.
According to Volexity, deployment of Sharpext is highly customized: the attacker must first gain access to the victim's original browser Security Preferences file, which is then modified and used to deploy the malicious extension. Volexity has observed SharpTongue deploying Sharpext against targets for well over a year and, in each case, a dedicated folder containing the required extension files is created for the infected user.
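As an added defensive example (not Volexity's tooling and not code from the article), the script below audits a Chromium-family browser profile's Secure Preferences file (the file the article calls the Security Preferences file) for extensions that were loaded from somewhere other than the Web Store, or that request access to Gmail or AOL webmail pages. The field names `extensions.settings.<id>.location`, `.from_webstore`, `.path` and `.manifest` follow the Chromium profile layout; treat them as assumptions if your browser version differs. The sample profile data, paths and extension IDs are constructed for this example.

```python
"""Audit a Chromium-family "Secure Preferences" file for side-loaded extensions
and for extensions that can read webmail pages.

Added example for the article above; it is not Volexity's tooling and not the
malware. Field names (extensions.settings.<id>.location, .from_webstore,
.path, .manifest) follow the Chromium profile layout and are an assumption
for other browser versions. SAMPLE_PREFS below is constructed."""
import json
import os
import sys
from typing import Dict, List

# Subset of Chromium's Manifest::Location enum. 1 = INTERNAL (normal Web Store
# install); 4 = UNPACKED (loaded from an arbitrary folder).
LOCATION_NAMES = {1: "INTERNAL", 2: "EXTERNAL_PREF", 3: "EXTERNAL_REGISTRY",
                  4: "UNPACKED", 5: "COMPONENT", 8: "COMMAND_LINE"}

# Hosts whose pages a mail-stealing extension would need access to.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def audit_secure_prefs(prefs: dict, profile_dir: str) -> List[Dict]:
    """Return one finding per extension that is side-loaded or webmail-capable.

    A Web Store install records location == 1, from_webstore == True and a
    path relative to <profile>/Extensions/. Anything else deserves a look."""
    findings = []
    ext_root = os.path.normpath(os.path.join(profile_dir, "Extensions"))
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        loc = entry.get("location")
        if loc != 1:
            reasons.append("location=%s" % LOCATION_NAMES.get(loc, loc))
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        path = entry.get("path", "")
        # Relative paths are relative to the Extensions dir; unpacked
        # extensions carry an absolute path to wherever they were staged.
        abs_path = os.path.normpath(path if os.path.isabs(path)
                                    else os.path.join(ext_root, path))
        if not abs_path.startswith(ext_root + os.sep):
            reasons.append("loaded from outside Extensions dir: " + abs_path)
        # Manifest v2 lists host patterns under "permissions", v3 under
        # "host_permissions"; check both.
        perms = list(manifest.get("permissions", [])) + \
            list(manifest.get("host_permissions", []))
        mail_perms = [p for p in perms
                      if p == "<all_urls>" or any(h in p for h in WEBMAIL_HOSTS)]
        side_loaded = bool(reasons)
        if mail_perms:
            reasons.append("can read webmail pages: " + ", ".join(mail_perms))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "side_loaded": side_loaded,
                             "webmail_access": bool(mail_perms),
                             "reasons": reasons})
    return findings


# Constructed sample: one ordinary Web Store extension and one extension
# loaded from a per-user folder with webmail host permissions.
SAMPLE_PROFILE = "/home/user/.config/google-chrome/Default"
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "location": 1, "from_webstore": True,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.0_0",
        "manifest": {"name": "Ordinary Extension", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "location": 4, "from_webstore": False,
        "path": "/home/user/ext-stage",  # constructed path, not a real IoC
        "manifest": {"name": "Unpacked Extension",
                     "permissions": ["tabs"],
                     "host_permissions": ["*://mail.google.com/*",
                                          "*://mail.aol.com/*"]}},
}}}


def main(argv: List[str]) -> int:
    # Usage: audit.py <path to "Secure Preferences"> <profile directory>
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            prefs, profile = json.load(fh), argv[2]
    else:
        prefs, profile = SAMPLE_PREFS, SAMPLE_PROFILE
    for f in audit_secure_prefs(prefs, profile):
        print("%s (%s): %s" % (f["name"], f["id"], "; ".join(f["reasons"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed sample flagged; with a real profile, pass the `Secure Preferences` path and the profile directory. Because a Web Store install is identified by three independent facts (location, `from_webstore`, and a path under the profile's Extensions folder), an entry that fails any of them is reported even if the other two were made to look normal.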