Volexity, a cybersecurity firm, reported that the malware is attributed to SharpTongue, an activity cluster said to overlap with the adversarial collective publicly known as Kimsuky.
SharpTongue is notorious for singling out individuals at organizations in the US, Europe, and South Korea who work on matters relating to North Korea, weapons systems, and nuclear issues; in short, matters of strategic interest to North Korea, according to researchers Paul Rascagneres and Thomas Lancaster.
Furthermore, Kimsuky's use of rogue browser extensions in attacks is not a new tactic. In 2018, the actor was seen using a Chrome extension as part of the Stolen Pencil campaign, which aimed to infect victims and steal their browser cookies and passwords.
However, its latest espionage effort differs in that it uses a different extension, SHARPEXT, to plunder email data. The researchers note that this malware inspects and exfiltrates data directly from a victim's webmail account while the victim is browsing it.
The targeted browsers include Google Chrome, Microsoft Edge, and Naver's Whale browser. From these browsers, the mail-theft malware harvests data specifically from Gmail and AOL webmail sessions.
The add-on is installed by replacing the browser's Preferences and Secure Preferences files with versions received from a remote server. This replacement takes place only after a targeted Windows system has been successfully breached.
Once the replacement is complete, the DevTools panel is enabled within the active tab, and the extension uses it to steal emails and attachments from the user's mailbox. It also takes additional steps to hide any warning messages that would alert the victim that developer-mode extensions are running.
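As a defender-side illustration of the technique just described, here is an added Python check (not from Volexity or the original article) that scans a Chromium-family Preferences / Secure Preferences document for extensions that were side-loaded in developer mode rather than installed from the Web Store. It assumes Chromium's preference conventions (install-location code 4 for unpacked extensions, `from_webstore`, `extensions.ui.developer_mode`); the sample document, IDs and paths are constructed.

```python
import json
from pathlib import PureWindowsPath, PurePosixPath

# Chromium install-location code for an unpacked (developer-mode) extension;
# Web Store installs use location 1 and a relative path under <profile>/Extensions.
LOCATION_UNPACKED = 4

def suspicious_extensions(prefs_json: str) -> list:
    """Scan a 'Preferences' / 'Secure Preferences' document and return the
    extensions that look side-loaded rather than installed from the Web Store."""
    prefs = json.loads(prefs_json)
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("unpacked (developer-mode) extension")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        path = entry.get("path", "")
        # An absolute path means the extension code lives outside the profile.
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("loaded from an absolute path: " + path)
        if reasons:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings

def developer_mode_enabled(prefs_json: str) -> bool:
    """True if the profile's extensions developer-mode toggle is switched on."""
    prefs = json.loads(prefs_json)
    return bool(prefs.get("extensions", {}).get("ui", {}).get("developer_mode"))

# Constructed sample in the shape Chromium writes: one Web Store extension and
# one side-loaded developer-mode extension (IDs and paths are made up).
SAMPLE_PREFS = json.dumps({"extensions": {
    "ui": {"developer_mode": True},
    "settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/0.10_0",
            "manifest": {"name": "Slides"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": LOCATION_UNPACKED,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Mail Helper"}},
    }}})
if __name__ == "__main__":
    print("developer mode on:", developer_mode_enabled(SAMPLE_PREFS))
    for hit in suspicious_extensions(SAMPLE_PREFS):
        print(hit["id"], hit["name"], "->", "; ".join(hit["reasons"]))
```

On a real endpoint, point the functions at the JSON read from the profile's Preferences and Secure Preferences files; a hit on all three reasons together with developer mode switched on matches the installation pattern described above.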