SHARPEXT Browser Extension Description
Cybercriminals are using a corrupted browser extension named SHARPEXT to collect the emails of their victims. The operation is highly targeted against individuals of interest. Unlike other corrupted extensions, SHARPEXT doesn't aim to obtain usernames and passwords. Instead, if fully established on the device, the threat can directly inspect and exfiltrate data from the target's webmail account while it is being used. The extension can extract data from both Gmail and AOL.
The researchers who revealed details about the attack campaign attribute it to a North Korean threat actor they track as SharpTongue. According to their report, certain activities of the group overlap with the publicly known cybercrime group Kimsuky. So far, it was confirmed that SharpTongue is commonly targeting organizations and individuals from the U.S., EU and South Korea. The chosen victims are typically involved with matters of strategic interest to North Korea, such as nuclear activities, weapon systems and more.
Analysis of SHARPEXT
The SHARPEXT malware is believed to have been added to the group's threatening arsenal as early as September 2021. The initial versions of the threat were capable of infecting only Google Chrome browsers, but the latest SHARPEXT 3.0 samples can burrow themselves into Edge and Whale browsers as well. Whale is a Chromium-based browser developed by the South Korean company Naver and mostly used within South Korea.
The SHARPEXT threat is deployed on already breached devices. Before it can be activated, the threat actors must manually exfiltrate certain required files from the infected system. Afterward, SHARPEXT is manually installed via a custom-made VBS script. The malware needs for the browser's 'Preferences' and 'Secure Preferences' files to be replaced with ones retrieved from the attack's Command-and-Control (C2, C&C) server. If successful, the browser will then proceed to automatically load the malware from the '%APPDATA%\Roaming\AF' folder.
Evolution of the Threat
Earlier SHARPEXT versions carried their primary functionality internally. However, later iterations of the threat have seen most of the necessary code being stored on the C2 server. This change has provided the threat actors with two main benefits - they can now dynamically update the extension code without having to deliver the new code to the breached device first, while at the same time reducing the compromised code present within the threat itself. As a result, detection of SHARPEXT by anti-malware solutions has become much more difficult. Detection was already challenging thanks to the fact that the threat collects information within a user's logged-in session, hiding the intrusion from the victim's email provider.