Browser Extensions Used to Spy on Emails
- By Patrick Ryan
- Aug 02, 2022
North Korean hackers are using a malicious browser extension to snoop on targeted individuals' email messages. The Chromium extension steals data from the victim's webmail sessions, including Gmail and even the rarely used AOL (America Online).
Who Identified the Threat?
Volexity, a digital security firm, identified the malware. Volexity's team attributes it to SharpTongue, an activity cluster that overlaps with Kimsuky, a widely tracked adversary group.
What is SharpTongue all About?
SharpTongue targets people working for businesses and other organizations in the West, South Korea, Europe, and elsewhere. The group has a history of singling out individuals at agencies and other entities who work on matters concerning North Korea or the country's interests. Any business involved in defense, weapons systems, nuclear issues, or anything else of interest to the country's hackers is a potential target.
Is the use of Rogue Extensions a new Strategy?
No. Kimsuky's reliance on rogue extensions dates back years. In 2018, Kimsuky delivered a rogue extension as a Chrome plugin in a campaign dubbed Stolen Pencil, designed to infect targets and harvest login information such as passwords along with other potentially valuable data, including user cookies.
How is the new Attack Unique?
The latest version of the malicious browser attack uses an extension known as Sharpext to steal information from email messages. The malware inspects the contents of emails as the target browses, exfiltrates the data, and sells it on the black market.
Which Browsers are Targeted?
The browsers targeted as of this publication include Microsoft Edge, Google Chrome, and the Naver Whale browsers.
How is the Add-on Installed?
The add-on is installed after the Windows system has already been breached: the attackers replace the browser's Preferences and Secure Preferences files with versions fetched from a remote server. The next step is to enable the DevTools panel in the active tab, which is used to pull emails and attachments from the target's mailbox. The operators are advanced enough to have gone to great lengths to suppress the warning the browser shows for extensions running in developer mode, so targets never see a sign that they are being spied on.
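Because the installation described above works by rewriting the browser's Secure Preferences file rather than installing through the Chrome Web Store, a defender can look for its traces in that file. The script below is an added example, not code from the original article or from Volexity: it parses the JSON of a Chromium Secure Preferences file and flags extensions that were loaded unpacked (developer mode), that did not come from the Web Store, that point at an absolute on-disk path, or whose settings entry has no HMAC under protection.macs. The sample preferences are constructed for the demonstration, the extension IDs are placeholders, and the location value 4 for an unpacked extension is taken from Chromium's ManifestLocation enum as an assumption to verify against the browser version in use.

```python
"""Audit a Chromium 'Secure Preferences' file for sideloaded, developer-mode extensions."""
import json
import re
from typing import Any, Dict, List

# Chromium's ManifestLocation value for an extension loaded via "Load unpacked".
# Assumption: matches Chromium's enum in recent builds; confirm for the version you inspect.
UNPACKED_LOCATION = 4

# Extension state value meaning "enabled" in Chromium's extension settings.
STATE_ENABLED = 1

# Windows drive-letter or POSIX absolute path; Web Store extensions use a path
# relative to the profile's Extensions directory ("<id>\<version>").
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)")

# Constructed sample (not from any real host): one Web Store extension and one
# extension dropped on disk and registered by rewriting the preferences file.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.0_0",
                "state": STATE_ENABLED,
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": UNPACKED_LOCATION,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\dev_ext",
                "state": STATE_ENABLED,
            },
        },
        "ui": {"developer_mode": True},
    },
    "protection": {
        "macs": {
            "extensions": {
                "settings": {
                    # Placeholder hex; a real file carries a 64-hex-char HMAC-SHA256.
                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "00" * 32,
                }
            }
        },
        "super_mac": "ff" * 32,
    },
})


def developer_mode_enabled(prefs: Dict[str, Any]) -> bool:
    """True when the profile has the extensions developer-mode toggle switched on."""
    return bool(prefs.get("extensions", {}).get("ui", {}).get("developer_mode", False))


def audit_extensions(prefs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per extension that shows any sideloading indicator."""
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = (prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded unpacked (developer mode)")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if ABS_PATH.match(entry.get("path", "")):
            reasons.append("absolute on-disk path: %s" % entry["path"])
        if ext_id not in macs:
            # The browser writes an HMAC for every entry it saves itself. A missing
            # MAC means the entry was written by something else. A present MAC can
            # only be verified with the seed embedded in the browser build, which
            # this script does not attempt.
            reasons.append("no protection.macs entry for this extension")
        if reasons:
            findings.append({
                "id": ext_id,
                "enabled": entry.get("state") == STATE_ENABLED,
                "reasons": reasons,
            })
    return findings


def audit(text: str) -> Dict[str, Any]:
    """Parse a Secure Preferences document and summarise the extension indicators."""
    prefs = json.loads(text)
    return {
        "developer_mode": developer_mode_enabled(prefs),
        "findings": audit_extensions(prefs),
    }


if __name__ == "__main__":
    # Run against the constructed sample; point json.loads at a real file to audit a host.
    print(json.dumps(audit(SAMPLE_SECURE_PREFS), indent=2))
```

On a real host the file lives under the browser profile directory (for Chrome on Windows, alongside Preferences in the User Data\Default folder); run the audit against a copy taken with the browser closed so the file is consistent. A hit on the developer-mode flag together with an enabled extension at an absolute path is worth a closer look even where the HMACs are present, since an attacker who can rewrite the file can in principle recompute them.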
What can be Done to Prevent the Attack?
As noted above, this browser-based strategy for spying on email comes on the heels of Kimsuky's alleged ties to an especially vicious digital attack against political groups in South Korea and Russia. However, even if your business does not engage in activity related to North Korea, there is a chance other hackers will replicate this strategy in an attack on your business or even your personal computer. Update your digital security protections today, and you'll have the protection you need against the onslaught of digital threats.