North Korean-backed hackers have a intelligent solution to learn Gmail

Getty Images

Researchers have discovered never-before-seen malware being used by North Korean hackers to read and download emails and attachments from infected users’ Gmail and AOL accounts.

The malware, called SHARPEXT by researchers from the security firm Volexity, uses clever methods to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The email services cannot detect the extension, and since the browser is already authenticated using any multi-factor authentication protections in place, this increasingly popular security measure has no role in restricting to add to the account reconciliation.

The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by the North Korean government and overlaps with a a tracked group like Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues that North Korea considers important to its national security.

Volexity President Steven Adair said in an email that the extension gets installed “through spear phishing and social engineering in which the victim is fooled into opening a malicious document. Previously we saw DPRK threat actors launch spear phishing attacks where the whole objective was to ask victim to install a browser extension rather than a post-exploitation mechanism for persistence and data theft.” In its current incarnation, the malware only works on Windows, but Adair said there’s no reason it couldn’t be expanded to infect browsers running on macOS or Linux as well.

The blog post added: “Volexity’s own visibility indicates that the extension is quite successful, as logs obtained by Volexity show that the attacker was able to steal thousands of emails from multiple victims by deploying malware.”

It is not easy to install a browser extension during a phishing operation without the end user noticing. It is clear that the developers of SHARPEXT have paid attention to research similar to what has been published here, hereand here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Every time a legitimate change is made, the browser captures a cryptographic hash of part of the code. At startup, the browser verifies the hashes, and if none of them match, the browser asks to restore the old settings.

In order for attackers to work around this defense, they must first remove the following from the compromised computer:

  • A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
  • The user S-ID value
  • The original Preferences and Secure Preferences files from the user’s system

After modifying the preference files, SHARPEXT automatically loads the extension and runs a PowerShell script that enables DevTools, a setting that allows the browser to run custom code and settings.

“The script runs in an infinite loop checking for processes related to the targeted browsers,” explained Volexity. msgstr “If any targeted browsers are found running, the script checks the tab title for a specific keyword (for example ‘05101190,’ or ‘Tab+’ depending on the SHARPEXT version). The specific keyword is inserted into the title at the malicious extension when active tab changes or page loads.”


The post continued:

The keystrokes sent are the same as Control+Shift+J, the shortcut to enable the DevTools panel. Finally, the PowerShell script hides the newly opened DevTools window using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.

Additionally, this script is used to hide any windows that might alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script always checks if this window is visible and hides it using the ShowWindow() and the SW_HIDE flag.


Once installed, the extension can perform the following requests:

HTTP POST details Put down
method = list List previously collected emails from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes.
mode = domain List email domains the victim has communicated with in the past. This list is continuously updated as SHARPEXT executes.
mode = black Compile a blacklist of email senders that should be ignored when collecting email from the victim.
mode=newD&d=[data] Add a domain to the list of all domains visible to the victim.
mode= connect&name=[data]&idx=[data]&body=[data] Upload a new attachment to the remote server.
mode=new&center=[data]&mbody=[data] Upload Gmail data to the remote server.
mode=list The attacker said; get a list of attachments to be refiltered.
mode=new_lime&center=[data]&mbody=[data] Upload AOL data to the remote server.

SHARPEXT allows the hackers to create lists of email addresses to ignore and track already stolen email or attachments.

Volexity created the following summary of the orchestration of the various SHARPEXT components it analyzed:


The blog post provides images, file names, and other indicators that trained people can use to determine if they are targeted or infected by this malware. The company warned that the threat has grown over time and is unlikely to go away anytime soon.

“When SHARPEXT was first introduced by Volexity, it appeared to be an early development tool with many bugs, a sign that the tool was immature,” the company said. “The latest updates and ongoing maintenance show that the attacker is achieving its goals, finding value in continuing to improve it.”

Leave a Comment