
This browser extension lets spies steal emails

Aug 1 — A nation-state backed threat group known as Kimsuky is deploying a malicious browser extension for the purpose of pinching emails. With the extension, hackers can steal emails while users are reading through them.

How it works

The extension itself has been dubbed SHARPEXT by researchers. The campaign was identified in September. The extension supports three Chromium-based web browsers (Chrome, Edge and Whale) and can steal emails from Gmail and AOL accounts alike.

Attackers install the malicious extension after compromising a target’s system. A custom VBS script replaces the browser’s ‘Preferences’ and ‘Secure Preferences’ files with versions downloaded from the malware’s command-and-control server. Once the replaced files are in place on the infected device, the browser auto-loads the SHARPEXT extension.
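As an added defender-side example (not from the article or the researchers’ report), the script below audits a Chromium profile’s ‘Secure Preferences’ JSON for extension entries that look dropped in rather than installed from the Web Store. The key names (extensions.settings, protection.macs) and the meaning of the location code are assumptions about Chromium’s preference layout.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Assumed Chromium ManifestLocation codes: 1 = internal (CRX install),
# 4 = unpacked directory. Anything other than 1 is treated as suspicious.
TRUSTED_LOCATIONS = {1}


def _is_absolute(path: str) -> bool:
    """True if the path is absolute on either Windows or POSIX."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(secure_prefs: dict) -> list[dict]:
    """Return one finding per extensions.settings entry that looks sideloaded.

    Assumed layout: from_webstore flag, location code and install path live in
    extensions.settings.<id>; per-entry HMACs live under
    protection.macs.extensions.settings.<id>.
    """
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    macs = (secure_prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") not in TRUSTED_LOCATIONS:
            reasons.append(f"location={entry.get('location')}")
        if _is_absolute(str(entry.get("path", ""))):
            reasons.append("absolute path (loaded from disk)")
        if ext_id not in macs:
            reasons.append("no HMAC in protection.macs")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample: one Web Store extension and one dropped-in extension.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "a" * 32: {"from_webstore": True, "location": 1, "path": "aaaa\\1.0_0",
                   "manifest": {"name": "Legit"}},
        "b" * 32: {"from_webstore": False, "location": 4,
                   "path": "C:\\Users\\Public\\ext", "manifest": {"name": "Dropped"}},
    }},
    "protection": {"macs": {"extensions": {"settings": {"a" * 32: "00"}}}},
}
```

To run it against a real profile, pass the parsed ‘Secure Preferences’ file (json.load) to audit_extensions; an entry that fails several of these checks at once is worth pulling for analysis.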

Extension evolution

Since the discovery of this campaign, the extension has evolved. Researchers are currently tracking version 3.0. Will further evolution complicate efforts to prevent and mitigate this malware?

What it collects

This malware (and its operators) collects a wide range of information using commands that:

  • List previously obtained emails from specific individuals, ensuring that duplicate data is not uploaded.
  • List email domains with which the targets have previously communicated.
  • Blacklist certain email senders when collecting emails from targeted victims.
  • Upload mail data, including attachments, to remote servers.

And it’s not the first time that this advanced persistent threat group has leveraged browser extensions to harvest and exfiltrate victim information.

More info

For more on this story, visit Bleeping Computer.