A group of North Korean hackers is using a rogue Microsoft Edge or Chrome plugin to track or access user email accounts.
Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky.
Malicious Browser Extension
SharpTongue has a history of targeting individuals working for organizations in the U.S., Europe, and South Korea who “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea,” researchers Paul Rascagneres and Thomas Lancaster said.
Volexity has responded to numerous SharpTongue events over the past year and, in most cases, has found a malicious “SHARPEXT” Google Chrome or Microsoft Edge extension.
Targeted browsers include Google Chrome, Microsoft Edge, and Naver’s Whale browser, with the mail-theft malware designed to harvest information from Gmail and AOL sessions.
The attack is hidden from the email provider because the extension reads email from within the user’s already-logged-in session rather than authenticating separately, making detection difficult.
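As an added, defensive example (not Volexity’s code and not part of the original report): a small Python triage script that reads a Chromium profile’s extension settings and flags extensions that were side-loaded rather than installed from the store, or that can read webmail pages. It assumes the JSON layout Chrome and Edge write to their Preferences / Secure Preferences files (extensions.settings.<id> with location, from_webstore, path and an embedded manifest) and that location value 4 denotes an unpacked extension; the sample profile data below is constructed.

```python
"""Flag side-loaded or webmail-capable extensions in a Chromium profile.
Assumption: extensions.settings.<id> carries "location", "from_webstore",
"path" and "manifest", and location 4 means "unpacked" (developer-mode)."""
import json
from pathlib import Path

UNPACKED = 4  # assumed Chromium ManifestLocation value for unpacked extensions
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def extension_findings(prefs: dict) -> list[dict]:
    """Return one finding per extension that is side-loaded or reaches webmail."""
    findings = []
    for ext_id, s in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = s.get("manifest", {})
        # MV3 keeps host patterns in host_permissions, MV2 mixes them into permissions
        hosts = manifest.get("host_permissions", []) + manifest.get("permissions", [])
        reasons = []
        if s.get("location") == UNPACKED or s.get("path", "").startswith(("/", "C:")):
            reasons.append("unpacked/side-loaded (not installed from the store)")
        if s.get("from_webstore") is False:
            reasons.append("from_webstore=false")
        if any(h == "<all_urls>" or any(m in h for m in MAIL_HOSTS) for h in hosts):
            reasons.append("can read webmail pages")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "reasons": reasons})
    return findings


def scan_profile(profile_dir: str) -> list[dict]:
    """Scan a real profile directory (e.g. ~/.config/google-chrome/Default)."""
    out = []
    for fname in ("Preferences", "Secure Preferences"):
        p = Path(profile_dir) / fname
        if p.is_file():
            out += extension_findings(json.loads(p.read_text(encoding="utf-8")))
    return out


# Constructed sample: one store-installed extension and one side-loaded one.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": True,
        "manifest": {"name": "Store Extension", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4, "from_webstore": False,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
        "manifest": {"name": "Helper", "permissions": ["tabs", "<all_urls>"]}},
}}}

if __name__ == "__main__":
    for f in extension_findings(SAMPLE_PREFS):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

A hit from this script is a lead to confirm by reviewing the extension’s source on disk, not proof of compromise, since legitimate developer-mode extensions trigger the same flags.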
While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, evidence gathered about the attack infrastructure suggests the involvement of the Russia-aligned APT28 (aka Fancy Bear or Sofacy) actor.