We tell you all this because right now a group of attackers known as Kimsuky is using exactly this method. To reach our computers, they use a malicious browser extension whose job is to steal email from Google Chrome or Edge users. Specifically, once installed, it lets these attackers read our webmail messages.
Now that we know what it is, we should note that the extension is called Sharpext and was detected by Volexity researchers. It is compatible with three web browsers based on the Chromium engine: Chrome, Edge and Whale. It is able to steal our mail from Gmail and AOL accounts. Once the malicious extension is installed, it compromises the system using a custom VBS script: the browser's Preferences and Secure Preferences files are replaced with ones downloaded from the malware's command-and-control server.
Once the new files we mentioned have been downloaded to the infected computer, the web browser automatically loads the Sharpext extension. The malware then directly inspects and filters data from the victim's webmail account as we browse through it. In fact, the extension has evolved over time and is currently at version 3.0.
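Because the extension is registered by rewriting the profile's Secure Preferences file rather than through the Web Store, a defender can catch it by auditing that file out of band. The script below is an added example written for this article; it is not Volexity's code nor anything taken from the Kimsuky tooling. It parses the JSON layout of Secure Preferences as I understand it (`extensions.settings.<id>` entries carrying `from_webstore`, `location`, `path` and `manifest`), flags entries that were not installed from the Web Store, were loaded unpacked from an absolute path, or are not on a site allowlist, and runs against a constructed sample profile embedded inline. The numeric `location` values are an assumption taken from Chromium's ManifestLocation enum and should be checked against the browser build in use.

```python
"""Audit a Chromium 'Secure Preferences' file for side-loaded extensions.

Added defender-side example (not the article's, Volexity's or the malware's
code). Preference key names and the ManifestLocation numbers below are
assumptions drawn from Chromium's source layout; verify them for your build.
"""
import json
from pathlib import PurePosixPath, PureWindowsPath

# Assumed Chromium ManifestLocation values (extensions/common/manifest.h).
LOCATION_NAMES = {
    1: "internal (Web Store / CRX)",
    2: "external_pref",
    3: "external_registry",
    4: "unpacked (developer mode)",
    5: "component (bundled with the browser)",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}
BUILT_IN_LOCATIONS = {5, 10}   # shipped with the browser itself; skipped
POLICY_LOCATIONS = {7, 9}      # pushed by enterprise policy; trusted here


def load_secure_preferences(path):
    """Read a profile's Secure Preferences file (plain JSON) from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _is_absolute(path):
    """True for an absolute Windows or POSIX path regardless of host OS."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(prefs, allowlist):
    """Return one finding per extension that deviates from a Web-Store-only,
    allowlisted baseline. `prefs` is the parsed Secure Preferences JSON."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location in BUILT_IN_LOCATIONS or location in POLICY_LOCATIONS:
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if location == 4:
            reasons.append("loaded unpacked from disk")
        path = str(entry.get("path", ""))
        # Web Store installs record a path relative to the profile's Extensions
        # directory (e.g. '<id>\\3.0_0'); an absolute path was chosen by whoever
        # wrote the preferences file, not by the browser.
        if path and _is_absolute(path):
            reasons.append(f"absolute install path {path!r}")
        if ext_id not in allowlist:
            reasons.append("not on the organisation allowlist")
        if reasons:
            manifest = entry.get("manifest", {})
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unknown>"),
                "version": manifest.get("version", "?"),
                "location": LOCATION_NAMES.get(location, f"unknown({location})"),
                "reasons": reasons,
            })
    return findings


# Constructed sample profile: one legitimate Web Store install, one
# side-loaded extension, one built-in component. IDs are placeholders.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Example Ad Blocker", "version": "1.2.3"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\Ext\\3.0",
                "manifest": {"name": "Mail Helper", "version": "3.0"},
            },
            "cccccccccccccccccccccccccccccccc": {
                "location": 5, "state": 1,
                "manifest": {"name": "Bundled Viewer", "version": "1"},
            },
        }
    }
}
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def main():
    for f in audit_extensions(SAMPLE_PREFS, ALLOWLIST):
        print(f"[!] {f['id']} {f['name']} v{f['version']} ({f['location']})")
        for reason in f["reasons"]:
            print(f"    - {reason}")


if __name__ == "__main__":
    main()
```

On a real machine, point `load_secure_preferences` at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` (or the equivalent under `Microsoft\Edge\User Data`) and run it from an EDR task or scheduled job rather than from the browser, since the page describes exactly that file being swapped out; hashing the file and alerting on any change outside a browser update is a cheap complement to the allowlist check.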
Sharpext, the Chrome extension that steals mail
To all of the above we can add that, because the extension hijacks a session that is already logged in to steal emails, the attack goes unnoticed by both the email provider and the victim. In short, its mode of operation makes detection very difficult, almost impossible. At the same time, it is important to know that the extension's workflow will not trigger any suspicious-activity alerts on the email account.
This ensures that the malicious activity will not be revealed when checking the account's status page for potential alerts. As you can imagine, this behavior makes the attack even more dangerous and effective for anyone interested in getting hold of our messages. In addition, the same Chrome extension keeps a list of the emails already collected from the victim so that duplicates are not uploaded.
Likewise, it scans the domains with which we have previously communicated and creates a blacklist of senders that are to be ignored when collecting these emails. It can also add a new domain to the list of previously seen emails and upload a new attachment to the remote server. It should be noted that this is not the first time this North Korean group has used browser extensions to collect and exfiltrate sensitive data from compromised systems, so it already has experience with the approach.