Wednesday, October 4, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

North Korean Attackers Use Malicious Browser Extension to Steal Email

Researcher by Researcher
July 31, 2022
in Cybersecurity
0
CISA: North Korea-Backed Actors Using Maui Ransomware
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


A notorious attack group based in North Korea has been deploying a malicious browser extension for Chrome and Edge that is capable of stealing email content from open Gmail sessions and replacing the victim’s browser preference files.

The extension has been in use for nearly a year and the group that is deploying it, known mainly as Kimsuky, is using it as a post-exploitation tool to maintain persistence on the victim’s machine. Researchers at Volexity identified the extension, which they’re calling SHARPEXT, during some incident response engagements. Unlike may other malicious browser extensions, SHARPEXT does not exist to steal credentials, but is designed specifically to steal data from victims’ email inboxes. The attackers manually install the extension with a VBS script after initial compromise of the machine.

In order to install the extension, the attackers go to the trouble of replacing the Preferences and Secure Preferences files for the target Chromium-based browser, which is not an easy process.

“The Secure Preferences file contains a known-good state of the user’s profile information. Upon startup of Chromium-based browsers, if the Preferences files do not match the loaded configuration, the current configuration will be replaced by the contents of the Secure Preferences file. The Chromium engine has a built-in mechanism that requires the Secure Preferences file contains a valid “super_mac” value to prevent manual editing of this file,” Volexity researchers Paul Rascagneres and Thomas Lancaster said in an explanation of the attack.

To accomplish the task of replacing the Secure Preferences file, the attackers collect specific information from the browser and then generate a new file, which then runs on browser start-up. The attackers, who Volexity refers to as SharpTongue, then use a second script to hide some of the extension’s actions and any windows that might appear to warn victims about anomalous activity. The extension then runs a pair of listeners that look for specific types of activity in browser tabs.

“The first versions of the malicious extension encountered by Volexity only supported Gmail accounts. The latest version supports both Gmail and AOL mail accounts The purpose of the response parsing is to steal email and attachments from a user’s mailbox. The extension can generate web requests to download additional email from the web page,” the researchers said.
Kimsuky/SharpTongue is a well-known and highly active threat group aligned with North Korea that is mostly associated with cyberespionage attacks and IP theft operations. The group uses a number of custom tools and malware, including Babyshark. The SHARPEXT extension is under active development and Volexity’s researchers said its installation is customized for each individual victim.

“The use of malicious browser extensions by North Korean threat actors is not new; this tactic has typically been used to infect users as part of the delivery phase of an attack. However, this is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise,” the researchers said.

“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email “account activity” status page, were they to review it.”

SHARPEXT has been installed on Chrome, Edge, and the Whale browser, which is a South Korean application.



Source link

Related articles

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
Tags: AttackersbrowserEmailExtensionKoreanMaliciousNorthSteal
Share76Tweet47

Related Posts

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
0

Northern Ireland’s top police officer apologized Thursday for what he described as an “industrial scale” data breach in which the...

Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
0

Enterprise IT teams are struggling to cope with three major forces of change: the evolving regulatory environment, a globally dispersed...

Decipher Podcast: Katelyn Bowden and TC Johnson

Decipher Podcast: Katelyn Bowden and TC Johnson

August 12, 2023
0

Veilid main site: https://veilid.com/ Cult of the Dead Cow site: https://cultdeadcow.com/ Source link

In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack 

In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities

August 12, 2023
0

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under...

Used Correctly, Generative AI is a Boon for Cybersecurity

Used Correctly, Generative AI is a Boon for Cybersecurity

August 12, 2023
0

Adobe stock, by Busra At the Black Hat kickoff keynote on Wednesday, Jeff Moss (AKA Dark Tangent), the founder of...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
Microsoft to Block Macros by Default in Office Apps

Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Browse Safer and Faster Around the World with JellyVPN for just $34.99

Browse Safer and Faster Around the World with JellyVPN for just $34.99

October 3, 2023
Hackers Steal User’s Database From European Institute

Hackers Steal User’s Database From European Institute

October 3, 2023
Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

October 2, 2023
AWS Honeypot to Disrupt Threat Actors

AWS Honeypot to Disrupt Threat Actors

October 2, 2023

Recent Posts

Browse Safer and Faster Around the World with JellyVPN for just $34.99

Browse Safer and Faster Around the World with JellyVPN for just $34.99

October 3, 2023
Hackers Steal User’s Database From European Institute

Hackers Steal User’s Database From European Institute

October 3, 2023
Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

October 2, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cyber Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches platform Ransomware RoundUp security services Software Stories TFT Threat Top vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved