Gmail users on Google Chrome or Microsoft Edge should be aware of new email-reading malware recently identified by Volexity (opens in new tab), which it’s named SHARPEXT.
SHARPEXT is thought to come from a hacking group named SharpTongue (or Kimsuky as it’s called by other security firms), which is backed by North Korea. It’s been active for over a year and has stolen thousands of messages and files from Gmail and AOL email accounts. Currently, SHARPEXT has only been observed in use on Windows devices, though Volexity says it’s possible the malware could work on macOS and Linux systems too.
How SHARPEXT infects victim’s systems
Victims are convinced to open a document containing the malware through spear phishing and social engineering scams. The malware has been seen operating in browser extensions for Chrome, Edge and the Korean browser Naver Whale, which are all based on Google’s Chromium platform. It also seems to be aimed at U.S., European and South Korean users, specifically those who work in areas deemed a threat to North Korea, such as nuclear weaponry.
Once installed, the malware then inserts itself through the Preferences and Secure Preferences files within the browser, and then enables its email-reading/downloading abilities, while also hiding any warning windows that could pop up and alert the user that an unverified extension is running on their device.
The extensions that carry SHARPEXT are hard to spot since there’s nothing in them that would trigger a response from an antivirus scanner, with the dangerous parts running from a separate server. It’s also hard to notice a data theft in progress through SHARPEXT since you’ll have already entered your credentials to access your email, allowing the extension to check and copy data as you view it.
Protecting yourself from this email-reading malware
If you’re worried you or someone you know is at risk from this malware, Volexity has put together a list of indicators of compromise (IOCs) on Github that can be used to identify if a machine’s been infected. Otherwise, you can double-check which browser extensions you’re using, particularly if any can’t be found on the Chrome Web Store or have been installed in unusual ways, and remove any that look suspicious. You should also ensure you’ve got one of the best antivirus software programs installed to add some extra protection to your devices.