Cybersecurity firm Volexity has spotted new activity from a threat actor (TA) allegedly associated with North Korea that deploys malicious extensions on Chromium-based web browsers.
A new advisory from the security researchers dubbed this TA SharpTongue, although it is publicly referred to under the name Kimsuky.
Volexity said it frequently observed SharpTongue targeting people working for organizations in the US, Europe and South Korea.
Specifically, the TA reportedly targets individuals and organizations working on matters involving North Korea, nuclear issues, weapons systems, and other issues of strategic interest to North Korea.
The new advisory also explains that, while SharpTongue's toolset is well documented in public sources, in September 2021 Volexity began observing an undocumented malware family used by SharpTongue, dubbed "SHARPEXT".
"SHARPEXT differs from earlier documented extensions used by the "Kimsuky" actor, in that it does not try to steal usernames and passwords," explains the advisory.
"Rather, the malware directly inspects and exfiltrates data from a victim's webmail account as they browse it."
Since its discovery, Volexity states the extension has evolved and is currently at version 3.0, based on its internal versioning scheme.
In fact, the first versions of SHARPEXT investigated by Volexity only supported Google Chrome, while the latest version supports Chrome, Edge, and Whale (a Chromium-based browser almost exclusively used in South Korea).
As far as deployment methods are concerned, attackers first manually exfiltrate the files required to install the extension from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.
And though the use of malicious browser extensions by North Korean threat actors is not new, this is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise.
"By stealing email data in the context of a user's already-logged-in session, the attack is hidden from the email provider, making detection very challenging," the security researchers explained.
To detect and investigate attacks, Volexity recommended enabling and analyzing the results of PowerShell ScriptBlock logging and periodically reviewing installed extensions on the devices of high-risk users.
Possible mitigation approaches include the use of specific YARA rules to detect related activity and blocking the Indicators of Compromise (IoCs) listed below.
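An added example, not code from the original article or from Volexity's advisory, of the two checks recommended above: it inventories the extensions registered in each Chromium profile's Preferences and Secure Preferences files for Chrome, Edge and Whale, flags any loaded from an absolute (sideloaded) path rather than the profile's own Extensions folder, and reports whether PowerShell ScriptBlock logging is enabled by policy. The browser data paths (Whale's in particular) and the preference-file layout are assumptions based on standard Chromium installs.

```powershell
# Added example, not code from Volexity's advisory. Browser profile locations (the Whale
# path in particular) and the Chromium preference-file layout are assumptions.
$BrowserRoots = @{
    'Chrome' = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    'Edge'   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    'Whale'  = "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"   # assumed default path
}

function Get-ChromiumExtensionInventory {
    foreach ($browser in $BrowserRoots.Keys) {
        $root = $BrowserRoots[$browser]
        if (-not (Test-Path $root)) { continue }
        # Every profile folder (Default, Profile 1, ...) carries its own preference files.
        $profiles = Get-ChildItem -Path $root -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'Preferences') }
        foreach ($profile in $profiles) {
            foreach ($prefFile in 'Preferences', 'Secure Preferences') {
                $path = Join-Path $profile.FullName $prefFile
                if (-not (Test-Path $path)) { continue }
                $settings = (Get-Content -Path $path -Raw | ConvertFrom-Json).extensions.settings
                if ($null -eq $settings) { continue }
                foreach ($id in $settings.PSObject.Properties.Name) {
                    $ext = $settings.$id
                    # Web Store installs record a path relative to the profile's Extensions
                    # folder; an absolute path means an unpacked extension loaded from an
                    # arbitrary directory, which is what a manual sideload looks like.
                    [PSCustomObject]@{
                        Browser    = $browser
                        Profile    = $profile.Name
                        PrefFile   = $prefFile
                        Id         = $id
                        Name       = $ext.manifest.name
                        Path       = $ext.path
                        Sideloaded = [System.IO.Path]::IsPathRooted([string]$ext.path)
                    }
                }
            }
        }
    }
}

function Get-ScriptBlockLoggingState {
    # Policy key behind Event ID 4104 entries in Microsoft-Windows-PowerShell/Operational.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return [bool]($value -and $value.EnableScriptBlockLogging -eq 1)
}
Get-ChromiumExtensionInventory | Sort-Object Sideloaded -Descending | Format-Table -AutoSize
"PowerShell ScriptBlock logging enabled by policy: $(Get-ScriptBlockLoggingState)"
```

Run it in the context of each high-risk user, since the profile directories live under that user's LOCALAPPDATA; rows with Sideloaded set to True are the ones worth comparing against the advisory's YARA rules.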
Some parts of this article are sourced from:
www.infosecurity-journal.com