Wednesday, August 31, 2022

Hackers Using SHARPEXT Browser Malware To Spy On Gmail And AOL Users

 

 

Gmail users should watch out for a newly discovered email-reading malware named SHARPEXT, identified by cybersecurity firm Volexity. The malware spies on AOL and Google account holders and can read and download their private emails and attachments.

Campaign Details

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including the Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe. Its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency, the Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that in June 2021, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. In March 2015, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT, the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

How the Attack Occurs

The victims are lured into opening a document that contains the malware. The malware is distributed through social engineering and spear phishing scams.

According to Volexity’s blog post, once installed on the device, SHARPEXT malware inserts itself into the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. It also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

SHARPEXT malware-laced extensions are hard to spot because they contain nothing that would trigger an antivirus scanner response, and the actual threat runs from another server.
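Because the extension is registered through the Preferences and Secure Preferences files rather than the extension store, those files are a useful place to look for it. The following is an added example, not code from Volexity or from the original post: a small Python audit that lists extensions a preferences file registers from outside the store. The JSON keys (`extensions.settings`, `location`, `from_webstore`, `path`) and the location codes are assumptions based on Chromium's preference layout, and the sample data is constructed.

```python
import json

# Chromium ManifestLocation codes (assumption: values as defined in Chromium source).
LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
             5: "component", 8: "command_line", 9: "external_policy",
             10: "external_component"}
MANAGED = {"component", "external_policy", "external_component"}

def audit_extensions(prefs_text):
    """List extensions registered in a Preferences / Secure Preferences file
    that were not installed from the browser's extension store."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        location = LOCATIONS.get(entry.get("location"), "unknown")
        if location in MANAGED:
            continue  # shipped with the browser or pushed by enterprise policy
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from web store")
        if location in ("unpacked", "command_line", "unknown"):
            reasons.append("install location: " + location)
        path = str(entry.get("path", ""))
        # Assumption: store installs record a path relative to the profile's
        # Extensions directory; an absolute path means the code lives elsewhere.
        if path.startswith(("/", "\\")) or ":" in path[:3]:
            reasons.append("absolute path outside profile")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "path": path, "reasons": reasons})
    return findings

# Constructed sample, not taken from a real infection.
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True, "path": "a" * 32 + "\\1.0_0",
               "manifest": {"name": "Store extension"}},
    "b" * 32: {"location": 4, "from_webstore": False,
               "path": "C:\\Users\\example\\AppData\\Local\\Temp\\sample_ext",
               "manifest": {"name": "Sideloaded sample"}},
}}})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE):
        print(f["id"], f["name"], f["path"], "; ".join(f["reasons"]))
```

Run it against copies of both files from each browser profile. A hit is a lead to review, since developers legitimately load unpacked extensions.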

 

 

 
