Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Friday August 05, @02:42PM   Printer-friendly

North Korea-backed hackers have a clever way to read your Gmail:

Researchers have unearthed never-before-seen malware that hackers from North Korea have been using to surreptitiously read and download email and attachments from infected users' Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension can't be detected by the email services, and since the browser has already been authenticated using any multifactor authentication protections in place, this increasingly popular security measure plays no role in reining in the account compromise.

The malware has been in use for "well over a year," Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by North Korea's government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.

Volexity President Steven Adair said in an email that the extension gets installed "by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft." In its current incarnation, the malware works only on Windows, but Adair said there's no reason it couldn't be broadened to infect browsers running on macOS or Linux, too.

The blog post added: "Volexity's own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware's deployment."

Installing a browser extension during a phishing operation without the end-user noticing isn't easy. SHARPEXT developers have clearly paid attention to research like what's published here, here, and here, which shows how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Each time a legitimate change is made, the browser takes a cryptographic hash of some of the code. At startup, the browser verifies the hashes, and if any of them don't match, the browser requests the old settings be restored.

[...] "When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature," the company said. "The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals, finding value in continuing to refine it."


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by Thexalon on Friday August 05, @04:28PM

    by Thexalon (636) on Friday August 05, @04:28PM (#1265129)

    Everyone knows that Dear Leader is always completely right, the science and technology of the glorious people's republic is far better than that of the imperialist threat, and one day Juche will be victorious over the rebellious southerners so long as all citizens maintain their complete loyalty to Dear Leader and the cause. *

    * unless, of course, the North Korean government doesn't make the amateur mistake of believing their own BS.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by Snotnose on Friday August 05, @08:08PM (1 child)

    by Snotnose (1623) on Friday August 05, @08:08PM (#1265172)

    Or somesuch, it's been years since I set it up.

    I don't use the gmail web interface. Instead Thunderbird downloads my email to my PC and does it's thing. Started with POP3 many many years ago, with this last laptop went for IMAP. Don't really remember why but I think if I delete something via IMAP it also gets deleted on the google server. I delete probably 90% of incoming email, mostly via filters but some manual "dafuq is this shit?".

    Don't quote me on that, but it's close. Dafuq, quote me. 90% of my email gets deleted via filters, 90% of the remaining gets filtered to mailboxes I never look at unless I have a problem.

    While we're on the subject of Thunderbird. Several years back I was rearranging my mailboxes and one, let's call it foo, got itself as a sub-mailbox under inbox. And I can't move it out.

    So please please please Thunderbird folks. Can you quit adding features I don't want, changing the UI in ways I don't want, and make it easier to rearrange the order my mailboxes show up? Especially, when I get confused due to your shitty interface and move something I use more often than most to Inbox, can you let me move it out?

    --
    The dishes in the sink are giving me dirty looks again.
    • (Score: 2) by PiMuNu on Saturday August 06, @06:13AM

      by PiMuNu (3823) Subscriber Badge on Saturday August 06, @06:13AM (#1265234)

      Also get rid of the single key press short cuts. Howl in rage when I go to type having not selected the correct window and do *something* to half of my inbox.

      Besides, real men (TM) use pine.

  • (Score: 2) by legont on Saturday August 06, @03:59AM

    by legont (4179) on Saturday August 06, @03:59AM (#1265220)

    Are we saying that hackers of Kim are smarter than hackers of three letter agencies? That would be a disappointment.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 2) by kreuzfeld on Saturday August 06, @06:49PM

    by kreuzfeld (8580) on Saturday August 06, @06:49PM (#1265329)

    Sounds like one more reason for me to keep using Firefox & related browsers, rather than switch to ₵hrome or €dge.

(1)