A North Korean threat actor has been deploying a malicious extension on Chromium-based web browsers that is capable of stealing email content from Gmail and AOL. The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it.
Researchers attributed the malware to SharpTongue, a threat actor said to overlap with the adversarial collective publicly referred to as Kimsuky. Previously, Kimsuky was seen using a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.
The latest espionage effort employs the extension, named Sharpext, to steal email data. Targeted browsers include Google Chrome, Microsoft Edge, and Naver’s Whale browsers, with the mail-theft malware designed to harvest information from Gmail and AOL sessions.
While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, evidence gathered pertaining to the attack infrastructure suggests the involvement of the Russia-aligned APT28 (aka Fancy Bear or Sofacy) actor.