
Security researchers have disclosed previously unseen malware that capable North Korean hackers use to covertly read and steal emails and attachments from AOL and Gmail users' accounts.

The malware, dubbed SHARPEXT by researchers at security firm Volexity, uses clever methods to install a malicious browser extension into Chrome and Edge. Because the extension runs inside a browser session the victim has already authenticated, including any multifactor authentication step, the email service sees only ordinary traffic from a logged-in user and cannot detect the extension's activity.

According to Volexity, the hackers have been using this malware for more than a year. It is the work of a hacking team tracked under the name SharpTongue, a unit sponsored by the North Korean government that collaborates with another group, Kimsuky. SHARPEXT targets security firms in South Korea, the US, and Europe working on nuclear weapons and other prominent issues.

“By way of spear phishing and social engineering where the victim is fooled into opening a malicious document”, said Volexity president Steven Adair. “Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft.”

How hackers use the malware

The current version of the malware runs only on Windows. However, Adair said there is no obvious reason it could not be extended to target browsers running on Linux and macOS.

To get past the browser's protections, the hackers must first extract the following from the victim's device:

  • The user's S-ID value
  • A copy of the browser's resource.pak file
  • The user's existing Preferences and Secure Preferences files

Once the preference files have been modified, the browser loads the SHARPEXT extension automatically, and a PowerShell script is then run to tailor the extension's settings and code.
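The procedure above leaves a trace a defender can look for: an extension entry in the browser's preference files that was never installed from the vendor store. The script below is an added example, not Volexity's or the article's code. It audits a Chromium-family Secure Preferences file for extension entries that are not marked as coming from the web store, sit at an absolute on-disk path, or use a side-loaded install location, and it reports which sensitive permissions such an extension holds. The assumed file layout (`extensions.settings.<id>` with `from_webstore`, `location`, `path` and `manifest` keys; HMACs under `protection.macs`) and the `Manifest::Location` values 4 (unpacked) and 8 (command line) are stated as assumptions in the code; the sample preference file is constructed, and the default profile paths are assumed. Chromium keys the integrity HMACs over Secure Preferences with a seed stored in resource.pak, which is why that file appears in the list above: an attacker holding it can recompute valid MACs, so the audit flags entries on other grounds rather than trusting a present MAC.

```python
"""Audit Chromium-family 'Secure Preferences' files for side-loaded extensions.
Added example (not Volexity's code). Assumed layout: extensions.settings.<id>
entries with from_webstore / location / path / manifest, MACs under
protection.macs. Assumed Manifest::Location values: 4 = unpacked, 8 = command line."""
import json
import os
import re
from typing import Dict, List

SIDE_LOADED_LOCATIONS = {4, 8}  # assumption: kUnpacked, kCommandLine

# Permissions that let an extension read tab titles and page content in a mail
# tab; harmless on many store extensions, worth a look on a side-loaded one.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking",
                         "<all_urls>", "http://*/*", "https://*/*", "*://*/*"}

_ABS_PATH = re.compile(r"^([A-Za-z]:[\\/]|[\\/])")

# Constructed sample modelled on a Secure Preferences file: one store install
# (relative path) and one side-loaded extension (absolute path). Both carry a
# MAC, because an attacker with resource.pak can recompute valid MACs.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {"name": "Store Extension", "version": "1.2.3",
                         "permissions": ["storage"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Helper", "version": "3.0",
                         "permissions": ["tabs", "<all_urls>", "webRequest"]}}}},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "PLACEHOLDER_MAC_1",
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "PLACEHOLDER_MAC_2"}}}},
})


def _looks_absolute(path: str) -> bool:
    """True for Windows drive paths and POSIX paths, whatever host we run on."""
    return bool(_ABS_PATH.match(path))


def audit_extensions(secure_prefs_json: str) -> List[Dict]:
    """Return one finding per extension entry that looks side-loaded."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = (prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("from_webstore") is not True:
            reasons.append("not marked from_webstore")
        if entry.get("location") in SIDE_LOADED_LOCATIONS:
            reasons.append("unpacked/command-line install location")
        if _looks_absolute(entry.get("path", "")):
            reasons.append("absolute on-disk path (store installs use a relative path)")
        if ext_id not in macs:
            reasons.append("no integrity MAC recorded for this entry")
        if not reasons:
            continue
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "path": entry.get("path", ""), "reasons": reasons,
                         "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS)})
    return findings


def candidate_pref_files() -> List[str]:
    """Assumed default-profile locations of 'Secure Preferences' for Chrome and
    Edge on Windows, Linux and macOS (other profiles sit beside 'Default')."""
    home = os.path.expanduser("~")
    local = os.environ.get("LOCALAPPDATA", os.path.join(home, "AppData", "Local"))
    roots = [os.path.join(local, "Google", "Chrome", "User Data"),
             os.path.join(local, "Microsoft", "Edge", "User Data"),
             os.path.join(home, ".config", "google-chrome"),
             os.path.join(home, ".config", "microsoft-edge"),
             os.path.join(home, "Library", "Application Support", "Google", "Chrome"),
             os.path.join(home, "Library", "Application Support", "Microsoft Edge")]
    return [os.path.join(r, "Default", "Secure Preferences") for r in roots]


if __name__ == "__main__":
    sources = [("constructed sample", SAMPLE_SECURE_PREFS)]
    for p in candidate_pref_files():
        if os.path.isfile(p):
            with open(p, encoding="utf-8") as fh:
                sources.append((p, fh.read()))
    for label, data in sources:
        for f in audit_extensions(data):
            print(f"[{label}] {f['id']} '{f['name']}' at {f['path']}")
            print("   reasons:", "; ".join(f["reasons"]))
            print("   sensitive permissions:", f["sensitive_permissions"] or "none")
```

Run it on a workstation where the browser is closed; a hit means only that an extension was not installed through the store, which is also what a developer loading their own extension produces, so confirm the path and manifest before treating it as an incident. Edge uses the same preference layout as Chrome, so the same audit applies to both browsers the article names.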

“The script runs in an infinite loop checking for processes associated with the targeted browsers”, Volexity described. “If any targeted browsers are found running, the script checks the title of the tab for a specific keyword. For example, ‘05101190’ or ‘Tab+’, depending on the SHARPEXT version. The specific keyword is inserted into the title by the malicious extension when an active tab changes or when a page is loaded.”