"N Korean APT Uses Browser Extension to Steal Emails From Foreign Policy, Nuclear Targets"

Threat intelligence and incident response company Volexity stated that over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims' webmail accounts. Kimsuky has been active since at least 2012 and is also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima. Kimsuky is known for targeting entities in South Korea, as well as some in Europe and the United States. For over a year, Volexity has seen the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale (a Chromium-based browser used in South Korea) to steal data directly from victims' email accounts. Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity stated. Volexity noted that the attacker was able to steal thousands of emails from multiple victims through the malware's deployment. The extension is deployed manually on previously compromised systems and requires the attacker to replace the browser's legitimate preferences files with modified ones.
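Because the deployment described above depends on tampering with the browser's preferences files, one defensive check is to audit the extension entries recorded in a Chromium-style `Preferences` JSON file for extensions that did not come from the web store, were loaded unpacked from an absolute path, or request broad host access. The following is an added example written for this page, not code from Volexity or SecurityWeek; the `extensions.settings` layout, the `from_webstore`/`location`/`path` keys and the value `4` for an unpacked extension are assumptions about the Chromium preferences format, and the sample file contents are constructed.

```python
import json

# Constructed sample of the relevant subtree of a Chromium "Preferences" file.
# Assumption: extension records live under extensions.settings.<extension id>
# and carry from_webstore, location, path and an embedded manifest.
SAMPLE_PREFERENCES = r'''{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Store Extension", "permissions": ["storage"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Helper", "permissions": ["tabs", "<all_urls>"]}
      }
    }
  }
}'''

UNPACKED_LOCATION = 4  # assumption: Chromium's ManifestLocation value for "load unpacked"
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_absolute_path(path):
    """True for Windows drive paths (C:\\...) and POSIX absolute paths (/...)."""
    return path.startswith("/") or (len(path) > 2 and path[1:3] == ":\\")


def find_suspicious_extensions(prefs_text):
    """Return a list of {id, name, reasons} for extension records that look
    out of place in a preferences file: not installed from the web store,
    loaded unpacked, pointing at an absolute path, or asking for broad host
    access. Records with no findings are omitted."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not_from_webstore")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("unpacked")
        path = entry.get("path", "")
        if _is_absolute_path(path):
            reasons.append("absolute_path")
        perms = set(entry.get("manifest", {}).get("permissions", []))
        if perms & BROAD_HOST_PATTERNS:
            reasons.append("broad_host_permissions")
        if reasons:
            name = entry.get("manifest", {}).get("name", "<unnamed>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_extensions(SAMPLE_PREFERENCES):
        print(f["id"], f["name"], ", ".join(f["reasons"]))
```

On a real host the same function would be pointed at the profile's `Preferences` (and, where present, `Secure Preferences`) file; any hit warrants comparing the listed path against what is actually on disk, since a tampered preferences file is the mechanism this report describes.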


SecurityWeek reports: "N Korean APT Uses Browser Extension to Steal Emails From Foreign Policy, Nuclear Targets"
