North Korean-linked Gmail spyware 'SHARPEXT' harvesting sensitive email content

A digital render of a red envelope hovering above a blocky grey surface

A malicious browser extension linked to North Korea has been operating undetected to steal data from Gmail and AOL sessions.

The extension, dubbed ‘SHARPEXT’ by researchers, monitors webpages to automatically parse any and all emails and attachments from victims' mailboxes.

It poses a particularly serious threat to machines used by organisations for business operations, as all sensitive information sent via email has the potential to be stolen. Targets have so far been identified within the US, EU and South Korea.

Cyber security firm Volexity revealed the spyware's existence in a blog post, and linked it to a threat actor tracked by Volexity operating under the name SharpTongue, but known publicly as Kimsuky. This entity is believed to be North Korean in origin, and the researchers have linked SharpTongue to attacks on targets linked to national security.

ArsTechnica reports Volexity president Steven Adair as stating that SHARPEXT is installed through “spear phishing and social engineering where the victim is fooled into opening a malicious document”. Phishing is a common vector used to deliver malicious programmes, such as LockBit 2.0 which has been distributed by email disguised as PDFs.

To lay the groundwork for the extension, the threat actor manually exfiltrates files such as the user’s preferences and secure preferences. These are changed to include exceptions for the malicious extension and then downloaded back onto the infected machine through the malware’s command and control (C2) infrastructure.

Once the original files have been switched for these copies, SHARPEXT is loaded directly from the victim’s appdata folder. Once active, the extension executes code directly from the C2 server, which has the benefit of preventing antivirus software from discovering malicious code within the extension itself.

Additionally, running code in this way allows the threat actor to regularly update the code without having to reinstall newer versions of the extension onto infected systems. Indeed, the extension is currently in its third iteration, with previous versions more limited in their browser and mail client compatibility.

At present, SHARPEXT supports Google Chrome and Microsoft Edge, as well as a browser called Whale that's reasonably popular in South Korea but not in other countries.

The extension only activates when a Chromium browser is running, and utilises listeners to monitor activity to ensure that only email data is stolen. Global variables track the emails, email addresses and attachments that have already been exfiltrated, so as to prevent unnecessary duplication of data.

In addition to its exfiltration functions, the extension deploys a Powershell script that constantly checks for compatible browser processes, and if found runs a keystroke script that opens the DevTools panel.

Simultaneously, another script works to hide the DevTools window, and anything that could make the victim suspicious, such as Edge’s warning that an extension is running in developer mode.

Volexity has advised security teams within organisations to review extensions regularly, especially those installed on machines connected to highly-sensitive information.

IT Pro has approached Volexity for comment

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.