Where Data is Home

Stealthy Browser Extension Enables North Korean Hackers To Steal Chrome Emails


A stealthy browser extension used by North Korean hackers to pilfer email from Chrome users has raised concerns about how little webmail providers can see of an attack that runs inside the victim's own browser. The campaign, which targets Gmail and AOL accounts, begins with a custom VBS script that compromises the victim's Windows system. The attackers then replace the browser's Preferences and Secure Preferences files with versions that register the malicious extension, so the extension is loaded without the user installing it. Victims have been observed in the United States, Europe, and South Korea. Because the extension reads mail through a session the victim has already logged into, the email provider sees only ordinary activity: no suspicious-activity alert is raised and nothing unusual appears on the webmail account status page. The extension, tracked as SHARPEXT, keeps a list of emails it has already collected, the domains the victim has communicated with, a blacklist of senders whose messages it skips, and the domains the victim has viewed. Recommended countermeasures are to enable PowerShell ScriptBlock logging and review what it records, audit every extension installed on high-risk user machines, run the published YARA rules to detect related activity, and block the published Indicators of Compromise (IOCs).

Key Takeaways

  • North Korean hackers are running a stealthy campaign that plants a malicious browser extension in Chrome to steal email, with Gmail and AOL accounts as the targets.
  • The extension operates inside a session the victim has already logged into, so the email provider has no signal that anything is wrong: no suspicious-activity alerts are triggered and the malicious activity does not appear on the webmail account status page.
  • The extension, SHARPEXT, tracks the emails it has already collected from the victim, the domains the victim has communicated with, a blacklist of email senders it skips, and the domains the victim has viewed.
  • Mitigations are to enable PowerShell ScriptBlock logging and review its output, audit all extensions installed on high-risk user machines, use the published YARA rules to detect related activity, and block the published Indicators of Compromise (IOCs).

Campaign Tactics

The campaign follows a fixed sequence. A custom VBS script first compromises the target's Windows system. The attackers then replace the browser's Preferences and Secure Preferences files with versions that register the malicious extension, so Chrome loads it on the next start without any user action or Web Store involvement. Once loaded, the extension reads Gmail and AOL mail directly from the victim's already-logged-in session. From the provider's side this is indistinguishable from the user reading their own mail: no suspicious-activity alert fires and nothing appears on the webmail account status page, which is what makes the theft so hard to detect. SHARPEXT maintains a list of the emails it has already collected, the domains the victim has communicated with, a blacklist of email senders it skips, and the domains the victim has viewed. Defenders are advised to enable PowerShell ScriptBlock logging and analyze the results, review every extension installed on high-risk user machines, and use YARA rules to detect related activity.

Data Collected

The malicious browser extension keeps four kinds of data: the emails it has already obtained from the victim, the domains the victim has communicated with, a blacklist of email senders whose messages it skips, and a list of domains the victim has viewed. Together these give the North Korean hackers both the stolen mail itself and a picture of the target. Reading the victim's mail exposes their communications and any sensitive information they contain. The list of viewed domains hints at the victim's interests and activities, and the list of contacted domains maps their correspondents. The record of already-collected emails and the sender blacklist let the extension avoid re-stealing the same messages and skip senders the attackers are not interested in, which keeps its traffic low and its activity quiet. This combination lets the attackers build on what they have learned and further exploit the compromised individuals or organizations.

Mitigations and Recommendations

Several mitigations reduce the risk from this campaign. Because the extension is planted through a script rather than installed from the Web Store, the host is the place to look for it. Enabling PowerShell ScriptBlock logging records the content of every script block PowerShell executes, so the script that rewrites the Preferences and Secure Preferences files leaves a trace; analyzing those logs can surface the compromise and related activity. Reviewing all extensions installed on high-risk user machines, and confirming that each one is legitimate and came from an expected source, catches an extension that was added outside the normal install path. The published YARA rules can detect the related files and scripts, and blocking the published Indicators of Compromise (IOCs) prevents known infrastructure from being reached. Together these measures strengthen defenses against the stealthy browser extension used by North Korean hackers, and detecting and investigating any hit promptly limits the damage.
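The host-side checks above can be run as one triage script on a Windows endpoint. The script below is an added example for this article, not code from the original report or from the article's author: it enables PowerShell ScriptBlock logging through the same policy registry key Group Policy uses, searches existing Event ID 4104 script-block events for references to the browser preference files, and then lists every extension registered in the Preferences and Secure Preferences files of each Chrome profile on the machine. The search pattern, the inclusion of Edge and Naver Whale profile paths, and the heuristic that a Web Store extension is stored under a relative path while an extension loaded from elsewhere on disk has an absolute path are all assumptions made for this example and should be adjusted to your environment.

```powershell
# Added example: Windows endpoint triage for the two host-side checks the article
# recommends. Not part of the original report; paths, search terms and the
# "absolute path = suspicious" heuristic are assumptions for this example.
# Run in an elevated Windows PowerShell 5.1+ session.
#Requires -RunAsAdministrator

# --- 1. Enable ScriptBlock logging (same key the Group Policy setting writes) ---
$sbPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbPolicy)) { New-Item -Path $sbPolicy -Force | Out-Null }
Set-ItemProperty -Path $sbPolicy -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- 2. Hunt existing 4104 events for scripts that touch the preference files ---
# Assumed indicators: script text naming the preference files or writing files.
$pattern = 'Secure Preferences|\\Preferences["'']|WriteAllText|Set-Content'
$filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $msg = $_.Message -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.UserId
            Snippet = $msg.Substring(0, [Math]::Min(200, $msg.Length))
        }
    } | Format-Table -AutoSize

# --- 3. Enumerate extensions registered in every Chromium profile on the host ---
# Chrome stores extension metadata under "extensions.settings" in both files.
# Edge and Naver Whale are included on the assumption that they use the same layout.
$browserRoots = @(
    'AppData\Local\Google\Chrome\User Data',
    'AppData\Local\Microsoft\Edge\User Data',
    'AppData\Local\Naver\Naver Whale\User Data'
)
$findings = foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($root in $browserRoots) {
        $userData = Join-Path $userDir.FullName $root
        if (-not (Test-Path $userData)) { continue }
        # Profile directories are named "Default", "Profile 1", "Profile 2", ...
        $profiles = Get-ChildItem $userData -Directory |
            Where-Object { $_.Name -match '^(Default|Profile \d+)$' }
        foreach ($prof in $profiles) {
            foreach ($file in 'Preferences', 'Secure Preferences') {
                $path = Join-Path $prof.FullName $file
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $json     = Get-Content -Raw -LiteralPath $path | ConvertFrom-Json
                $settings = $json.extensions.settings
                if (-not $settings) { continue }
                foreach ($prop in $settings.PSObject.Properties) {
                    $ext     = $prop.Value
                    $extPath = [string]$ext.path
                    # Heuristic (assumption): Web Store installs are recorded as a
                    # relative "<id>\<version>" path under the profile's Extensions
                    # folder; an absolute path means it was loaded from elsewhere.
                    $suspicious = [IO.Path]::IsPathRooted($extPath) -or
                                  -not [bool]$ext.from_webstore
                    [pscustomobject]@{
                        User       = $userDir.Name
                        Browser    = ($root -split '\\')[2]
                        Profile    = $prof.Name
                        File       = $file
                        Id         = $prop.Name
                        Name       = $ext.manifest.name
                        Path       = $extPath
                        Enabled    = ($ext.state -eq 1)
                        Suspicious = $suspicious
                    }
                }
            }
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Step 1 only takes effect for PowerShell sessions started after the policy is set, so step 2 will find nothing on a host where logging was never enabled; the value of enabling it is for the next compromise, and on a fleet it should be pushed by Group Policy rather than set by hand. The extension listing is a review aid, not a verdict: a legitimately side-loaded enterprise extension will also show an absolute path, so each flagged entry should be checked against the organization's approved extension list and, where an entry is unexpected, the profile's Preferences and Secure Preferences files preserved for forensic review before the extension is removed.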

Frequently Asked Questions

How does the malicious browser extension used by North Korean hackers enable them to steal Chrome emails?

The extension does not exploit a vulnerability in Chrome. The attackers first compromise the victim's system with a custom VBS script and then replace Chrome's Preferences and Secure Preferences files so that the browser loads the malicious extension as if the user had installed it. Once loaded, the extension reads mail through the session the victim is already logged into. The result for targeted individuals and organizations is the compromise of sensitive information in their email and increased exposure to follow-on attacks that build on what was stolen.

Can the stealthy campaign involving the malicious extension be detected by email providers or trigger suspicious activity alerts?

Not from the provider's side. Because the extension reads mail through the victim's already-logged-in browser session, the provider sees only the victim's own browser fetching the victim's own mail: no suspicious-activity alert is triggered and nothing unusual appears on the webmail account status page. Detection has to happen on the compromised host, which is why the recommended mitigations focus on PowerShell logging and extension review.

What kind of information do North Korean hackers collect using the SHARPEXT tool?

North Korean hackers use SHARPEXT to steal the victim's email, and the tool keeps several kinds of data to do so: the emails it has already gathered from the victim, a list of domains the victim has communicated with, a blacklist of email senders it skips, and a list of domains the victim has viewed. The impact of the theft is significant both as a privacy breach and because the stolen mail can be exploited for further attacks.

What are some recommended mitigations against the North Korean hacker attack?

Recommended mitigations are to enable PowerShell ScriptBlock logging and analyze what it records, review all extensions installed on high-risk user machines, use the published YARA rules for detection, and block the published Indicators of Compromise (IOCs).

Besides following on social media channels, are there any other sources for cybersecurity updates and news?

Cybersecurity news sources are crucial for staying updated and informed about the latest threats and vulnerabilities. It is important to regularly access reliable sources such as industry-specific websites, security blogs, research papers, and reputable news outlets to stay abreast of emerging trends, new attack techniques, and effective countermeasures. Staying informed helps organizations and individuals strengthen their security posture and proactively defend against cyber threats.
