A group of hackers with links to North Korea is using a malicious Chromium-based Microsoft Edge extension to spy on user email accounts.
Attributed to a threat actor tracked as ‘SharpTongue’, the malicious extension is capable of stealing email content from Gmail and AOL, according to cybersecurity firm Volexity.
“This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises Kimsuky is a matter of debate among threat intelligence analysts,” the cybersecurity researchers Paul Rascagneres and Thomas Lancaster said.
“SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea,” the researchers added.
Kimsuky's use of rogue extensions in attacks is also not new. In 2018, the threat actor was seen utilizing a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.
But the latest espionage effort, the researchers observed, is different in that it employs the extension, named Sharpext, to plunder email data. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the researchers noted.
Within the last year, Volexity has responded to multiple incidents involving SharpTongue and, in most cases, has discovered a malicious Chrome or Microsoft Edge extension dubbed ‘SHARPEXT’.
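As an added defensive check (example code written for this article, not part of Volexity's report or any tooling it describes), the script below audits a Chromium profile's parsed Preferences JSON for extensions that were sideloaded rather than installed from the Web Store, or whose host permissions let them read Gmail or AOL webmail pages. The field names (`extensions.settings`, `from_webstore`, `location`, `manifest`) and the location codes are assumed from Chromium's preferences format; the sample profile data is constructed.

```python
import json

# Chromium ManifestLocation codes (assumed from Chromium source):
# 1 = internal (normal install), 4 = loaded unpacked, 8 = command line.
UNPACKED, COMMAND_LINE = 4, 8

# Webmail hosts the article names as Sharpext targets (Gmail, AOL).
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def flag_suspicious_extensions(prefs: dict) -> list[dict]:
    """Return extensions that were sideloaded or that can read webmail pages.

    `prefs` is the parsed JSON of a Chromium profile's Preferences /
    Secure Preferences file (field names assumed from Chromium's format).
    """
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") in (UNPACKED, COMMAND_LINE):
            reasons.append("loaded unpacked / via command line")
        # MV2 keeps host patterns in "permissions"; MV3 in "host_permissions".
        hosts = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        if "<all_urls>" in hosts or any(h in p for p in hosts for h in WEBMAIL_HOSTS):
            reasons.append("can read webmail pages")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": entry.get("path", "?"), "reasons": reasons})
    return findings


# Constructed sample profile (not real data): one store extension, one sideloaded.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "path": "aaaa\\1.0_0",
        "manifest": {"name": "Store Extension", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Update Helper",
                     "permissions": ["tabs", "*://mail.google.com/*", "*://mail.aol.com/*"]}},
}}}

if __name__ == "__main__":
    for finding in flag_suspicious_extensions(SAMPLE_PREFS):
        print(json.dumps(finding, indent=2))
```

On a real endpoint, point the function at `json.load()` of the profile's `Preferences` and `Secure Preferences` files and review every flagged entry's `path` on disk.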
As per a recent Check Point report, the second quarter of 2022 saw cyber-attacks hit an all-time high, increasing by 32% when compared to Q2 2021. Ransomware attacks now impact one in 40 organisations every week, found Check Point researchers.
A separate Palo Alto Networks report released last month noted that phishing and software vulnerabilities cause nearly 70% of cyber incidents, with incidents rising dramatically since Q2 2021 due to a combination of higher geopolitical tensions, an increase in remote working, and a willingness of organisations to pay the cost of the ransom, among other factors.