North Korean state-sponsored threat operation Kimsuky has been stealing emails from Google Chrome and Microsoft Edge users' Gmail and AOL accounts through the malicious SHARPEXT browser extension, BleepingComputer reports.
The email theft campaign, first identified by Volexity researchers last September, involves the attackers running a custom VBS script on the compromised system to replace the browser's preference files with versions that prompt the download of the SHARPEXT extension.
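Because SHARPEXT is loaded by tampering with the browser's preference files rather than installed from the Web Store, one practical check on a suspect host is to parse the profile's Preferences and Secure Preferences JSON and list every extension that did not come from the store. The following Python script is an added example, not code from Volexity, BleepingComputer or the Kimsuky tooling; the extension IDs, paths and manifest entries in SAMPLE_PREFS are constructed, the location codes follow Chromium's ManifestLocation enum, and the webmail host list and the absolute-path heuristic are assumptions made for this example.

```python
"""Triage Chrome/Edge extension settings for sideloaded extensions.

Run against a profile's "Preferences" and "Secure Preferences" files
(on Windows, e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\).
Usage: python triage_prefs.py [path-to-Preferences-file]
Without an argument it runs over the constructed SAMPLE_PREFS below.
"""
import json
import sys
from pathlib import PurePosixPath, PureWindowsPath

# Chromium ManifestLocation values (extensions/common/manifest.h).
LOCATION_NAMES = {
    1: "INTERNAL (Web Store / CRX install)",
    2: "EXTERNAL_PREF",
    3: "EXTERNAL_REGISTRY",
    4: "UNPACKED (loaded from a directory)",
    5: "COMPONENT",
    6: "EXTERNAL_PREF_DOWNLOAD",
    7: "EXTERNAL_POLICY_DOWNLOAD",
    8: "COMMAND_LINE",
    9: "EXTERNAL_POLICY",
    10: "EXTERNAL_COMPONENT",
}
# Install sources that neither the Web Store nor enterprise policy provided.
SIDELOAD_LOCATIONS = {2, 3, 4, 6, 8}
# Browser-bundled extensions: always present, never from the Web Store.
BUILTIN_LOCATIONS = {5, 10}
# Assumption for this example: webmail hosts worth flagging.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def is_absolute_path(path: str) -> bool:
    """Store installs live at a relative path under the profile's Extensions
    directory; an absolute path means the code was loaded from elsewhere."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def declared_hosts(manifest: dict) -> list:
    """Collect every host pattern the extension asks to run on or access."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    return hosts


def find_sideloaded_extensions(prefs_text: str) -> list:
    """Return a list of {id, name, reasons} for extensions that look sideloaded."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        loc = entry.get("location")
        if loc in BUILTIN_LOCATIONS:
            continue
        reasons = []
        if loc in SIDELOAD_LOCATIONS:
            reasons.append("location=" + LOCATION_NAMES.get(loc, str(loc)))
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore=false")
        path = entry.get("path", "")
        if is_absolute_path(path):
            reasons.append("loaded from outside the profile: " + path)
        manifest = entry.get("manifest", {})
        hosts = declared_hosts(manifest)
        if any(h == "<all_urls>" or any(w in h for w in WEBMAIL_HOSTS) for h in hosts):
            reasons.append("declares access to webmail hosts: " + ", ".join(hosts))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


# Constructed sample: one Web Store install, one unpacked extension pointed at
# webmail, one browser component. IDs and paths are made up for this example.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.2.0_0",
        "manifest": {"name": "Sample Store Extension", "permissions": ["storage"]},
    },
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\ext",
        "manifest": {"name": "Constructed Sideloaded Extension",
                     "permissions": ["tabs", "storage"],
                     "content_scripts": [{"matches": ["https://mail.google.com/*",
                                                      "https://mail.aol.com/*"],
                                          "js": ["content.js"]}]},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 5, "state": 1,
        "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
        "manifest": {"name": "Sample Browser Component"},
    },
}}})

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in find_sideloaded_extensions(text):
        print(f"{finding['id']}  {finding['name']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against both Preferences and Secure Preferences, since which file carries the extensions.settings block differs by platform and browser version. A hit is a lead, not a verdict: developer builds and enterprise tooling legitimately load unpacked extensions, so confirm by inspecting the directory the path points at and the extension's source.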
"The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it. Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system," said Volexity.
The report also detailed the breadth of SHARPEXT's capabilities, which include listing previously collected emails and email domains so that duplicates are not re-collected, gathering email sender blacklists, and uploading newly collected attachments, Gmail data and AOL data to a remote server. U.S.-, South Korea-, and Europe-based individuals involved in foreign policy and nuclear issues have been targets in previous Kimsuky campaigns.