Cyberspies use Google Chrome extension to steal emails undetected
A North Korean-backed threat group tracked as Kimsuky is stealing emails from Google Chrome or Microsoft Edge users browsing their webmail accounts using a malicious browser extension.
The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers and can steal mail from Gmail and AOL accounts.
After compromising a target's system, the attackers install the malicious extension using a custom VBS script that replaces the 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.
Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension.
By taking advantage of the target's already-logged-in session to steal emails, the attack remains undetected by the victim's email provider, thus making detection very challenging if not impossible.
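Because the theft is invisible to the email provider, the host is where a defender can look: the extension arrives through replaced preferences files rather than a store install, so the extension records in those files can be audited. The following is an added example, not code from the article or from Volexity; the key names (`extensions.settings`, `location`, `from_webstore`, `path`) and location values are assumptions about the Chromium profile layout, and the sample data is constructed.

```python
import json
import ntpath
import posixpath

# Assumptions (not from the article): Chromium records each extension under
# extensions.settings.<id> in "Secure Preferences"/"Preferences", with
# "location", "from_webstore" and "path" fields; location 4 = unpacked,
# 5 and 10 = browser components; store installs use a relative "path".
UNPACKED = 4
COMPONENT = {5, 10}


def audit_extensions(prefs_text):
    """Return [(extension_id, [reasons])] for entries that merit review."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, rec in sorted(settings.items()):
        if not isinstance(rec, dict) or rec.get("location") in COMPONENT:
            continue
        reasons = []
        if rec.get("location") == UNPACKED:
            reasons.append("loaded unpacked from disk")
        if not rec.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        path = rec.get("path", "")
        if ntpath.isabs(path) or posixpath.isabs(path):
            reasons.append("absolute install path: " + path)
        if reasons:
            findings.append((ext_id, reasons))
    return findings


# Constructed sample data; the IDs and paths are placeholders.
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "path": "a" * 32 + "\\1.2.3_0"},
    "b" * 32: {"location": 4, "from_webstore": False,
               "path": "C:\\Users\\example\\AppData\\Roaming\\ext"},
    "c" * 32: {"location": 5, "from_webstore": False,
               "path": "C:\\Program Files\\Browser\\resources\\pdf"},
}}})

if __name__ == "__main__":
    for ext_id, reasons in audit_extensions(SAMPLE):
        print(ext_id, "; ".join(reasons))
```

A finding is a prompt for review, not proof of compromise: developers and some enterprise deployments legitimately load unpacked extensions.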
As Netscout's ASERT Team said in December 2018, a spear-phishing campaign orchestrated by Kimsuky had been pushing a malicious Chrome extension since at least May 2018 in attacks targeting a large number of academic entities across multiple universities.