Web accounts

North Korean hackers use malicious extensions on Chromium-based web browsers to spy on user accounts

Cybersecurity firm Volexity has spotted new threat actor (TA) activity, allegedly associated with North Korea, that deploys malicious extensions on Chromium-based web browsers.

The threat actor has been dubbed SharpTongue by security researchers, although it is publicly referred to as Kimsuky.

Researchers frequently observed the TA targeting people working for organizations in the United States, Europe, and South Korea.

The TA would victimize individuals and companies working on topics such as weapons systems, North Korea, nuclear issues, and other issues of strategic interest to North Korea.

The new advisory also states that in September 2021, Volexity began observing an undocumented malware family, dubbed “SHARPEXT”, used by SharpTongue.

The advisory explains that “SHARPEXT differs from previously documented extensions used by the ‘Kimsuky’ actor, in that it does not attempt to steal usernames and passwords.”

“Instead, the malware directly inspects and exfiltrates data from a victim’s webmail account when browsing it.”

Volexity explains that the extension has evolved since its discovery and is currently at version 3.0, based on its internal versioning system.
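
A defender-side check for the behaviour described above, as an added example that is not from Volexity's advisory or from this article: it lists installed Chromium extensions whose manifest grants access to pages on given webmail hosts. The host names in `WEBMAIL_HOSTS` and the directory passed to `audit_extensions` are assumptions to replace with your own.

```python
import json
from pathlib import Path

# Assumption: placeholder webmail hosts; replace with the services your users rely on.
WEBMAIL_HOSTS = ["mail.example.com", "webmail.example.org"]


def pattern_hosts(pattern):
    """Return the host part of a Chromium match pattern, or None if it is not one."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None  # API permission such as "tabs" or "storage"
    return pattern.split("://", 1)[1].split("/", 1)[0]


def host_matches(pattern_host, host):
    """Apply match-pattern host rules: '*', '*.base' (base and subdomains), or exact."""
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        base = pattern_host[2:]
        return host == base or host.endswith("." + base)
    return pattern_host == host


def webmail_access(manifest, hosts=WEBMAIL_HOSTS):
    """List (source, pattern, host) triples where the manifest grants page access."""
    sources = [("permissions", manifest.get("permissions", [])),
               ("host_permissions", manifest.get("host_permissions", []))]
    for cs in manifest.get("content_scripts", []):
        sources.append(("content_scripts", cs.get("matches", [])))
    hits = []
    for name, patterns in sources:
        for p in patterns:
            ph = pattern_hosts(p) if isinstance(p, str) else None
            hits += [(name, p, h) for h in hosts if ph and host_matches(ph, h)]
    return hits


def audit_extensions(ext_dir, hosts=WEBMAIL_HOSTS):
    """Walk <ext_dir>/<extension id>/<version>/manifest.json and report hits per id."""
    report = {}
    for mf in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skipped here, review it by hand
        hits = webmail_access(manifest, hosts)
        if hits:
            report[mf.parent.parent.name] = hits
    return report
```

A hit only means the extension is able to read those pages, so each one still needs review against what the extension is supposed to do. Extensions loaded unpacked from another folder do not sit under the profile's `Extensions` directory and need their manifest checked separately.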