
Kimsuky Malware Steals Email Accounts

Hackers Target Chrome and Edge Browsers

The Microsoft Edge and Google Chrome browsers are the latest targets of Kim Jong-Un's hacking network. The Kimsuky threat actors, funded by the North Korean regime, have been deploying a maliciously coded browser extension against these two prominent browsers.

Created to steal web users' emails, the newest campaign targets Chrome and Edge users; once the extension is installed, the hackers can easily read the contents of the compromised email accounts.

Researchers at the Volexity firm identified the harmful extension and dubbed the hackers' malware SHARPEXT. According to the researchers, they discovered the new campaign in September 2021. Their documented analysis shows that the criminal hackers have mainly targeted Edge, Chrome, and Whale, all of which are Chromium-based web browsers.

Targeting the Chrome, Edge, and Whale web browsers allows the hackers to hijack and steal mail from individuals with AOL and Gmail accounts. The current hack shows that the hackers replaced the browser's "Preferences" and "Secure Preferences" files to load the extension. Next, a downloaded VBS script is used to install the malware and give the attackers command-and-control over the target's system.
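Defenders can look for this sideloading technique by inspecting the browser profile's Secure Preferences file. The following is an added example, not code from the article or from Volexity: it parses a constructed Secure Preferences fragment and flags enabled extensions that were not installed from the Web Store, are loaded unpacked from an absolute path, or request broad permissions. The numeric codes are Chromium's ManifestLocation::kUnpacked (4) and Extension::ENABLED (1); the extension ids, names and paths are made up.

```python
import json
import re
from typing import Dict, List

# Constructed sample modelled on the layout of Chromium's "Secure Preferences"
# file (extensions.settings keyed by a 32-character extension id). Every id,
# path and name below is invented for this example.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1, "state": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2_0",
            "manifest": {"name": "Legit Extension", "permissions": ["storage"]},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\helper",
            "manifest": {"name": "Browser Helper",
                         "permissions": ["webRequest", "tabs", "<all_urls>"]},
        },
    }}
})

LOCATION_UNPACKED = 4   # Chromium ManifestLocation::kUnpacked (sideloaded/dev-mode)
STATE_ENABLED = 1       # Chromium Extension::ENABLED
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "webRequest",
                     "webRequestBlocking", "tabs", "cookies"}
# Web Store installs live under the profile with a relative path; a drive
# letter or leading slash means the extension was loaded from elsewhere.
ABSOLUTE_PATH = re.compile(r"^([A-Za-z]:\\|/)")

def suspicious_extensions(prefs_json: str) -> List[Dict]:
    """Return enabled extensions that show at least one sideloading indicator."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not_from_webstore")
        if ext.get("location") == LOCATION_UNPACKED:
            reasons.append("unpacked_location")
        if ABSOLUTE_PATH.match(ext.get("path", "")):
            reasons.append("absolute_path_outside_profile")
        sideload_hits = len(reasons)
        manifest = ext.get("manifest", {})
        broad = sorted(BROAD_PERMISSIONS & set(manifest.get("permissions", [])))
        if broad:  # recorded for triage context, not a sideload indicator itself
            reasons.append("broad_permissions:" + ",".join(broad))
        if ext.get("state") == STATE_ENABLED and sideload_hits:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_SECURE_PREFERENCES):
        print(f"{f['id']} ({f['name']}): {'; '.join(f['reasons'])}")
```

To run it against a real profile, read the Secure Preferences file (Preferences on Linux builds) into a string and pass it to `suspicious_extensions`.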

According to Volexity, the malware, which has recently been upgraded to version 3.0, actively inspects the webmail data exfiltrated from victims' email accounts. Volexity further disclosed that the hackers' recent efforts employ the SHARPEXT extension to attack entities in the USA, South Korea, and Europe that have strategic relevance to foreign policy and nuclear power.

[Figure: SHARPEXT workflow (Volexity)]

Kimsuky Stealth Attacks

Because the extension steals emails from inside the browser, the theft is extremely hard to detect. The victim's email provider cannot detect the hack, as the Kimsuky malware only uses the victim's already logged-in session. Additionally, suspicious-activity alerts for the breached account are suppressed, ensuring that victims do not see the warnings sent to their inboxes.

SHARPEXT's commands are updated regularly and supply the North Korean hackers with a host of private data, including lists of previously collected email addresses so that duplicates can be weeded out. The extension can also compile a new email list and block unwanted email senders.

The Kimsuky hackers first surfaced between May and December 2018, when they were tracked by the Netscout ASERT Team. In that earlier campaign, the threat actors were seen pushing a malicious Chrome extension at numerous academic institutions, especially US universities.

In response to the Kimsuky threat, CISA has warned about the group's tactics, techniques, and procedures (TTPs), which specifically include using malicious browser extensions to steal login information from prominent web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
