SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

SHARPEXT is a clever post-exploitation browser extension used by SharpTongue (often associated with Kimsuky) to inspect and exfiltrate data from a victim’s webmail (Gmail and AOL) as users browse. The attackers deploy SHARPEXT by modifying browser preferences and loading a multi-component extension, enabled via PowerShell scripts and DevTools manipulation, to covertly steal emails while hiding activity from users and security tools. #SHARPEXT #SharpTongue #Kimsuky #NorthKorea #Gmail #AOL

Keypoints

  • SHARPEXT targets Chromium-based browsers (Chrome, Edge, Whale) and is deployed after compromising a target system.
  • SharpTongue (likely North Korean, often referred to as Kimsuky) is the threat actor behind SHARPEXT and targets individuals with North Korea–related topics.
  • Attackers deliver the extension components to the victim from the C2 server and install the malicious extension via a VBScript installer; all supported browsers load the extension from a single extension folder.
  • Two PowerShell scripts are used: pow.ps1 replaces the browser Preference files so that the extension is loaded; dev.ps1 enables DevTools and hides the DevTools window and any warning messages.
  • DevTools module (dev.html/dev.js) communicates with a C2-delivered component to filter and exfiltrate email data (Gmail and AOL) in real time.
  • The extension uses HTTP POST requests (mode=list, mode=domain, mode=attach, mode=newD, mode=new, mode=mid, mode=attlist, mode=new_aol) to exfiltrate email data and attachments; thousands of emails have been stolen in observed campaigns.
  • Defensive recommendations include PowerShell ScriptBlock logging, periodic review of installed extensions on high-risk machines, YARA rules, and blocking identified IOCs.
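As an added example (not code from the Volexity post or from SHARPEXT itself), the PowerShell audit below implements the last recommendation: it parses a Chromium Preferences or Secure Preferences file and reports extensions loaded from an unpacked folder rather than installed from the Web Store, which is how the extension ends up loaded once pow.ps1 has swapped the profile files. The user-data locations for Chrome, Edge and Whale, the Chromium location value 4 meaning an unpacked extension, and the sample JSON with its ids and names are assumptions or constructed for the demonstration.

```powershell
# Added defensive example; not code from the Volexity post or from SHARPEXT.
# Reports extensions that a Chromium profile loads from an unpacked folder.

function Get-SideloadedExtension {
    param(
        [Parameter(Mandatory)] [string] $JsonText,   # contents of Preferences or Secure Preferences
        [string] $Source = '<inline>'
    )
    $prefs = $JsonText | ConvertFrom-Json
    $settings = $prefs.extensions.settings
    if (-not $settings) { return }

    foreach ($entry in $settings.PSObject.Properties) {
        $ext  = $entry.Value
        $path = [string]$ext.path
        # Web Store installs record a relative "<id>\<version>" path under the profile's
        # Extensions folder. An absolute Windows path, or location 4 (assumed to be
        # Chromium's UNPACKED value), means the extension was loaded from an arbitrary folder.
        $isAbsolute = $path -match '^([A-Za-z]:\\|\\\\)'
        if ($isAbsolute -or $ext.location -eq 4) {
            [pscustomobject]@{
                Source   = $Source
                Id       = $entry.Name
                Name     = $ext.manifest.name
                Path     = $path
                Location = $ext.location
                Enabled  = ($ext.state -eq 1)   # assumed: state 1 = enabled
            }
        }
    }
}

function Get-ChromiumPreferenceFile {
    # Assumed default user-data roots for the three browsers the post names.
    $roots = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
        "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Profiles sit one level below the root ("Default", "Profile 1", ...).
        Get-ChildItem -LiteralPath $root -Directory |
            ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -File -ErrorAction SilentlyContinue } |
            Where-Object { $_.Name -in @('Preferences', 'Secure Preferences') }
    }
}

# Constructed sample profile: one Web Store install and one extension sideloaded from
# an AF folder under the Roaming profile, as the post describes. Ids and names are made up.
$sample = @'
{ "extensions": { "settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "location": 1, "state": 1,
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.0_0",
        "manifest": { "name": "Constructed Store Extension" } },
    "sampleunpackedextensionidaaaaaaa": {
        "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Roaming\\AF",
        "manifest": { "name": "Constructed Sideloaded Extension" } }
} } }
'@

# Only the sideloaded entry is reported for the sample.
Get-SideloadedExtension -JsonText $sample -Source 'constructed sample' | Format-Table -AutoSize

# Live audit of this machine's browser profiles.
foreach ($file in Get-ChromiumPreferenceFile) {
    Get-SideloadedExtension -JsonText (Get-Content -LiteralPath $file.FullName -Raw) -Source $file.FullName
}
```

Run it from a scheduled job on the high-risk machines the post has in mind and compare the output against the previous run; a newly reported unpacked extension, or a Preferences file whose modification time coincides with a browser restart, is the signal worth following up together with the ScriptBlock logs.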

MITRE Techniques

  • [T1059.001] PowerShell – The attacker uses PowerShell scripts (pow.ps1 and dev.ps1) to install and configure the malicious extension. Quote: “The first executed script (pow.ps1) kills the current browser process and replaces the “Preferences” and “Secure Preferences” files with those retrieved from the command-and-control (C2) server.”
  • [T1056.001] Keylogging / Keyboard Input Capture – The attacker uses a PowerShell script to simulate keystrokes (Ctrl+Shift+J) to enable DevTools; the script sends keystrokes to the browser and then hides the DevTools window. Quote: “the keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel.”
  • [T1564.001] Hide Artifacts – The PowerShell script hides the DevTools window using ShowWindow() with SW_HIDE, and also hides warning messages in Edge. Quote: “The PowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE flag.”
  • [T1055.005] Process Injection / Termination (browser process kill) – pow.ps1 kills the current browser process as part of extension deployment. Quote: “kills the current browser process…”
  • [T1041] Exfiltration – Data exfiltration of email content and attachments to remote servers via HTTP POST (mode=list, mode=domain, mode=attach, mode=newD&d=[data], mode=new&mid=[data], mode=attlist, mode=new_aol&mid=[data]&mbody=[data]). Quote: “Upload Gmail data to the remote server.”
  • [T1105] Ingress Tool Transfer – The attacker downloads the necessary malicious extension files, browser configuration files, and additional scripts from the C2 server prior to deployment. Quote: “Download supporting files: The malicious browser extension files… Additional scripts … to ensure the extension is loaded.”
  • [T1059.001] PowerShell (runtime loading) / Dynamic code loading – The extension’s main logic is loaded from the C2 server at runtime and executed via eval, enabling updates without resending new code. Quote: “most of the code is stored on the C2 server; it is downloaded and passed to an eval() statement at the point of execution.”

Indicators of Compromise

  • [File] pow.ps1 – PowerShell script used to install and configure SHARPEXT by modifying browser preferences. – pow.ps1
  • [File] dev.ps1 – PowerShell script to enable DevTools and control window behavior. – dev.ps1
  • [File] dev.html / [File] dev.js – DevTools module, two files that communicate with the core extension for data collection and exfiltration. – dev.html, dev.js
  • [File] bg.js – Background script holding the main extension logic and its Chromium event listeners. – bg.js
  • [File] Preferences / Secure Preferences – Modified browser profile files to load the malicious extension. – Preferences, Secure Preferences
  • [Folder] %APPDATA%\Roaming\AF – Location from which the malicious extension is loaded. – %APPDATA%\Roaming\AF
  • [Other] Gmail / AOL – Targeted webmail services from which data is stolen. – Gmail, AOL

Read more: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/?s=09