North Korean Hackers Used A Stealthy Browser Extension To Snoop Emails

It is always a good idea to secure your online accounts with a strong password and two-factor authentication, but even that might not stop a new piece of malware discovered by security firm Volexity. According to the company's threat research group, North Korea has been slurping up sensitive emails using a clever (but very malicious) Chrome browser extension dubbed "SHARPEXT." You probably are not important enough to be targeted by this malware, and that's a good thing—North Korea has been at it for a year before anyone noticed.

Volexity reports that SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear and conventional weapons, as well as other areas of interest to North Korea's intelligence apparatus. The researchers have attributed the malware to a hacking group it calls SharpTongue, which appears to have significant overlap with a group known publicly as Kimsuky. As with many state-sponsored hacking groups, SharpTongue has developed a bespoke tool for a very specific use. 

Unlike a lot of malware, SHARPEXT doesn't try to steal passwords; it takes advantage of the browser's logged-in status to quietly snoop on emails instead. All browsers in the Chromium lineage have security measures to alert users to changes to settings, as well as extensions running in developer mode. SHARPEXT has workarounds to stay under the radar. After installation, it modifies several files to fool the browser into thinking its settings have remained untouched. The extension needs to operate in developer mode to run custom code and scripts, so SHARPEXT continuously hides the alert window that would otherwise warn users that dev mode is active.


SHARPEXT has been detected in several different Chromium-based browsers including Google Chrome, Microsoft Edge, and Naver Whale (a browser used almost exclusively in South Korea). Once set up in a supported browser, the malware can monitor tabs until it sees either Gmail or AOL email. Since the browser is logged in, the attackers have access to the target's data without worrying about passwords and two-factor codes. With dev tools enabled, the extension is able to copy emails and attachments to a remote location, which has allowed the malware to collect thousands of emails from targets.

Clearly, SHARPEXT is not the kind of malware you're likely to stumble upon while poking around the internet—it is a highly targeted tool for intelligence gathering. Volexity says it has watched as SHARPEXT evolved over the past year, going from immature and buggy to a sophisticated and successful surveillance tool. Volexity suggests anyone who is worried they may be targeted by SharpTongue should take stock of their extensions to ensure they are all unmodified and installed from official sources.