Highly potent North Korean malware under scanner of Indian cyber law enforcement agencies

The hacker group is known as SharpTongue or Kimsuky and has been the subject of research by several independent cybersecurity firms over the years

Gautam S. Mengle | Updated: Thursday, August 04, 2022, 10:48 PM IST

Mumbai: The Indian cyber law enforcement agencies are currently tracking a data-stealing malware, which is so potent that it is able to identify the exact data it has to steal from the target’s email account even as browsing is underway.

The concerns stem from the fact that after three rounds of development, the malware – created by a group of North Korean hackers – might be ready to be leased out to other hacker groups as part of a routine practice. Known as ‘Malware as a Service’ (MaaS), this practice involves leasing it out to the highest bidder with modifications as per customer needs.

The hacker group is known as SharpTongue or Kimsuky and has been the subject of research by several independent cybersecurity firms over the years. The most recent research report was published earlier this month by Volexity – a cybersecurity solution and research firm that has directly investigated systems compromised by the malware.

As per this research, the malware infiltrates target computers and mobile phones through commonly used phishing techniques such as malicious attachments in seemingly legitimate emails. Volexity’s report states that the malware installs itself in the target’s browser in the form of an extension, named SharpExt.

“SharpExt differs from previously documented extensions used by the Kimsuky actor, in that it does not try to steal usernames and passwords. Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as she/he browses it. Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system,” Volexity’s report states.

SharpExt is currently compatible with Google Chrome, Microsoft Edge and Whale, of which the first two are widely used around the world. Once installed as a browser extension, SharpExt changes the browser’s security preferences so that its exfiltration of data might go unnoticed. This also lets SharpExt suppress any pop-up windows the browser would otherwise display to alert the user about unauthorised activity.

As the malware runs inside the browser, and most users save their email account passwords in their browsers, this effectively means that the malware does not need to hack the target’s email account. Instead, it can simply read their email in real time as soon as they access it through their browser, identifying relevant data and relaying it to the hackers.
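Because the extension lives in the browser profile rather than in the mailbox, the practical check a defender can run is to enumerate the extensions the browser has registered and flag any that were sideloaded or that request access to webmail origins. The script below is an added example, not code from the article or from Volexity’s report; it assumes Chromium’s Preferences layout (extensions.settings, from_webstore, manifest) and works on a constructed sample profile.

```python
"""Audit a Chromium-profile Preferences file for sideloaded or webmail-scoped extensions.

Added example, not code from the article or from Volexity. Installed extensions are
recorded under extensions.settings in the profile's Preferences (or Secure Preferences)
JSON; field names follow that layout. The two entries below are constructed samples.
"""
import json

# Update URL carried by every extension installed from the Chrome Web Store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Host patterns that would let an extension read a webmail session in the browser.
WEBMAIL_HINTS = ("mail.google.com", "outlook.", "mail.", "<all_urls>")

# Constructed sample: one Web Store extension and one loaded from a folder on disk.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Example Blocker", "update_url": WEBSTORE_UPDATE_URL,
                     "permissions": ["webRequest"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "path": "C:\\Users\\demo\\AppData\\Local\\Temp\\helper",
        "manifest": {"name": "Mail Helper",
                     "permissions": ["tabs", "https://mail.google.com/*"]}},
}}})


def audit_extensions(preferences_json: str) -> list:
    """Return one finding per extension that is sideloaded or can read webmail."""
    prefs = json.loads(preferences_json)
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("no Web Store update_url (loaded from disk or a third-party source)")
        scopes = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        mail_scopes = [s for s in scopes if any(h in s for h in WEBMAIL_HINTS)]
        if mail_scopes:
            reasons.append("requests access to webmail origins: " + ", ".join(mail_scopes))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": entry.get("path", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFERENCES):
        print(f["id"], f["name"], f["path"], "; ".join(f["reasons"]), sep=" | ")
```

On a real host, read the profile’s Preferences or Secure Preferences file and pass its contents to audit_extensions(); any extension installed from a local folder will show up with at least the first two reasons.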

“When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature. The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals and finding value in continuing to refine it. Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware's deployment,” the report states.

Currently, SharpTongue is focusing on stealing data from South Korea-based nuclear think tanks, as well as those based in other western countries that conduct research about nuclear power or any other subjects that are of interest to North Korea.

“The concern is that if the malware can infiltrate such sensitive think tanks, it can easily be modified to target less secure systems and steal data en masse. SharpExt is already the talk of the dark web and MaaS could be a real possibility very soon,” an Indian cyber law enforcement officer said.
