SHARPEXT Browser Extension is Out for your Inbox
Security researchers have spotted a new malicious browser extension that goes by the name of SHARPEXT. The malware is associated with a North Korean threat actor that uses SHARPEXT to read through victims' emails.
The threat actor operating the SHARPEXT extension goes by the name of SharpTongue and is believed to operate out of North Korea. Unlike previous malware used by SharpTongue, SHARPEXT does not attempt to steal passwords and credentials.
Instead, SHARPEXT reads the victim's inbox directly and can exfiltrate data from it. The extension has received several updates since researchers started tracking it, and it can affect three browsers, including Chrome and Edge.
To install SHARPEXT and infect a system, the threat actors first need several files exfiltrated from the targeted system. Based on the contents of those files, the hackers produce tailor-made files that the browser will accept back.
The malicious extension also relies on PowerShell to enable developer tools inside the tab in which the user opens their email account. This, combined with the use of listeners, allows SHARPEXT to steal mail data.