A group of researchers has discovered new malware that North Korean hackers use to read and download emails and attachments of Gmail users.
Hackers do not lack imagination when it comes to gaining access to our personal data. Today it is North Korean hackers who have distinguished themselves by the ingenuity they have shown in bypassing Google’s security measures in order to read their victims’ Gmail messages.
How do hackers bypass Gmail security?
It was security researchers from Volexity who found this malware, nicknamed SHARPEXT, which installs an extension in the Chrome and Edge browsers without the user’s knowledge. As you might expect, this extension is not available on the Chrome Web Store or on Microsoft’s official add-on platform. It is all the more deceptive because it sidesteps the most common account protections, such as a strong password and two-factor authentication: it reads mail from a browser session the victim has already logged into, so it never has to authenticate itself.
According to the researchers, the malware has been in circulation for more than a year. It is believed to be the work of a North Korean hacking group, sponsored by the government, that targets US, European and South Korean organizations working on nuclear weapons and other issues the Kim Jong-un regime considers important to its national security.
We also learn that the malware currently targets only Windows computers, although the hackers would have no trouble porting it to other platforms such as macOS or Linux. Volexity stated in its blog post that the logs it obtained showed the attacker was able to steal thousands of emails from multiple victims by deploying the malware.
A well-established process
To achieve their goals, the hackers rely on phishing. The victim is tricked into opening a malicious document they have received, and the program then installs the extension in the user’s browser without the user noticing. The process is more complicated than it appears, because Chromium’s browser security prevents malware from changing sensitive user settings directly.
So the hackers had to use a different approach: first modifying the browser’s preference files on the system, then installing the browser extension, and finally running a PowerShell script that activates the DevTools developer tools, which let the malware execute custom code and settings directly in the web browser. The Volexity researchers explain:
“The script runs in an infinite loop that checks the processes associated with the target browsers. If the target browsers are running, the script checks the tab address for a specific keyword like 05101190 or Tab +. The specified keyword is inserted into the title by the malicious extension when an active tab is changed or the page is loaded.”
From there, the running script can harvest all the data on the page, such as the emails in your Gmail account. The SHARPEXT malware can also build email ignore lists and keep track of the files and attachments it has already stolen.
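Because the infection hinges on an extension that was written into the browser’s preference files rather than installed from the Web Store, a defender can look for exactly that. The following Python audit is an added example written for this article, not code from Volexity or from the malware; it assumes the Chromium preference layout (extensions.settings.<id> with location, from_webstore and path, plus extensions.ui.developer_mode, which on Windows lives in the profile’s Preferences or Secure Preferences file) and runs on a constructed sample.

```python
import json
from pathlib import PureWindowsPath

# Assumed Chromium preference values: location 4 is an extension loaded
# unpacked from a directory, location 5 is a browser-bundled component.
LOCATION_UNPACKED = 4
LOCATION_COMPONENT = 5

# Constructed sample: one Web Store extension and one sideloaded extension.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaabbbbccccddddeeeeffffgggghhhh": {
                "location": 1, "from_webstore": True,
                "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.2.3_0",
                "manifest": {"name": "Legit Store Extension"}},
            "iiiijjjjkkkkllllmmmmnnnnoooopppp": {
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Update Service"}},
        },
    }
})

def audit_extension_prefs(prefs_text: str) -> dict:
    """Flag developer mode and extensions that did not come from the Web Store."""
    ext = json.loads(prefs_text).get("extensions", {})
    findings = {
        "developer_mode": bool(ext.get("ui", {}).get("developer_mode", False)),
        "suspicious": [],
    }
    for ext_id, entry in ext.get("settings", {}).items():
        if entry.get("location") == LOCATION_COMPONENT:
            continue  # bundled with the browser, not user-installed
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from a directory")
        if not entry.get("from_webstore", False):
            reasons.append("no from_webstore marker")
        # Store installs are stored as a path relative to <profile>\Extensions;
        # an absolute path means the extension code lives elsewhere on disk.
        if PureWindowsPath(entry.get("path", "")).is_absolute():
            reasons.append("absolute path outside the profile: " + entry["path"])
        if reasons:
            findings["suspicious"].append({
                "id": ext_id,
                "name": entry.get("manifest", {}).get("name", "?"),
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_extension_prefs(SAMPLE_PREFS), indent=2))
```

On a real host, feed it the contents of the profile’s Preferences and Secure Preferences files and treat developer mode plus an absolute-path extension as a signal worth investigating, not as proof of compromise.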
Since this malware is still in circulation, extra caution is advised, especially before opening attachments from questionable senders. Also be sure to keep your browser up to date, or use a more locked-down operating system such as ChromeOS.