The virus steals emails from the Google Chrome, Microsoft Edge and Whale browsers. The attack begins once the operating system has been compromised through a special VBS script. That script replaces the browser’s “Preferences” and “Safe Preferences” files with versions downloaded from the operator’s command and control server, and this happens before the extension itself is launched.
The North Korean cyber group Kimsuky is believed to be behind these attacks, which target public figures and politicians in South Korea, Europe and the United States. Experts attribute the effectiveness of the attacks to the inability of the Gmail and AOL email services to detect the malicious activity – the virus rides on an active, legitimate user session. The same holds on the victim’s side of the account – no reports of suspicious activity are generated.
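Because the extension is sideloaded by rewriting Chrome’s Preferences / Secure Preferences files (the “Safe Preferences” of the article) rather than installed from the Web Store, a defender can triage an endpoint by parsing those JSON files and listing enabled extensions that are not Web Store installs or are loaded unpacked from a local directory. The script below is an added example, not code from the article or from Volexity; the sample preferences document is constructed, and the numeric `location` value for unpacked extensions is an assumption based on Chromium’s ManifestLocation enum.

```python
import json
from typing import Dict, List

# Constructed sample of the "extensions.settings" section of a Chrome
# Preferences / Secure Preferences file (not taken from a real victim).
# On Windows the real file lives under
#   %LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Store extension", "version": "1.2"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\Public\\ext",
                "manifest": {"name": "Updater", "version": "3.0"},
            },
        }
    }
})

# Chromium ManifestLocation value for an unpacked (load-from-directory)
# extension. Assumption from the Chromium source, not from the article.
LOCATION_UNPACKED = 4


def suspicious_extensions(prefs_json: str) -> List[Dict[str, str]]:
    """Return enabled extensions that were not installed from the Web Store
    or are loaded unpacked from a local path, the traits of an extension
    planted by rewriting the preferences files."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("state") != 1:  # skip disabled extensions
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("unpacked from %s" % entry.get("path", "?"))
        if reasons:
            manifest = entry.get("manifest", {})
            findings.append({"id": ext_id, "name": manifest.get("name", ""),
                             "version": manifest.get("version", ""),
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_extensions(SAMPLE_PREFS):
        print(finding)
```

Run it against a copy of the real file, and treat any hit whose path points outside the browser’s own install directories as worth a closer look alongside the VBS script execution evidence described above.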
“The malicious plugin directly monitors and retrieves data from the victim’s email account as soon as it checks incoming emails. By the way, attackers do not forget to develop and upgrade the extension; currently its version is 3.0,” say Volexity experts.
Source: Ferra
