Dubbed SHARPEXT by Volexity researchers, the malware uses clever means to install an extension on the Chrome and Edge browsers. Email services cannot detect the extension, and because the browser has already been authenticated with whatever multi-factor authentication is in place, this popular security measure plays no role in preventing accounts from being compromised.

Volexity said the malware has been in use for “more than a year” and is the work of a hacker group the company monitors under the name SharpTongue. This group is supported by the North Korean government and overlaps with the Kimsuky group. SHARPEXT targets organizations in the United States, Europe and South Korea working on nuclear weapons and other issues that North Korea considers important to its national security.

Volexity CEO Stephen Adair said in an email that the extension was installed “through spear phishing and social engineering, where the victim is tricked into opening a malicious document.”

In its current version, the malware only runs on Windows, but Adair says there’s no reason why it couldn’t be expanded to infect browsers running on macOS or Linux.

Source: Ferra
