1 August 2022

North Korea-linked hackers use malicious extensions to spy on victims’ email


A hacker group acting on behalf of the North Korean government has been observed using malicious Google Chrome or Chromium-based Microsoft Edge browser extensions to spy on user email accounts, cybersecurity firm Volexity reports.

The threat actor, tracked by Volexity as SharpTongue and also known as Kimsuky, often targets individuals at organizations in the US, Europe and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to Pyongyang.

Over the past year, the group has been using a malicious Google Chrome or Microsoft Edge extension called SHARPEXT.

Unlike extensions previously documented in Kimsuky campaigns, SHARPEXT does not try to steal usernames and passwords; instead it directly inspects and exfiltrates data from the victim's webmail account. The tool, currently at version 3.0, supports Google Chrome, Microsoft Edge and Naver's Whale browser (the latter used almost exclusively in South Korea) and can steal mail from both Gmail and AOL webmail.

SHARPEXT is deployed after successful compromise of a target system.

“Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script,” Volexity explains.

In order to install the extension, the attackers replace the Preferences and Secure Preferences files of the target Chromium-based browser, which is not a trivial task because the browser checks the integrity of those files.

“The Secure Preferences file contains a known-good state of the user’s profile information. Upon startup of Chromium-based browsers, if the Preferences files do not match the loaded configuration, the current configuration will be replaced by the contents of the Secure Preferences file. The Chromium engine has a built-in mechanism that requires that the Secure Preferences file contain a valid "super_mac" value to prevent manual editing of this file,” the researchers said.

To get around this, the threat actor collects the information from the browser and the user’s system that is needed to generate new Secure Preferences and Preferences files that Chromium-based browsers will accept.

With the modified preferences files in place, the browser will automatically load the malicious extension located in folder “%APPDATA%\Roaming\AF”.
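The following is an added example, not code from Volexity or from the SHARPEXT toolkit, that models the preference-integrity scheme described above and the check a defender would run against a profile's Secure Preferences file. Real Chrome uses a build-specific seed extracted from resources.pak and, on Windows, the machine SID as the device id; both are replaced here by constructed placeholders, the per-preference MACs are stored flat rather than nested by path component, and the exact JSON serialization is an assumption. The sample Secure Preferences content, the extension IDs and the `C:\Users\victim\...` path are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Placeholders: real Chrome derives the seed from resources.pak and the device
# id from the Windows machine SID. Both values here are constructed.
SEED = b"example-seed-not-chromes-real-one"
DEVICE_ID = "S-1-5-21-0-0-0"

# A few of the preference paths Chromium protects with a MAC (subset).
TRACKED_PREFS = ["extensions.settings", "homepage", "session.restore_on_startup"]
UNPACKED = 4  # ManifestLocation value for an extension loaded from a directory


def _get(prefs, path):
    """Walk a dotted path through nested dicts; None if absent."""
    node = prefs
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _serialize(value):
    """Model of Chromium's compact JSON writer (sorted keys); null -> ""."""
    if value is None:
        return ""
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def pref_mac(path, value, seed=SEED, device_id=DEVICE_ID):
    """HMAC-SHA256 over device_id || path || serialized value, upper-case hex."""
    msg = (device_id + path + _serialize(value)).encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def stamp(prefs, seed=SEED, device_id=DEVICE_ID):
    """Return a copy of prefs with protection.macs and super_mac recomputed.
    This is the step an attacker must reproduce to get a rewritten file accepted."""
    out = copy.deepcopy(prefs)
    macs = {p: pref_mac(p, _get(out, p), seed, device_id) for p in TRACKED_PREFS}
    out.setdefault("protection", {})["macs"] = macs
    out["protection"]["super_mac"] = pref_mac("", macs, seed, device_id)
    return out


def verify(prefs, seed=SEED, device_id=DEVICE_ID):
    """Return (super_mac_ok, [tracked paths whose MAC no longer matches])."""
    prot = prefs.get("protection", {})
    macs = prot.get("macs", {})
    super_ok = hmac.compare_digest(prot.get("super_mac", ""),
                                   pref_mac("", macs, seed, device_id))
    bad = [p for p in TRACKED_PREFS
           if macs.get(p, "") != pref_mac(p, _get(prefs, p), seed, device_id)]
    return super_ok, bad


def suspicious_extensions(prefs):
    """Defender check: extensions loaded unpacked from a directory or not
    installed from the Web Store. Returns [(extension_id, path), ...]."""
    hits = []
    for ext_id, s in (_get(prefs, "extensions.settings") or {}).items():
        if s.get("location") == UNPACKED or not s.get("from_webstore", False):
            hits.append((ext_id, s.get("path")))
    return hits


def sideload(prefs, ext_id, directory):
    """Model of the attacker's edit: register an unpacked extension by hand
    without re-stamping the MACs."""
    out = copy.deepcopy(prefs)
    out["extensions"]["settings"][ext_id] = {
        "location": UNPACKED, "from_webstore": False,
        "path": directory, "state": 1,
    }
    return out


# Constructed Secure Preferences content with one legitimately installed extension.
CLEAN = stamp({
    "homepage": "https://example.org",
    "session": {"restore_on_startup": 1},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "location": 1, "from_webstore": True,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0"}}},
})
EVIL_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
EVIL_DIR = "C:\\Users\\victim\\AppData\\Roaming\\AF"   # constructed path
NAIVE = sideload(CLEAN, EVIL_ID, EVIL_DIR)   # edited, MACs left stale
RESTAMPED = stamp(NAIVE)                     # edited and MACs recomputed

if __name__ == "__main__":
    print("clean:", verify(CLEAN))
    print("naive edit:", verify(NAIVE))          # extensions.settings MAC fails
    print("restamped:", verify(RESTAMPED))       # passes the integrity check
    print("flagged:", suspicious_extensions(RESTAMPED))
```

The naive edit is rejected by the MAC on `extensions.settings`, which is why the attacker has to harvest the seed and device id and regenerate the whole file; once that is done the integrity check alone tells a defender nothing. The `suspicious_extensions` check still works on a real profile without the seed: `json.load` the Secure Preferences file and flag any entry with an absolute `path` or `location` 4, since normal Web Store installs live under the profile's Extensions directory.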

Once the extension has been deployed, a PowerShell script is used to enable DevTools, which the extension relies on to inspect the contents of the tab the user is viewing and to exfiltrate data of interest.

“This is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise. By stealing email data in the context of a user's already-logged-in session, the attack is hidden from the email provider, making detection very challenging,” the researchers noted.
