2022-08-03

Cybersecurity firm Volexity has uncovered malware capable of inspecting and stealing data from a Gmail account as users browse through it.

Dubbed “SHARPEXT”, the malware is believed to originate from North Korean threat actor Sharptongue, also known as Kimsuky, and has targeted victims in the US, Europe, and South Korea.

Kimsuky’s previously documented exploits attempted to steal usernames and passwords to compromise email accounts, but the latest malware works around this.

It comes in the form of a malicious browser extension that can be deployed to a target device through various means — including a malicious link in phishing emails.

The complete workflow is complex and requires the attacker to first extract several pieces of data from a target device — the resources.pak file from the browser, the user’s S-ID value, and the original Preferences and Secure Preferences files for the browser.

Once those are acquired, the attacker modifies the user’s Secure Preferences and Preferences files while keeping the user’s existing settings in place, which hides the presence of the malware.

Because the extension reads mail from the victim’s already-authenticated browser session, there are no unexpected logins to the Google account used for Gmail, and the user has no indication they have been compromised.

The extension is currently capable of stealing data from Gmail and AOL webmail on the Chrome, Edge, and Whale browsers, the last of which is a popular option in South Korea.

Google has confirmed to Forbes the extension code used by the malware is not in the Chrome Web Store, so the malware must be deployed from elsewhere.
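Since the extension is sideloaded by editing the browser's Preferences and Secure Preferences files rather than installed from the Chrome Web Store, a quick triage step is to enumerate what those files declare. The script below is an added example, not part of Volexity's or Forbes's reporting: it parses a Chromium-family Preferences or Secure Preferences JSON document and flags any extension whose recorded install location is not a normal Web Store install, or whose manifest requests access to the webmail hosts named above. The keys it reads (`extensions.settings`, `from_webstore`, `location`, `manifest`, `path`) are the real Chromium preference keys; the embedded sample document, its extension ids and its file path are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Chromium's Manifest::Location values (from the Chromium source). A normal
# Chrome Web Store install is recorded as location 1 (INTERNAL) together with
# "from_webstore": true; a developer-mode "load unpacked" extension is 4.
LOCATION_NAMES: Dict[int, str] = {
    1: "INTERNAL",
    2: "EXTERNAL_PREF",
    3: "EXTERNAL_REGISTRY",
    4: "UNPACKED",
    5: "COMPONENT",
    6: "EXTERNAL_PREF_DOWNLOAD",
    7: "EXTERNAL_POLICY_DOWNLOAD",
    8: "COMMAND_LINE",
    9: "EXTERNAL_POLICY",
    10: "EXTERNAL_COMPONENT",
}

# Webmail origins the article names as the extension's targets.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def audit_extensions(prefs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Walk extensions.settings in a parsed Preferences / Secure Preferences
    document and return one finding per extension that was not installed from
    the Web Store or that requests access to webmail hosts."""
    findings: List[Dict[str, Any]] = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        manifest = entry.get("manifest") or {}
        location = entry.get("location")
        from_webstore = bool(entry.get("from_webstore", False))
        # Host patterns can sit in "permissions" (MV2) or "host_permissions" (MV3).
        requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        webmail_hits = [p for p in requested
                        if isinstance(p, str) and any(h in p for h in WEBMAIL_HOSTS)]

        reasons: List[str] = []
        if location != 1:
            reasons.append("install location " + str(LOCATION_NAMES.get(location, location)))
        if not from_webstore:
            reasons.append("not installed from the Chrome Web Store")
        if webmail_hits:
            reasons.append("requests webmail access: " + ", ".join(webmail_hits))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<no manifest>"),
                "path": entry.get("path"),
                "reasons": reasons,
            })
    return findings


def audit_file(path: str) -> List[Dict[str, Any]]:
    """Load a Preferences or Secure Preferences file from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))


# Constructed sample: a trimmed Secure Preferences document with one ordinary
# Web Store extension and one sideloaded extension. Ids and path are placeholders.
SAMPLE_SECURE_PREFS: Dict[str, Any] = {
    "extensions": {
        "settings": {
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True,
                "location": 1,
                "state": 1,
                "manifest": {"name": "Benign Web Store extension", "permissions": ["storage"]},
            },
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": False,
                "location": 4,
                "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {
                    "name": "Sideloaded extension",
                    "permissions": ["tabs", "https://mail.google.com/*", "https://mail.aol.com/*"],
                },
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_SECURE_PREFS):
        print(finding["id"], finding["name"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run it against a copy of the profile's Secure Preferences file (for Chrome on Windows that is under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\`; Edge and Whale use the same Chromium layout under their own directories). The article's mention of resources.pak and a per-user id reflects the integrity protection Chromium applies to Secure Preferences; this script does not try to validate those integrity values, it only enumerates what the file declares, so treat a non-Web-Store extension with webmail host access as a lead to examine the extension's on-disk path, not as proof of compromise.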

Unless a user clicks on a malicious link, or attackers exploit some as-yet-unknown remote code execution vulnerability, the malware should not be able to get onto their system.