Mumbai: Indian cyber law enforcement agencies are currently tracking a data-stealing malware – created by a group of North Korean hackers – which is so potent that it is able to identify the exact data that it has to steal from the target’s email account even as the target is browsing through.
The Indian authorities’ concerns stem from the fact that after three rounds of development, the malware might be ready to be leased out to other hacker groups, which is a routine practice among hackers. Known as ‘Malware as a Service’ (MaaS), this practice involves hackers leasing out malware of their creation, with modifications as per the customers’ needs, to the highest bidder.
The hacker group is known as SharpTongue or Kimusky and has been the subject of research by several independent cybersecurity firms over the years. The most recent research report was published earlier this month by Volexity – a cybersecurity solution and research firm that has personally investigated systems compromised by the malware.
According to research, the malware infiltrates target computers and mobile phones through commonly used phishing techniques, like sending malicious attachments through seemingly legitimate emails. Volexity’s report states that inside the target system, the malware installs itself in the target’s browser in the form of an extension, named SharpExt.
“SHARPEXT differs from previously documented extensions used by the ‘Kimsuky’ actor, in that it does not try to steal usernames and passwords. Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it. Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system,” Volexity’s report states.
SharpExt is currently compatible with Google Chrome, Microsoft Edge and Whale, of which the first two are widely used around the world. Once installed as a browser extension, SharpExt changes the browser’s security preferences, so that its exfiltration of data might go unnoticed. Additionally, this enables SharpExt to suppress any pop-up windows that the browser might want to throw up to alert the user about unauthorised activity.
As the malware is compatible with browsers and most users save their email account passwords in their browsers, this effectively means that the malware does not need to hack the target’s email account. Instead, it can simply read their email as soon as they access their email through their browser.
SharpExt then scans the target’s email in real-time, identifying relevant data and relaying it to the hackers.
“When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature. The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals and finding value in continuing to refine it. Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment,” the report states.
Currently, SharpTongue is focusing on stealing data from South Korea-based nuclear think tanks, as well as those based in other western countries that work conduct research about nuclear power or any other subjects that are of interest to North Korea.
“The concern is that if the malware can infiltrate such sensitive think tanks, it can easily be modified to target less secure systems and steal data en masse. SharpExt is already the talk of the dark web and MaaS could be a real possibility very soon,” an Indian cyber law enforcement officer said.