SharpTongue Deployed Browser Extension to Steal Emails

It’s believed that North Korean Threat Group is behind all malicious browser extensions for Chrome/ Edge. Their one & only goal is to breach Email Content from Gmail and AOL sessions that are Open. Also, they replace browser preference files.

We believe that only severe attacks done by ransomware are potential threats to the public and organizations. But there are several ways in which the attackers may exploit the systems of public and organizations to breach confidential data that can be used to ask for ransom money.

This news is one of the messes around the world which usually don’t seem to be severe enough but can be extremely severe to challenge technical support and security. Let’s see what this talk about and how it happened to the victims.

CyberAttacks by SharpTongue

SHARPEXT Malicious Extension was first observed by Volexity’s Researchers. It was used by Kimsuky aka SharpTongue for a year alas. For maintaining persistence of the attack, Kimsuky used this extension as a Post-Exploitation Tool.

  • If we talk about the differentiation between other extensions and this one then we’d say that this wasn’t made on purpose to steal credentials. Rather, it steals information from the victims’ email boxes.
  • After compromising the targeted system, the adversary implemented this extension manually utilizing a VBS script.

More Info – SharpTongue

The main motive of the extension was to breach emails and attachments from victim’s Mail.

  • Malicious Extension’s Previous Versions only supported Gmail A/Cs. The latest version supports both GMAIL & AOL.
  • One of the malicious actions of this extension was to create web requests to download more emails from the related web page.
  • Researchers’ belief was that this extension was underdeveloped.

Process of Implementing Complex Browser

To install, a replacement Chromium-based browser was needed in the place of Preferences and Secure Preferences Files. It usually seems to be a difficult procedure to proceed.

  • In case of replacing Secure Preferences Files, the adversary gathered certain information from the browser and produced a new file that runs browser start-up.
  • Next to that, to cover up the tasks done and to stop any windows from popping-up in front of the victim that could alert him/ her that something’s wrong with your browser which could be the actions of the extension, they used a second script.
  • As a result, the browser will run a listeners’ pair that will observe the types of activities happening on the browser in several browser tabs. The procedure for implementing this extension is different from each victim.


This kind of attack isn’t different from any other attacks of North Korean Attackers. However, at first, such attacks that involve malicious browser extensions seem to be used as a pawn to concrete the impact of the attack. It shows that the members of such groups are trying to enhance their tools and techniques that show them as potential threats.

Kindly read more articles :

Google Services in Great Danger in 2022! Want to know How?

Data on Twitter of millions of people was stolen in a drift

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?