Access to the e-mail inbox is the jackpot for an attacker. No wonder that mail providers rely on all kinds of security measures. Now a piece of malware has turned up that sidesteps them entirely. The trail leads to North Korea.

If there is one account that should never be compromised, it is the mail account. Of course, most e-mail falls into the categories of newsletters, advertising and spam. But when push comes to shove, the mail account is the key to all the others: it is where the password resets for every other service arrive. A new piece of malware can now simply read an entire mail account, attachments included.

The discovery was made by researchers at the security company Volexity. In a blog post, they describe the malware, which had not been observed in this form before. The attackers use a clever trick: instead of logging into the mail account with stolen credentials, they hijack the victim's browser with a malicious extension. Because the extension runs inside a session that is already logged in, it needs neither the password nor a second factor, so additional protections such as two-factor authentication are never triggered. And whoever reads the inbox can, of course, also reset the passwords of the accounts tied to it.

Top target group

The attackers rely on several previously known methods of installing an extension in the browser without the user's consent. The starting point is a targeted phishing attack tailored to the individual, so-called spear phishing. The victim is tricked into opening a file that silently installs the malware, which then begins downloading every e-mail without the user noticing anything.

So far, the group of targets appears to be very small. The hacker group believed to be responsible, "SharpTongue", is associated with the North Korean regime and selects its victims worldwide: Volexity reports attacks in the USA, Europe and South Korea. It apparently has a very specific goal in mind, though. According to the researchers, every Sharpext infection discovered so far was found in institutions that deal with nuclear issues, weapons technology and other topics of interest to North Korea.

Everything points to success

This is also reflected in the malware's behavior. Sharpext, which has so far only been observed on Windows and in Chrome, Edge and Whale (a South Korean browser based on the Chromium engine), is designed above all to read the infected mailboxes for as long as possible without being detected. It also tricks the browser itself: Microsoft's Edge, for example, regularly displays a warning while an extension is running in so-called developer mode, the setting that lets extensions be loaded unpacked from disk rather than from the store. Sharpext therefore constantly checks whether Edge is about to open such a warning window and hides it again within a fraction of a second.
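An extension that was side-loaded this way leaves a footprint in the browser profile: Chromium-based browsers (Chrome, Edge, Whale) record every installed extension under extensions.settings in the profile's Preferences or Secure Preferences file, and an extension loaded in developer mode appears there with location 4 (UNPACKED), from_webstore false and an absolute on-disk path. The following script is an added example for hunting that footprint; it is not Volexity's code nor part of the malware, the Preferences fragment it scans is constructed, the extension IDs and paths in it are made up, and the list of webmail hosts is an assumption.

```python
"""Flag side-loaded Chromium extensions that can reach webmail.

Added example: parses the extensions.settings section of a Chromium
Preferences / Secure Preferences file and reports extensions that were
loaded unpacked (developer mode) or not installed from the web store,
noting whether their host permissions cover webmail. The sample
preferences below are constructed, not taken from a real profile.
"""
import json

# Chromium ManifestLocation values as stored in "location".
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
UNPACKED = 4

# Webmail origins a mail-stealing extension would need (assumed list; extend as needed).
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com", "outlook.live.com")


def host_permissions(manifest):
    """Collect host match patterns from MV2 'permissions' and MV3 'host_permissions'."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return [p for p in perms if p == "<all_urls>" or "://" in p]


def touches_webmail(patterns):
    """True if any pattern grants access to a webmail origin (or to every origin)."""
    for p in patterns:
        if p == "<all_urls>" or p.startswith("*://*/") or p.startswith("https://*/"):
            return True
        if any(host in p for host in WEBMAIL_HOSTS):
            return True
    return False


def is_sideloaded(entry):
    """An unpacked or non-store extension is the footprint a side-load leaves."""
    return entry.get("location") == UNPACKED or entry.get("from_webstore") is False


def find_suspicious_extensions(preferences):
    """Return one finding per side-loaded extension, with the reasons it was flagged."""
    findings = []
    settings = preferences.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if not is_sideloaded(entry):
            continue  # store-installed extensions with mail access are normal
        manifest = entry.get("manifest", {})
        patterns = host_permissions(manifest)
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the web store")
        if touches_webmail(patterns):
            reasons.append("host permissions reach webmail: " + ", ".join(patterns))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "location": LOCATION_NAMES.get(entry.get("location"), str(entry.get("location"))),
            "path": entry.get("path"),
            "reasons": reasons,
        })
    return findings


def scan_preferences_file(path):
    """Scan a real profile file, e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_extensions(json.load(fh))


# Constructed sample: one store extension with broad permissions (benign),
# one unpacked extension with access to webmail only (the side-load footprint).
SAMPLE_PREFERENCES = {
    "extensions": {
        "settings": {
            "aaaabbbbccccddddeeeeffffgggghhhh": {  # made-up ID
                "location": 1, "from_webstore": True,
                "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.44.0_0",
                "manifest": {"name": "Content blocker", "version": "1.44.0",
                             "permissions": ["<all_urls>", "webRequest"]},
            },
            "abcdefghijklmnopabcdefghijklmnop": {  # made-up ID
                "location": 4, "from_webstore": False,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Tab helper", "version": "3.0",
                             "permissions": ["storage", "https://mail.google.com/*",
                                             "https://mail.aol.com/*"]},
            },
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(find_suspicious_extensions(SAMPLE_PREFERENCES), indent=2))
```

On Windows the extension settings may live in Secure Preferences rather than Preferences (Chrome protects that file with per-machine HMACs, which is why a side-loader has to rewrite it rather than just append to it), so check both files for every profile directory, and for Edge look under %LOCALAPPDATA%\Microsoft\Edge\User Data. The script only flags side-loaded extensions; a store extension with <all_urls> is ordinary and would drown the result in noise.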

The program is also surprisingly selective about which e-mails it reads, if the attackers want it to be. Sharpext keeps a blocklist of sender addresses it should ignore, and it maintains a meticulous record of every message and attachment it has already exfiltrated, so nothing is collected twice.

In addition, the program is evidently under continuous development. While it was still fairly simple when first discovered, the attackers have since reached internal version 3, with a considerably larger set of features. The security researchers therefore assume that the threat will not simply go away: "The latest updates and constant maintenance indicate that the attackers are achieving their goals and see added value in continuing and refining the program."

Source: Volexity
