
The new Gmail monitoring method no longer insists on stealing accounts, but instead uses Chrome / Edge browser extensions to “carry” your messages

by admin

With two-step verification, and with tech companies and services getting better and better at detecting activity from unknown locations and devices, it is becoming harder and harder to monitor an email account by stealing it through phishing and reading its contents. But where the road does not turn, people (hackers) do. Recently, an information security firm caught a piece of malware that is still in its infancy, suspected to be developed by the North Korean-backed hacker group SharpTongue / Kimsuky. It installs a browser extension (add-on / plug-in), something that usually feels harmless, to monitor and even steal the contents of emails and files without logging into the victim's account.

Because there is no login warning, this method makes it easier for sensitive information to be "carried" off without the victim knowing (alarming, although my mailbox is full of spam).

▲ Image source: ArsTechnica


Everyone will want to say: then I just won't install random extensions in Chromium-based browsers. But this malware is actually quite clever. The malicious program, called "SHARPEXT", may be triggered simply by accidentally opening certain files while surfing the Internet or receiving emails.

Source: Android Police

It does not let you notice anything; or rather, it wants neither you nor your email service provider to notice at all. Getting past the latter is actually very simple, because you are already logged in normally in the browser. Gmail and AOL mail, the services currently targeted by SHARPEXT, naturally do not care which emails you are looking at when you view them in a browser.


After installing the browser extension, SHARPEXT also monitors your browser by replacing the browser's settings file and executing additional scripts. The technique involved is actually quite cumbersome and meticulous. When the settings file is replaced, Chromium-based browsers have a countermeasure: they remind the user that developer-related settings have been turned on and offer to turn them off.

Source: Volexity

However, SHARPEXT also tries to obtain information to circumvent these mechanisms, so that these warning windows are never visible to the user. And because these mechanisms are actually quite complicated, the information security company Volexity was able to catch this data-stealing method before the hacker organization had perfected it.
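Since the developer-mode warning may never reach the user, a defender can read the same state straight from the profile's settings files. The following is an added example, not code from Volexity or from this article: it audits a parsed Chromium `Preferences` / `Secure Preferences` document for extensions that were loaded outside the store. The field names follow Chromium's preferences layout; the sample profile, the extension IDs, the path and the list of mail hosts are constructed assumptions.

```python
import json

# Chromium Manifest::Location values for extensions loaded outside a store or policy.
SIDELOADED = {4: "unpacked (developer mode)", 8: "command line (--load-extension)"}
# Assumed host names for the two webmail services the article names.
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def load_profile(path):
    """Parse a Preferences or Secure Preferences file from a browser profile."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def audit_profile(prefs):
    """Return one finding per sideloaded extension, webmail-capable ones first."""
    ext_root = prefs.get("extensions", {})
    dev_mode = bool(ext_root.get("ui", {}).get("developer_mode", False))
    findings = []
    for ext_id, entry in ext_root.get("settings", {}).items():
        loc = entry.get("location")
        if loc not in SIDELOADED:
            continue  # store, policy and built-in extensions are out of scope here
        perms = entry.get("active_permissions", {})
        hosts = perms.get("explicit_host", []) + perms.get("scriptable_host", [])
        reaches_mail = any(
            h in BROAD or any(m in h for m in MAIL_HOSTS) for h in hosts)
        findings.append({"id": ext_id, "source": SIDELOADED[loc],
                         "path": entry.get("path", ""),
                         "developer_mode": dev_mode,
                         "reaches_mail": reaches_mail})
    return sorted(findings, key=lambda f: not f["reaches_mail"])

# Constructed sample profile: one store extension, two unpacked ones.
SAMPLE = {"extensions": {
    "ui": {"developer_mode": True},
    "settings": {
        "a" * 32: {"location": 1, "from_webstore": True, "path": "a" * 32,
                   "active_permissions": {"explicit_host": ["<all_urls>"]}},
        "b" * 32: {"location": 4, "path": r"C:\Users\example\dev\notes",
                   "active_permissions": {"explicit_host": ["https://example.org/*"]}},
        "c" * 32: {"location": 4, "path": r"C:\Users\example\AppData\Roaming\ExampleDir",
                   "active_permissions": {
                       "scriptable_host": ["https://mail.google.com/*"]}},
    }}}

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

An unpacked extension is normal on a developer's machine, so treat a finding as a lead to review (who installed it, what is in its `path`), not as proof of compromise.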

Experts pointed out that SHARPEXT "currently" targets only the Windows versions of Chrome, Edge, and Whale, a browser that is also based on Chromium. At present it appears to be used mainly to monitor strategic issues for the US, Europe and South Korea, such as nuclear weapons systems, stealing the contents of emails and attached files. Keep in mind, however, that they judge SHARPEXT to be at a very early stage, with many bugs remaining (which is why it was caught).

Whether the hacker group will expand the range of monitored keywords, or turn to other browsers and other targets, is still unknown. But experts at least see no reason why SHARPEXT could not be extended to browsers on macOS or Linux. For now, besides the advice to be careful not to open unsolicited files or installers, Volexity also provides a mechanism to detect SHARPEXT-related activity and to block the destinations the stolen information is sent to. For more information on SHARPEXT, please refer to Volexity's website for detailed instructions.
