Gmail: New malware bypasses passwords and 2FA system to read all emails

In terms of protection, Gmail is well equipped: strong login credentials and two-step verification. However, security researchers have uncovered evidence of a state-sponsored hacking group that has figured out a way to sidestep these protections altogether.

A group of North Korean hackers can read a victim's Gmail without ever stealing the login credentials.

According to cybersecurity firm Volexity, the North Korean hacker group dubbed “SharpTongue,” which appears to be linked to the Kimsuky group, is deploying malware named SHARPEXT that no longer needs your Gmail login information.

This malware “directly inspects and exfiltrates data” from a Gmail account while the victim is browsing it. The threat is evolving rapidly (Volexity says it is already at version 3.0), can steal emails from Gmail and AOL accounts, and works in three browsers: Google Chrome, Microsoft Edge and Whale.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), the Kimsuky group has been operating since 2012 and is “most likely tasked by the North Korean regime with a global intelligence-gathering mission.”

While CISA estimates that Kimsuky most often targets people and organizations in South Korea, Japan and the United States, Volexity reports that SharpTongue has frequently been caught targeting South Korea, the United States and Europe. The common denominator between the two groups is their victims, who “often work on matters involving North Korea, nuclear issues, weapons systems and other strategic interests for North Korea.”

What is specific about SHARPEXT malware?

The SHARPEXT malware differs from browser extensions previously deployed by hacker groups in that it does not attempt to obtain login credentials; it bypasses them and grabs email data as the user reads it.

The good news is that a system must already be compromised before this malware can be deployed. Unfortunately, compromising a system is not as difficult as it should be.

Once a system has been compromised through phishing, malware, an unpatched vulnerability or the like, the hackers install the extension with a malicious VBS script that replaces the system's preference files. Once that is done and the extension is running in the background, the malware is hard to spot: the user is logging into their Gmail account from their normal browser on the expected system.

SHARPEXT reads Gmail emails without triggering Google's unusual-activity protections.

There is nothing to alert Google or the user that someone has logged into Gmail from another browser, another device or another location. Bypassing this protection is crucial, because it gives the hackers long-term access to your mailbox: they can read every received and sent email as if they were the user themselves.

To detect and investigate a SHARPEXT attack, Volexity recommends enabling and analyzing PowerShell ScriptBlock logging, since PowerShell plays a key role in configuring and installing the malware. It also recommends regularly reviewing installed browser extensions, especially any you do not recognize or that are not available in the Chrome Web Store.
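The two recommendations above, turned into a host triage script. This is an added example, not code from the article or from Volexity, and it relies on stated assumptions: the Chrome and Edge profile paths are the defaults under %LOCALAPPDATA% (the Whale path is assumed, not verified), the two store update URLs are the usual Chrome Web Store and Edge Add-ons values, the `extensions.settings` layout of the profile's Preferences / Secure Preferences files is taken from Chromium rather than from the page, and the regex over event 4104 is a starting heuristic, not an indicator from Volexity's report.

```powershell
# Added triage script (not from the article or Volexity) for a Windows host suspected of a
# SHARPEXT-style extension deployment. Three checks: (1) every extension under the Chrome/Edge/
# Whale profiles, flagging those without a store update_url; (2) per-extension entries in the
# profiles' Preferences / Secure Preferences JSON, flagging rooted (side-loaded) paths;
# (3) the ScriptBlockLogging policy state plus a grep over already-logged 4104 events.
# Assumptions: default profile paths (Whale path assumed), the usual store update URLs,
# the Chromium extensions.settings layout, and a heuristic 4104 regex. Needs PowerShell 5+.

$StoreUpdateUrls = @(
    'https://clients2.google.com/service/update2/crx',          # Chrome Web Store
    'https://edge.microsoft.com/extensionwebstorebase/v1/crx'   # Microsoft Edge Add-ons
)
$ExtensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
    "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"              # assumed Whale path
)

function Get-ProfileDirs {
    foreach ($root in $ExtensionRoots) {
        if (Test-Path $root) { Get-ChildItem -Path $root -Directory }
    }
}

function Get-BrowserExtensions {
    # Layout: <User Data>\<profile>\Extensions\<extension id>\<version>\manifest.json
    foreach ($profile in Get-ProfileDirs) {
        $extDir = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extDir)) { continue }
        foreach ($ext in Get-ChildItem -Path $extDir -Directory) {
            foreach ($manifest in Get-ChildItem -Path $ext.FullName -Recurse -Depth 1 -Filter manifest.json) {
                try { $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json } catch { continue }
                [pscustomobject]@{
                    Browser   = Split-Path (Split-Path $profile.FullName -Parent) -Parent | Split-Path -Leaf
                    Profile   = $profile.Name
                    Id        = $ext.Name
                    Name      = $m.name            # '__MSG_*__' means a localized name (see _locales)
                    Version   = $m.version
                    UpdateUrl = $m.update_url
                    FromStore = ($m.update_url -in $StoreUpdateUrls)   # no update_url -> $false
                    Path      = $manifest.DirectoryName
                }
            }
        }
    }
}

function Get-PreferenceExtensionEntries {
    # Chromium records per-extension state under extensions.settings.<id> in Preferences and
    # Secure Preferences (layout assumed from Chromium). A rooted path means the extension is
    # loaded from outside the Extensions folder, i.e. it was side-loaded.
    foreach ($profile in Get-ProfileDirs) {
        foreach ($file in 'Preferences', 'Secure Preferences') {
            $p = Join-Path $profile.FullName $file
            if (-not (Test-Path $p)) { continue }
            try { $j = Get-Content -Path $p -Raw | ConvertFrom-Json } catch { continue }
            $settings = $j.extensions.settings
            if ($null -eq $settings) { continue }
            foreach ($prop in $settings.PSObject.Properties) {
                [pscustomobject]@{
                    Profile    = $profile.Name
                    File       = $file
                    Id         = $prop.Name
                    Path       = $prop.Value.path
                    SideLoaded = [System.IO.Path]::IsPathRooted([string]$prop.Value.path)
                }
            }
        }
    }
}

function Get-ScriptBlockLoggingState {
    # Policy key written by the "Turn on PowerShell Script Block Logging" GPO setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{ Enabled = ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1); Key = $key }
}

function Get-SuspiciousScriptBlockEvents {
    param([int]$MaxEvents = 1000)
    # Event 4104 carries the script block text; the regex is an assumed heuristic for
    # browser-profile tampering, not a reproduction of Volexity's indicators.
    $pattern = 'Secure Preferences|\\Extensions\\|manifest\.json|load-extension'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = {
            $s = $_.Message -replace '\s+', ' '; $s.Substring(0, [Math]::Min(200, $s.Length)) } }
}

# Usage (elevated PowerShell on the host under triage):
Get-BrowserExtensions | Where-Object { -not $_.FromStore } |
    Format-Table Browser, Profile, Id, Name, Version, UpdateUrl -AutoSize
Get-PreferenceExtensionEntries | Where-Object { $_.SideLoaded } | Format-Table -AutoSize
Get-ScriptBlockLoggingState
Get-SuspiciousScriptBlockEvents | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: an extension with no store update_url may equally be an enterprise-deployed or unpacked developer extension, so each hit should be matched against what the organization actually deploys. If the logging state comes back disabled, the 4104 search only covers whatever happened to be logged before, so enable the policy first and re-run once the host has been in use.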

The average user, however, need not worry too much, because this group's victims are specifically targeted. Of course, if you work in a field that might interest them, you are in the crosshairs.

A SHARPEXT threat assessment was conducted by a former military and police intelligence analyst.

Ian Thornton-Trump is Chief Information Security Officer (CISO) at Cyjax and a cyber threat intelligence specialist. A former criminal intelligence analyst with the Royal Canadian Mounted Police who also served in the military intelligence branch of the Canadian Forces, he is well placed to assess this type of alleged nation-state-aligned threat.

“It’s interesting to me for several reasons. First of all, I think North Korea is trying to be more proactive and more threatening, because the world’s attention is much more focused on the geopolitical ambitions of Russia and China. North Korea no longer receives the attention it once had. North Korea’s nuclear weapons threat, missile tests and cyberattacks have been reduced to little more than background noise as attention shifts to the pandemic, war in Europe and global climate change,” explains Ian Thornton-Trump.

While confirming that malicious browser extensions are nothing new for North Korea-linked hacker groups, Ian Thornton-Trump admitted to being somewhat surprised that the threat is not focused on ransomware or on malware targeting cryptocurrency wallets. “North Korea remains an international pariah state when it comes to accessing financial services, and it has survived through the efficient operation of cryptocurrency exchanges and wallets to support its economy,” says Ian Thornton-Trump.

The direct targeting of Gmail content is likely spying-oriented.

Regarding SHARPEXT, Ian Thornton-Trump agrees that directly targeting Gmail content displayed in a web browser is far more espionage-oriented: “It could be seen as a change in tactics, but attacks via email have a broad impact and are perfect for lateral movement to third-party applications as well as for accessing sensitive information.”

Once the host has been compromised, Ian Thornton-Trump says it would be interesting to know whether the threat actor stayed in listen-only mode, simply exfiltrating data, or pivoted to active exploitation.

“You would think that today, the protections built into the Microsoft operating system, extended detection and response (XDR) and endpoint detection and response (EDR), as well as the protection against browser malware in the Windows version of Chrome, would easily prevent these attacks, especially on workstations where one might think that PowerShell activity is rare for most users in the affected organizations,” concludes Ian Thornton-Trump.

Article translated from Forbes US – Author: Davey Winder
