North Korean hacker working with laptop showing malicious Chrome extension stealing Gmail emails

North Korean Hackers Are Stealing Gmail Emails Using a Malicious Chrome Extension

German and South Korean authorities have published a joint cybersecurity advisory about a North Korean threat actor stealing Gmail emails via a malicious Chrome extension.

According to German Bundesamt für Verfassungsschutz (BfV) and the National Intelligence Service of the Republic of Korea (NIS), the attack begins with a spear-phishing campaign convincing the target to install the malicious extension via a link.

The authorities also documented the North Korean hackers exploiting Google Play’s synchronization function to install Android malware.

Malicious Chrome extension abuses DevTools API to steal Gmail emails

The joint cybersecurity advisory attributed the campaign to North Korean hackers Kimsuky, also known as Thallium or Velvet Chollima.

Named “AF,” the malicious Chrome extension runs on Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave. However, it does not automatically appear on the extensions list and only appears after visiting the “chrome|edge|brave://extensions” page.

The malicious Chrome extension activates and extracts the victims’ Gmail emails when they visit their account via the infected browser. It then sends them to the threat actor’s server by abusing the DevTools API to bypass security.

Although the campaign targets victims in South Korea, the threat actor could use the same tactics to target individuals working for organizations in the US, Europe, and other parts of the world.

A sister hacking campaign leverages a malicious Android app

The joint cybersecurity advisory also discovered another campaign leveraging a malicious Android app to steal user information.

The attacker logs into the victim’s Google account they previously exploited through phishing emails and other methods. They then abused Google Play’s web-smartphone synchronization function to install a remote access trojan (RAT).

Having registered the malicious app for internal testing, they submit the victim’s smartphone as a test device and initiate the app installation process. Once installed, the trojan allows the hackers to manage and steal files and contacts, monitor SMS, make calls, access the camera, view the desktop, and log keystrokes.

BfV and NIS advised users to protect their Google accounts with two-factor authentication and take precautions when opening emails to prevent initial exploitation.

Kimsuky’s history of using malicious browser extensions

This is hardly the first time the North Korean hacking group has targeted individuals who work on topics involving North Korea and the larger Korean peninsula with malicious Chrome extensions.

In 2021, cybersecurity firm Volexity discovered a similar campaign by Kimsuky, tracked as ‘SharpTongue,’ leveraging a browser extension ‘SHARPEXT.’

The campaign targeted individuals working on “topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.” It leveraged the malicious Chrome extension to steal thousands of emails from Gmail and AOL from high-value targets in the United States, Europe, and South Korea. The extension could run on Google Chrome, Microsoft Edge, and Naver Whale browsers.

According to the researchers, that was the first time they observed a threat actor using a malicious extension during an attack’s post-exploitation phase.

Stealing Gmail emails via a stealth malicious Chrome extension obscures the threat actor’s activity from Google, making the attack difficult to stop. Additionally, the strategy saves the threat actor the trouble of bypassing login and two-factor authentication to access Gmail emails. The threat actor did not steal any usernames or passwords during the hacking campaign.

“This joint cybersecurity advisory emphasizes the continued development of threat actors utilizing spear-phishing tactics to conduct espionage against specific targets,” said Joe Gallop, Cyber Threat Intelligence Manager at Cofense. “According to the report, the threat actor sends a phishing email to trick targets into installing a malicious extension in Chromium-based browsers, which in turn enables the threat actor to steal a target’s Gmail emails.”

Gallop advises organizations to be proactive in security to identify cyber threats that might compromise users’ Gmail emails.

“It is crucial to take the appropriate actions to safeguard inboxes, identify dangers, and react to an attack as phishing campaigns continue to increase in frequency,” Gallop said. “Implementing actionable intelligence will help keep hostile actors at bay and maintain the protection of sensitive data by providing visibility into the risk variables in your network and prompt, decisive responses to phishing threats.”