Hackers backed by North Korea have devised a clever method to read your Gmail

North Korean hackers are reading and downloading email and attachments from infected users’ Gmail and AOL accounts using never-before-seen malware.

The malware, dubbed SHARPEXT by Volexity researchers, uses devious methods to install a browser extension for Chrome and Edge browsers.

It is targeting organisations in the United States, Europe, and South Korea that work on nuclear weapons and other issues important to North Korea’s national security.

Attackers must first obtain a duplicate of the resources.

The browser’s pak file (which contains the HMAC seed used by Chrome).

The script looks for a specific keyword in the tab title (for example, ‘05101190’ or ‘Tab+’ depending on the SHARPEXT version).

DevTools is enabled on the active tab at the end of this process, but the window is hidden.

If extensions are running in developer mode, Microsoft Edge will display a warning message to the user on a regular basis.

The SHARPEXTRA extension can make the following requests on a victim’s computer:

Upload AOL data to the remote server, add a domain to the victim’s list of all domains visited, and upload a list of attachments to be exfiltrated.

According to Volexity, the threat posed by this malware has grown over time and is unlikely to go away anytime soon.