The extension can't be detected by the email services, and since the browser has already been authenticated using any multifactor authentication protections in place, this increasingly popular security measure plays no role in reining in the account compromise.

Volexity President Steven Adair said in an email that the extension gets installed "by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft." In its current incarnation, the malware works only on Windows, but Adair said there's no reason it couldn't be broadened to infect browsers running on macOS or Linux, too.

The blog post added: "Volexity's own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware's deployment."

Installing a browser extension during a phishing operation without the end-user noticing isn't easy. After modifying the preference files, SHARPEXT automatically loads the extension and executes a PowerShell script that enables DevTools, a setting that allows the browser to run customized code and settings.

"The script runs in an infinite loop checking for processes associated with the targeted browsers," Volexity explained. "If any targeted browsers are found running, the script checks the title of the tab for a specific keyword (for example '05101190' or 'Tab+' depending on the SHARPEXT version).
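Because the install path described above relies on editing the browser's preference files rather than going through the Web Store, one practical hunt is to audit those files for extension entries that were side-loaded. The following is an added defensive example written for this article; it is not Volexity's code and not derived from the SHARPEXT sample. It parses a Chromium-style `Preferences` JSON file and flags extension entries whose `from_webstore` flag is false, whose `location` value marks an unpacked or command-line load, or whose `path` is absolute (Web Store extensions are stored under a relative directory inside the profile). The key names and the numeric `location` values are assumptions drawn from the Chromium source as the author of this example recalls it; the sample preferences content and extension ids are constructed for illustration. A fuller check would also cover the profile's `Secure Preferences` file and compare results against an allow-list of expected extensions.

```python
import json
from typing import Any

# Chromium's Manifest::Location values that indicate an extension loaded from
# a local directory rather than the Web Store. The numeric values are an
# assumption of this example (from the Chromium source as recalled), not
# something the article states.
LOCATION_UNPACKED = 4
LOCATION_COMMAND_LINE = 8
SIDELOADED_LOCATIONS = {LOCATION_UNPACKED, LOCATION_COMMAND_LINE}

# Constructed sample of a Chromium "Preferences" file. Extension ids are
# fabricated 32-letter strings and the paths are invented; this is not data
# from a real victim profile.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "location": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\2.3.1_0",
                "state": 1,
                "manifest": {"name": "Store Extension", "version": "2.3.1"},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\user\\AppData\\Roaming\\ext",
                "state": 1,
                "manifest": {"name": "Helper", "version": "1.0"},
            },
        }
    }
})


def _is_absolute_path(path: str) -> bool:
    """Web Store extensions live in a relative directory under the profile;
    an absolute Windows or POSIX path means the code is loaded from elsewhere."""
    return path.startswith("/") or (len(path) > 1 and path[1] == ":")


def audit_extensions(prefs_text: str) -> list[dict[str, Any]]:
    """Return one finding per extension entry that looks side-loaded.

    Each finding carries the extension id, its manifest name, whether it is
    currently enabled (state == 1, an assumption about Chromium's encoding),
    and the list of reasons it was flagged.
    """
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings: list[dict[str, Any]] = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("from_webstore is false")
        if entry.get("location") in SIDELOADED_LOCATIONS:
            reasons.append(f"location={entry.get('location')} (unpacked/command line)")
        path = entry.get("path", "")
        if _is_absolute_path(path):
            reasons.append(f"absolute path {path}")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": entry.get("manifest", {}).get("name", "<unknown>"),
                "enabled": entry.get("state") == 1,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; on a real host, read the profile's
    # Preferences file instead (path varies by browser and platform).
    for finding in audit_extensions(SAMPLE_PREFERENCES):
        status = "enabled" if finding["enabled"] else "disabled"
        print(finding["id"], finding["name"], status, "; ".join(finding["reasons"]))
```

Run as-is it reports only the second, side-loaded entry; point it at a real profile's `Preferences` file and review anything flagged against what the user actually installed. Because Chromium preference files are rewritten frequently, the audit is best taken periodically or from a forensic image rather than once.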