According to Volexity, SHARPEXT infects devices via browser extension installation. The malware campaign supports Google Chrome, Microsoft Edge and Naver Whale, and it’s targeting users US, Europe and South Korea. Investigators tracked its origin to a North Korean-backed hacking group publicly known as “Kimsuky.”
SHARPEXT is a silent spy
You may be wondering, “How do I know if my device is infected with SHARPEXT?” Unfortunately, this malicious infiltrator is difficult to detect. “By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging” the Volexity report said. To make matters worse, there is no conspicuous malicious coding present in the extension itself, which makes it difficult for antivirus scanners to flag it. Volexity President Steven Adair told Ars Technica that victims are fooled into opening SHARPEXT-packed malicious programs via social engineering and “spear phishing,” a tactic that involves masquerading as a trusted source to bait victims into clicking malware-infested content. The SHARPEXT malware campaign, which has been around for “well over a year,” managed to steal thousands of emails from numerous victims so far. Adding to the creep factor, Volexity researchers said that “a dedicated folder for the infected user is created containing the required files for the extension.” In other words, once you become a SHARPEXT victim, a file is created — just for you — to keep track of your email data. Eek! To dodge SHARPEXT, Volexity suggests blocking the indicators of compromise (IOCs) which they’ve compiled on Github (opens in new tab). The cybersecurity firm also recommends periodically reviewing your browser extensions to keep suspicious malware at bay. Be sure to check out our best antivirus apps, too. You can never be too safe.