A new modus operandi has been created by North Korean hackers to spy on PCs around the world, including the United States and Europe. Watch your Chrome extensions very closely!
Hackers working on behalf of North Korea have come up with a clever way to gain access to their victims’ Gmail messages. Via an elaborate phishing campaign, they manage to install an extension for Chrome and for Edge, both of which can accommodate the same extensions (these are two browsers running on the Chromium engine).
The first nuclear installations targeted
Once the extension is downloaded and installed, the viral load of the malware can spread in the PC. The latter in particular executes a Powershell script which allows it to execute arbitrary code by activating the DevTools, a set of tools normally intended for developers.
The malware is able to detect all processes related to web browsers, including tabs and their titles. As soon as a keyword appears in the tab title, the malware can extract everything found in the web page. According to Volexity, which first spotted the software, it seeks to collect login information for Gmail accounts.
It is also able to avoid the effort of searching through a web page by adding addresses to a blacklist. According to security researchers, the extension has been around for more than a year, and specifically targets government agencies in South Korea, the United States, and Europe. Pirates are more specifically interested in nuclear installations…
The extension in question is obviously not available in the official Chrome store. The campaign of phishing precisely aims to trick victims into installing it of their own free will. For these reasons, it is difficult to guard against it, so as always, caution and distrust are therefore more important than ever!
Bitdefender Plus Antivirus