Chinese hackers use malicious Mozilla Firefox browser extension to compromise Gmail accounts

A new cyber-espionage campaign is targeting Tibetan organizations globally by deploying a malicious Mozilla Firefox browser extension in order to access and control users’ Gmail accounts. Named “FriarFox”, the browser extension appears to be the work of a China-linked advanced persistent threat (APT) tracked as TA413, a group focused on espionage and on the surveillance of civil dissidents, including the Tibetan Diaspora.

According to researchers at Proofpoint, the campaign has been active since at least 2020 and also involved the Scanbox and Sepulcher malware in addition to the FriarFox extension.

In the observed attacks, the hackers compromised targets with a phishing email impersonating the “Tibetan Women's Association”. The email contained a link directing potential victims to a fake Adobe Flash Player update-themed page, which runs several JavaScript scripts that deliver the FriarFox extension. However, the extension is delivered only if several conditions are met, specifically if the user is browsing with Firefox and is using Gmail in that browser.

Once the extension was installed, the threat actor gained access to the victim’s Gmail account and was able to perform various activities, such as searching emails, archiving messages, reading emails, receiving notifications, labeling emails, marking messages as spam, deleting emails, refreshing the inbox, forwarding emails, modifying alerts in the browser, deleting emails from the Trash folder, and sending emails.

The researchers said that FriarFox appears to be based on “Gmail Notifier (restartless)”, a free tool that allows users to receive notifications and perform certain Gmail actions on up to five Gmail accounts that are actively logged in simultaneously.
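A defender-side check suggested by the delivery conditions above (Firefox plus an active Gmail session) and by the Gmail access the extension gained, added here as an example and not code from Proofpoint's report or from FriarFox: it triages the add-ons recorded in a Firefox profile's extensions.json and reports active extensions whose host permissions reach mail.google.com while also being unsigned or holding cookie access. The field names used (addons, userPermissions, signedState) and the embedded sample are assumptions about that file's format; a legitimate Gmail notifier built the same way would also be reported, so hits are review candidates, not verdicts.

```python
import json

# Constructed sample in the shape of a Firefox profile's extensions.json.
# The field names used below (addons, userPermissions, signedState) are an
# assumption about that file's format; the second entry uses a placeholder id.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
     "signedState": 2, "defaultLocale": {"name": "uBlock Origin"},
     "userPermissions": {"permissions": ["tabs", "storage", "webRequest"],
                         "origins": ["<all_urls>"]}},
    {"id": "notifier@placeholder.invalid", "type": "extension", "active": True,
     "signedState": 0, "defaultLocale": {"name": "Gmail Notifier"},
     "userPermissions": {"permissions": ["tabs", "cookies", "webRequest"],
                         "origins": ["https://mail.google.com/*"]}},
]})

# Host patterns that can reach Gmail, including the catch-all forms.
GMAIL_REACHING = ("mail.google.com", "<all_urls>", "*://*/*", "https://*/*")
SIGNED = 2  # assumption: Firefox records a fully signed add-on as 2

def reaches_gmail(origin):
    return any(pattern in origin for pattern in GMAIL_REACHING)

def triage_extensions(extensions_json_text):
    """Return (id, name, reasons) for active extensions worth a closer look.

    An extension is reported only when its host permissions reach Gmail AND
    it is either not fully signed or can read cookies (session access).
    """
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons are skipped
        perms = addon.get("userPermissions") or {}
        if not any(reaches_gmail(o) for o in perms.get("origins", [])):
            continue
        reasons = []
        if addon.get("signedState", 0) < SIGNED:
            reasons.append("not fully signed")
        if "cookies" in perms.get("permissions", []):
            reasons.append("holds the cookies permission")
        if reasons:
            reasons.insert(0, "host permission reaches mail.google.com")
            name = (addon.get("defaultLocale") or {}).get("name", "?")
            findings.append((addon["id"], name, reasons))
    return findings

if __name__ == "__main__":
    for ext_id, name, reasons in triage_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{name} ({ext_id}): {'; '.join(reasons)}")
```

On a real host, read the profile's extensions.json into `triage_extensions` instead of the constructed sample.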

“In recent campaigns identified in February 2021, browser extension delivery domains have prompted users to “Switch to the Firefox Browser” when accessing malicious domains using the Google Chrome Browser,” Proofpoint noted in its report.

In addition to the FriarFox browser extension, the attackers also utilized the Scanbox PHP and JavaScript-based reconnaissance framework, which is primarily used by Chinese APTs and shared across multiple groups. The tool is capable of tracking visitors to specific websites, performing keylogging, and collecting user data that can be leveraged in future intrusion attempts.

“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint said. “While not conventionally sophisticated when compared to other active APT groups, TA413 combines modified open source tools, dated shared reconnaissance frameworks, a variety of delivery vectors, and very targeted social engineering tactics. The result is that this group finds mileage from previously disclosed tools like Scanbox and Royal Road by varying the method of their introduction to the victim environment. Apart from the custom toolsets observed in Exile Rat, Sepulcher, and other now dated implants, TA413 appears to be pivoting to modified open source tooling to compromise the global dissident organizations they have been tasked with surveilling.”