Researchers at a cybersecurity company Proofpoint unearthed a new phishing and espionage campaign that has been targeting vulnerable Tibetan communities since March 2020. Attackers deployed a malicious Firefox extension which allowed them to control victims’ Gmail accounts.
“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint said in an analysis.
Proofpoint named this malicious browser extension “FriarFox” and attributes it to TA413, a China-linked hacker group that earlier this year deployed other malware such as Scanbox and Sepulcher to Tibetan organizations.
The attackers’ goal, Proofpoint believes, was one of espionage and civil dissident surveillance.
The attack chain
The attack starts with a phishing email mimicking Tibetan Women’s Association sent from a TA413-linked Gmail account that’s been known to present itself as the Bureau of His Holiness the Dalai Lama in India.
The emails contain a malicious link to YouTube that in fact takes the user to a fake “Adobe Flash Player Update” landing page. This is where they prompt the user to install the malicious Firefox extension.
The extension that looks like an Adobe Flash-related tool is mostly based on a tool named “Gmail Notifier (restartless),” the researchers said. Hackers made significant alterations to add malicious capabilities to it.
The campaign is targeting only users of Firefox Browser who are logged in to their Gmail accounts, the researchers found. Once successful, bad actors get access to browser tabs and user data for all websites, and also the ability to search, read, delete, and even forward and send emails from the hacked Gmail account.
This is the latest atack in a whole series of campaigns that abuse the now defunct Adobe Flash Player which reached end-of-life on December 31, 2020. Yesterday, we reported on another malicious browser extension downloading malware in Adobe’s disguise.