Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems.
“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint said in an analysis.
The Sunnyvale-based enterprise security company pinned the phishing operation on a Chinese advanced persistent threat (APT) it tracks as TA413, which has been previously attributed to attacks against the Tibetan diaspora by leveraging COVID-themed lures to deliver the Sepulcher malware with the strategic goal of espionage and civil dissident surveillance.
The researchers said the attacks were detected in January and February 2021, a pattern that has continued since March 2020.
The infection chain begins with a phishing email impersonating the “Tibetan Women’s Association” using a TA413-linked Gmail account that’s known to masquerade as the Bureau of His Holiness the Dalai Lama in India.
The emails contain a malicious URL, supposedly a link to YouTube, when in fact, it takes users to a fake “Adobe Flash Player Update” landing page where they are prompted to install a Firefox extension that Proofpoint calls “FriarFox.”
For its part, the rogue extension — named “Flash update components” — disguises itself as an Adobe Flash-related tool, but the researchers said it’s largely based on an open-source tool named “Gmail Notifier (restartless)” with significant alterations that add malicious capabilities, including incorporating modified versions of files taken from other extensions such as Checker Plus for Gmail.
The timing of this development is no coincidence, as Adobe officially began blocking Flash content from running in browsers starting January 12. The rich multimedia format reached end-of-life on December 31, 2020.
Interestingly, it appears that the operation is targeting only users of Firefox Browser who are also logged in to their Gmail accounts, as the add-on is never delivered in scenarios when the URL in question is visited on a browser such as Google Chrome or in cases where the access happens via Firebox, but the victims don’t have an active Gmail session.
“In recent campaigns identified in February 2021, browser extension delivery domains have prompted users to ‘Switch to the Firefox Browser’ when accessing malicious domains using the Google Chrome Browser,” the researchers said.
Besides having access to browser tabs and user data for all websites, the extension comes equipped with features to search, read, and delete messages and even forward and send emails from the compromised Gmail account.
Additionally, FriarFox also contacts an attacker-controlled server to retrieve a PHP and JavaScript-based payload called Scanbox.
Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, capture keystrokes, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified in order to deliver second-stage malware on targeted hosts.
Campaigns using Scanbox were previously spotted in March 2019 by Recorded Future targeting visitors to the website of Pakistan’s Directorate General of Immigration and Passports (DGIP) and a fake typosquatted domain claiming to be the official Central Tibetan Administration (CTA).
The introduction of the FriarFox browser extension in TA413’s arsenal points to APT actors’ “insatiable hunger” for access to cloud-based email accounts, says Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection.
“The complex delivery method of the tool […] grants this APT actor near total access to the Gmail accounts of their victims, which is especially troubling as email accounts really are among the highest value assets when it comes to human intelligence,” DeGrippo noted.
“Almost any other account password can be reset once attackers have access to someone’s email account. Threat actors can also use compromised email accounts to send email from that account using the user’s email signature and contact list, which makes those messages extremely convincing.”