The malicious extension, FriarFox, snoops in on both Firefox and Gmail-related data.
A newly uncovered cyberattack is taking control of victims’ Gmail accounts, by using a customized, malicious Mozilla Firefox browser extension called FriarFox. Researchers say the threat campaign, observed in January and February, targeted Tibetan organizations and was tied to TA413, a known advanced persistent threat (APT) group that researchers believe to be aligned with the Chinese state. The group behind this attack aims to gather information on victims by snooping in on their Firefox browser data and Gmail messages. After installation, FriarFox gives cybercriminals various types of access to users’ Gmail accounts and Firefox browser data. For instance, cybercriminals have the ability to search, read, label, delete, forward and archive emails, receive Gmail notifications and send mail from the compromised account. And, given their Firefox browser access, they could access user data for all websites, display notifications, read and modify privacy settings, and access browser tabs.
The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users, combined with the delivery of Scanbox malware, demonstrates the malleability of TA413 when targeting dissident communities.
The Cyberattack: Stemming From Malicious Emails
The attack stemmed from phishing emails (first detected in late January), targeting several Tibetan organizations. One of the emails uncovered by researchers purported to be from the “Tibetan Women’s Association,” which is a legitimate group based in India. The subject of the email was: “Inside Tibet and from the Tibetan exile community.” Researchers noted that the emails were delivered from a known TA413 Gmail account, which has been in use for several years. The email impersonates the Bureau of His Holiness the Dalai Lama in India, said researchers. The email contained a malicious URL, which impersonated a YouTube page (hxxps://you-tube[.]tv/). In reality, this link took recipients to a fake Adobe Flash Player update-themed landing page, where the process of downloading the malicious browser extension begins.
Fake Adobe Flash Player Page and FriarFox Download
FriarFox Browser Extension: Malicious Capabilities
Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, IT Service, IT Security MAC repair,
PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.