Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems using Gmail accounts.

The activity is linked to a Chinese APT tracked as TA413, which has previously been attributed to attacks against the Tibetan diaspora that leveraged COVID-themed lures to deliver the Sepulcher malware, with the strategic goal of espionage and civil dissident surveillance.

The infection chain begins with a phishing email impersonating the “Tibetan Women’s Association”, sent from a TA413-linked Gmail account that’s known to masquerade as the Bureau of His Holiness the Dalai Lama in India. The email contains a malicious URL, supposedly a link to YouTube, that takes the user to a fake Adobe Flash Player update page prompting them to install the FriarFox extension.

The rogue extension named “Flash update components” disguises itself as an Adobe Flash-related tool, but the researchers said it’s largely based on an open-source tool named “Gmail Notifier (restartless)” with significant alterations that add malicious capabilities, including incorporating modified versions of files taken from other extensions such as Checker Plus for Gmail.

It appears that the operation targets only users of the Firefox browser who are also logged in to their Gmail accounts: the add-on is never delivered when the URL in question is visited in a browser such as Google Chrome, or when the access happens via Firefox but the victim doesn’t have an active Gmail session.

Besides having access to browser tabs and user data for all websites, the extension comes equipped with features to search, read, and delete messages and even forward and send emails from the compromised Gmail account.
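A defender-side check for the capability combination described above, as an added example that is not from the researchers' report: it reads a Firefox profile's `extensions.json` and flags add-ons that hold tabs or all-sites access and were not installed from addons.mozilla.org. The field and location names reflect the profile file's layout as assumed here, and the sample records, add-on ids and hosts are constructed.

```python
import json
from urllib.parse import urlparse

BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TRUSTED_HOSTS = {"addons.mozilla.org"}  # assumption: policy allows AMO installs only
BUILTIN_LOCATIONS = {"app-builtin", "app-system-defaults"}  # assumed location names

def audit_addons(extensions_json_text):
    """Flag add-ons with tabs/all-sites access that came from an untrusted source."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") in BUILTIN_LOCATIONS:
            continue
        perms = addon.get("userPermissions") or {}
        granted = set(perms.get("permissions") or []) | set(perms.get("origins") or [])
        access = []
        if granted & BROAD_ORIGINS:
            access.append("data on all websites")
        if "tabs" in granted:
            access.append("browser tabs")
        # A missing sourceURI (for example a sideloaded XPI) counts as untrusted.
        host = urlparse(addon.get("sourceURI") or "").hostname
        if access and host not in TRUSTED_HOSTS:
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name", "?"),
                "access": access,
                "source": host or "unknown",
            })
    return findings

# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "notifier@example.test", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Mail notifier"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/n.xpi",
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
    {"id": "flash-update@example.test", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Flash update components"},
     "sourceURI": "https://updates.example.test/flash.xpi",
     "userPermissions": {"permissions": ["tabs", "storage"], "origins": ["<all_urls>"]}},
    {"id": "theme@example.test", "type": "theme", "location": "app-profile",
     "sourceURI": None, "userPermissions": None},
]})

if __name__ == "__main__":
    for f in audit_addons(SAMPLE):
        print(f"REVIEW {f['id']} ({f['name']}): {', '.join(f['access'])}; source={f['source']}")
```

A flagged entry is a prompt for manual review, not a verdict: legitimately sideloaded enterprise add-ons will also appear until their hosts are added to `TRUSTED_HOSTS`.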

FriarFox also contacts an attacker-controlled server to retrieve a PHP and JavaScript-based payload called Scanbox.

Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, capture keystrokes, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified in order to deliver second-stage malware on targeted hosts.

The introduction of the FriarFox browser extension in TA413’s arsenal points to APT actors’ “insatiable hunger” for access to cloud-based email accounts,

“Almost any other account password can be reset once attackers have access to someone’s email account. Threat actors can also use compromised email accounts to send email from that account using the user’s email signature and contact list, which makes those messages extremely convincing.”