Cybersecurity researchers today disclosed a new campaign aimed at spying on vulnerable Tibetan communities worldwide by deploying a malicious Firefox extension on target systems.
“Threat actors aligned with the Chinese Communist Party state interests delivered a modified malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint said in an analysis.
The Sunnyvale-based enterprise security company attributed the phishing operation to a Chinese advanced persistent threat (APT) group it tracks as TA413. The same group was previously linked to attacks against the Tibetan diaspora that used COVID-themed lures to deliver the Sepulcher malware, with the strategic goal of espionage and surveillance of civil dissidents.
Researchers said the attacks were detected in January and February 2021, continuing a pattern that has persisted since March 2020.
The infection chain begins with a phishing email impersonating the “Tibetan Women’s Association,” sent from a TA413-linked Gmail account that is known to masquerade as the Office of His Holiness the Dalai Lama in India.
The emails include a malicious URL, supposedly a link to YouTube, that actually takes users to a fake “Adobe Flash Player Update” landing page where they are prompted to install a Firefox extension that Proofpoint calls “FriarFox.”
For its part, the rogue extension, named “Flash update components,” disguises itself as an Adobe Flash-related tool, but the researchers said it is largely based on an open-source tool called “Gmail Notifier (restartless)” with significant modifications that add malicious capabilities, including modified versions of files taken from other extensions such as Checker Plus for Gmail.
The timing of this development is no coincidence: Adobe officially began blocking Flash content from running in browsers on January 12, following the format’s end of life on December 31, 2020.
Interestingly, the operation appears to target only Firefox users who are also logged in to their Gmail accounts. The add-on is never served when the URL in question is visited in a browser such as Google Chrome, nor when the visit comes from Firefox but the victim has no active Gmail session.
“In recent campaigns observed in February 2021, browser extension delivery domains have prompted users to ‘Switch to the Firefox Browser’ when accessing malicious domains using Google Chrome Browser,” the researchers said.
Once installed, the extension, in addition to accessing browser tabs and user data for all websites, includes features to search, read and delete messages, and even to forward and send emails from the compromised Gmail account.
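The reach described above (every tab, every site, and the victim’s mailbox) is something a Firefox WebExtension has to declare up front in its manifest.json, which gives defenders a cheap triage signal: an add-on whose declared permissions are far broader than its stated purpose. The script below is an added example written for this article; it is not code from Proofpoint or from the campaign. It assumes only the documented WebExtension manifest layout (host patterns under `permissions` in manifest v2, `host_permissions` in v3) and the fact that Firefox stores installed add-ons as `.xpi` zip files under a profile’s `extensions/` directory. The two manifests embedded in it are constructed for illustration.

```python
"""Triage the declared permissions of Firefox WebExtension manifests.

Added example (not code from the article or from Proofpoint).  The sample
manifests below are constructed, not recovered from any real add-on.
"""
import json
import pathlib
import zipfile
from typing import Dict, List

# API permissions that let an extension observe or act on other sites' sessions.
SENSITIVE_APIS = {
    "tabs": "enumerate and script open tabs",
    "cookies": "read session cookies for permitted hosts",
    "webRequest": "observe or modify HTTP traffic",
    "webRequestBlocking": "block or rewrite HTTP traffic",
    "webNavigation": "track page navigation",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to a native helper process",
    "history": "read browsing history",
}

# Host patterns that amount to "every site" in Firefox match-pattern syntax.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: dict) -> List[str]:
    """Collect host match patterns from both manifest v2 and v3 layouts."""
    pats = [p for p in manifest.get("permissions", [])
            if "://" in p or p == "<all_urls>"]
    pats += manifest.get("host_permissions", [])
    return pats


def triage_manifest(manifest: dict, expected_hosts: List[str]) -> Dict[str, object]:
    """Return findings for one manifest, given the hosts its stated purpose needs.

    A mail notifier, for instance, has no reason to ask for more than the
    webmail host; anything beyond that is flagged.
    """
    apis = [p for p in manifest.get("permissions", []) if p in SENSITIVE_APIS]
    hosts = _host_patterns(manifest)
    all_sites = any(h in ALL_HOSTS for h in hosts)
    unexpected = [h for h in hosts if h not in ALL_HOSTS and h not in expected_hosts]
    score = len(apis) + (3 if all_sites else 0) + len(unexpected)
    return {
        "name": manifest.get("name", "?"),
        "sensitive_apis": {a: SENSITIVE_APIS[a] for a in apis},
        "all_sites": all_sites,
        "unexpected_hosts": unexpected,
        "risk": "high" if score >= 3 else "medium" if score else "low",
    }


def scan_profile(profile_dir: str, expected_hosts: List[str]) -> List[Dict[str, object]]:
    """Triage every installed add-on in a Firefox profile directory.

    Assumes each <profile>/extensions/*.xpi is a zip with manifest.json at its root.
    """
    findings = []
    for xpi in sorted((pathlib.Path(profile_dir) / "extensions").glob("*.xpi")):
        with zipfile.ZipFile(xpi) as z:
            manifest = json.loads(z.read("manifest.json"))
        f = triage_manifest(manifest, expected_hosts)
        f["file"] = xpi.name
        findings.append(f)
    return findings


# Constructed manifests.  The first resembles a minimal mail-notifier add-on;
# the second declares the kind of reach the article attributes to FriarFox.
NOTIFIER_ONLY = {
    "manifest_version": 2,
    "name": "Example mail notifier (constructed)",
    "permissions": ["alarms", "notifications", "https://mail.google.com/*"],
}
OVERREACHING = {
    "manifest_version": 2,
    "name": "Constructed overreaching add-on",
    "permissions": ["tabs", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
}

if __name__ == "__main__":
    for m in (NOTIFIER_ONLY, OVERREACHING):
        print(json.dumps(triage_manifest(m, ["https://mail.google.com/*"]), indent=2))
```

Run it as is to see the two constructed manifests triaged, or point `scan_profile()` at a real profile directory to list every installed add-on with its findings. The scoring is deliberately simple: it is a triage aid for deciding which add-ons deserve a closer look, not a verdict on malice.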
Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, capture keystrokes, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified to deliver second-stage malware to targeted visitors.
Campaigns using Scanbox were previously observed in March 2019 by Recorded Future, targeting visitors to the Pakistan Directorate-General for Immigration and Passports (DGIP) website and a typosquatted domain purporting to be the official Central Tibetan Administration (CTA).
The introduction of the FriarFox browser extension into the TA413 arsenal points to APT actors’ “insatiable hunger” for access to cloud-based email accounts, said Sherrod DeGrippo, Proofpoint’s senior director of research and threat detection.
“The tool’s complex delivery method […] gives this APT actor almost complete access to their victims’ Gmail accounts, which is particularly upsetting as email accounts are actually among the highest value assets of human intelligence,” DeGrippo noted.
“Almost any other account password can be reset once attackers are able to access someone’s email account. Threat actors can also use compromised email accounts to send email from that account using the email signature and the user’s contact list, which makes those messages extremely convincing.”