Thursday, December 26, 2024
HomeCyber Security NewsMalicious Firefox Extension that Allows Attackers to Access and Control Users’ Gmail...

Malicious Firefox Extension that Allows Attackers to Access and Control Users’ Gmail Accounts

Published on

SIEM as a Service

Proofpoint Threat Research has tracked low-volume phishing campaigns targeting Tibetan organizations globally. In January and February 2021, experts observed threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts.

Proofpoint has named this malicious browser extension “FriarFox” and attributes this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021.

The previously reported Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns targeted Tibetan organizations.

- Advertisement - SIEM as a Service

Phishing Email

A phishing email was detected which targeted several Tibetan organizations in late January 2021. The email imitated the “Tibetan Women’s Association” in the From field and utilized the email subject “Inside Tibet and from the Tibetan exile community”.

The email was delivered from a known TA413 Gmail account that has been in use for several years, which imitates the Bureau of His Holiness the Dalai Lama in India. The email contained the following malicious URL that impersonated YouTube: hxxps://you-tube[.]tv/ 

Once the URL is clicked, lead to a fake “Adobe Flash Player Update” themed landing page which executes several JavaScript (“JS”) files that profile the user’s system.

These scripts determine whether to deliver the malicious FireFox Browser extension (“.XPI” file) that Proofpoint has named “FriarFox”. XPI files are compressed installation archives used by various Mozilla applications and contain the contents of a FireFox browser extension.

The use of landing pages for JS redirection is a technique commonly used in watering hole attacks. In this case, the domain is controlled by the threat actors, and the redirection is obtained via a malicious URL contained within a phishing email. 

Threat actors appear to be targeting users that are utilizing a Firefox Browser and are utilizing Gmail in that browser. The user must access the URL from a FireFox browser to receive the browser extension.

Additionally, it appeared that the user must be actively logged in to a Gmail account with that browser to successfully install the malicious XPI file.

After the installation of the FriarFox browser extension, threat actors gain the following access to the user’s Gmail account and FireFox browser data included below.

Gmail Access: Search emails, Archive emails, Receive Gmail notifications, Read emails, Alter FireFox browser audio and visual alert features for the FriarFox extension, Label emails, Marks emails as spam, Delete messages, Refresh inbox, Forward emails, Perform function searches, Delete messages from Gmail trash, Send mail from the compromised account.

FireFox Browser Access – (Based on Granted browser permissions): Access user data for all websites, Display notifications, Read and modify privacy settings, Access browser tabs.

FriarFox Browser Extension

It is largely based on an open-source tool named “Gmail Notifier (restartless)”. This is a free tool available on Github, the Mozilla Firefox Browser ADD-ONS store, and the QQ App store among other locations.

It allows users to receive notifications and perform certain Gmail actions on up to five Gmail accounts that are actively logged in simultaneously. FriarFox has been the only browser instance identified targeting FireFox browsers as an XPI file.

In recent campaigns identified in February 2021, browser extension delivery domains have prompted users to “Switch to the Firefox Browser” when accessing malicious domains using the Google Chrome Browser.

The threat actors hide FriarFox’s existence and their usage of the tool by altering the following: 

  • The PNG file icon appears as an Adobe Flash icon in the browser extension menu, replacing the Gmail icon from the standard Gmail Notifier tool.   
  • The extension metadata description supports its appearance as a Flash update providing the description displayed in the browser extension menu.   
  • All audio and visual browser alerts are set not to alert active users after the time of installation. This conceals FriarFox’s existence and threat actors’ usage from the affected victims.  

ScanBox Malware

Scanbox is a PHP and JavaScript-based reconnaissance framework that dates to 2014. Its usage of PHP and JS enables a file-less malware approach when targeting victims’ hosts. Scanbox is primarily used by Chinese APT’s and shared across multiple groups.

Scanbox has been used in numerous campaigns to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests. The tool is capable of tracking visitors to specific websites, performing keylogging, and collecting user data that can be leveraged in future intrusion attempts.

Conclusion

TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques. TA413 combines modified open-source tools, dated shared reconnaissance frameworks, a variety of delivery vectors, and very targeted social engineering tactics.

The result is that this group finds mileage from previously disclosed tools like Scanbox and Royal Road by varying the method of their introduction to the victim environment.

TA413 appears to be pivoting to modified open source tooling to compromise the global dissident organizations they have been tasked with surveilling. Unlike many APT groups, the public disclosure of campaigns, tools, and infrastructure has not led to significant TA413 operational changes.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...