Malicious Firefox Extension Allows Hackers to Take Control of Gmail Accounts
A newly discovered malicious Firefox extension, FriarFox, is being used to take control of victims’ Gmail accounts. The threat campaign, first observed in January of this year, has targeted Tibetan organizations and is believed to be tied to the TA413 APT group, which researchers believe is backed by the Chinese government. According to researchers, the group behind this attack aims to gather information on victims by snooping on their Firefox browser data and Gmail messages.
After installation, FriarFox gives cybercriminals various types of access to users’ Gmail accounts and Firefox browser data. For instance, cybercriminals have the ability to search, read, label, delete, forward and archive emails, receive Gmail notifications and send mail from the compromised account. And, given their Firefox browser access, they could access user data for all websites, display notifications, read and modify privacy settings, and access browser tabs.
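As a defender-side illustration of the permission profile described above (an added example, not code from the article or from the researchers), the following Python script parses a Firefox profile's extensions.json and flags installed extensions that combine all-site host access, tab, notification and privacy permissions, and a missing signature. The sample extensions.json content, ids and names are constructed placeholders, and the signedState threshold is assumed from Firefox's AddonManager constants.

```python
import json

# WebExtension permissions whose combination mirrors the access the article
# attributes to FriarFox: tabs, notifications, privacy settings, plus request
# and cookie access that lets an extension act inside a logged-in webmail session.
HIGH_RISK_PERMISSIONS = {"tabs", "notifications", "privacy", "webRequest", "webRequestBlocking", "cookies"}
ALL_SITES_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # data on every website
SIGNEDSTATE_SIGNED = 2  # Firefox's value for a fully signed add-on (assumed from AddonManager constants)
FLAG_THRESHOLD = 6

# Constructed sample of a profile's extensions.json: one ordinary ad filter and
# one unsigned extension with a FriarFox-like permission set. Ids and names are placeholders.
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 33, "addons": [
    {"id": "ad-filter@example.invalid", "type": "extension", "signedState": 2,
     "defaultLocale": {"name": "Ad Filter (constructed)"},
     "userPermissions": {"permissions": ["tabs", "storage", "webRequest"], "origins": ["<all_urls>"]}},
    {"id": "helper@example.invalid", "type": "extension", "signedState": 0,
     "defaultLocale": {"name": "Flash Update Helper (constructed)"},
     "userPermissions": {"permissions": ["tabs", "notifications", "privacy", "webRequest", "cookies"],
                         "origins": ["<all_urls>"]}},
]})

def score_addon(addon: dict) -> tuple:
    """Score one extensions.json entry; return (score, list of reasons)."""
    score, reasons = 0, []
    perms = addon.get("userPermissions") or {}
    risky = sorted(HIGH_RISK_PERMISSIONS & set(perms.get("permissions", [])))
    if risky:
        score += len(risky)
        reasons.append("high-risk API permissions: " + ", ".join(risky))
    if ALL_SITES_ORIGINS & set(perms.get("origins", [])):
        score += 2
        reasons.append("host permission covers all websites")
    if addon.get("signedState", 0) < SIGNEDSTATE_SIGNED:
        score += 3
        reasons.append("not fully signed by Mozilla (sideloaded or unsigned XPI)")
    return score, reasons

def triage_extensions(raw_json: str) -> list:
    """Parse extensions.json and return flagged extensions, highest score first."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs carry no API permissions
        score, reasons = score_addon(addon)
        if score >= FLAG_THRESHOLD:
            name = (addon.get("defaultLocale") or {}).get("name")
            findings.append({"id": addon.get("id"), "name": name, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Run against a real profile by reading `extensions.json` from the Firefox profile directory and passing its text to `triage_extensions`; the score weights are a starting point for triage, not a verdict.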
The attack stemmed from phishing emails, first detected in late January, targeting several Tibetan organizations. One of the emails uncovered by researchers pretended to be from the “Tibetan Women’s Association,” which is a legitimate group based in India. The subject of the email was: “Inside Tibet and from the Tibetan exile community.”
Researchers noted that the emails were delivered from a known TA413 Gmail account, which has been in use for several years. The email impersonates the Bureau of His Holiness the Dalai Lama in India, said researchers.
The email contained a malicious URL, which impersonated a YouTube page (hxxps://you-tube[.]tv/). This link took recipients to a fake Adobe Flash Player update-themed landing page, where the process of downloading the malicious browser extension begins. The malicious “update” page then executes several JavaScript files, which profile the user’s system and determine whether to deliver the malicious FriarFox extension; the installation of FriarFox depends on several conditions.
“Threat actors appear to be targeting users that are utilizing a Firefox Browser and are utilizing Gmail in that browser,” researchers from Proofpoint said. “The user must access the URL from a Firefox browser to receive the browser extension. Additionally, it appeared that the user must be actively logged in to a Gmail account with that browser to successfully install the malicious XPI [FriarFox] file.”
TA413 has been associated with Chinese state interests and is known for targeting the Tibetan community. As recently as September, the China-based APT was sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.