2021-04-18 13:49:45
Several organizations based in Tibet (China) have recently been targeted in a large-scale cyber espionage campaign run by a state-backed hacker group, using a malicious Firefox browser extension. The extension is designed to hijack Gmail accounts and infect the victim's system with malware.
Initial investigation revealed that the attack was conducted by a hacker group with relatively close ties to China, TA413. The campaign began in January and continued throughout February, according to a Proofpoint report released on February 25.
Notably, this campaign also delivers Scanbox, malicious code known for its information-stealing capabilities. Scanbox allows attackers to capture a target's data and record their keystrokes.
"Scanbox has been used in many campaigns since 2014 to target the Tibetan Migrant Community along with other ethnic minorities in China," said Proofpoint experts. "The malware also has the ability to track visitor data to specific websites, do logging, and collect user data that can be leveraged in future intrusion attempts."
Malicious extension FriarFox
According to Proofpoint's findings, phishing emails sent by the attacker (TA413) to the target's mailbox redirect them to the attacker-controlled domain "you-tube[.]tv". This domain later presented a landing page disguised as a fake Adobe Flash Player update.
JavaScript executed from this domain automatically prompts targets to install a malicious add-on called FriarFox if they are using the Firefox web browser and are signed in to their Gmail account.
If the target uses any other web browser (other than Firefox), they are redirected to the legitimate YouTube login page. If they are using Firefox but are not logged in to their Gmail account, they are still asked to add the malicious FriarFox add-on to their browser.
FriarFox is based on the legitimate open-source Firefox extension Gmail Notifier, with its metadata, icon and description altered to mimic a Flash update. In addition, FriarFox includes malicious JavaScript designed to hijack the victim's Gmail account and infect their system with the Scanbox malware.
Once the victim is tricked into installing the FriarFox extension, TA413 takes over the Gmail account and uses the victim's Firefox browser to perform the following malicious actions:
For Gmail accounts:
- Search emails
- Archive emails
- Receive Gmail notifications
- Read emails
- Change the Firefox browser's visual and audio alert settings for the FriarFox extension
- Label emails
- Mark emails as spam
- Delete messages
- Refresh the inbox
- Forward emails
- Delete messages from the Gmail trash
- Send mail from the compromised account
For Firefox (based on browser permissions):
- Access user data for all websites
- Show notifications
- Read and modify privacy settings
- Access browser tabs
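The four Firefox permissions listed above correspond to the standard WebExtension permissions `<all_urls>` (host access), `notifications`, `privacy` and `tabs`. The following script, added here as an example and not part of the Proofpoint report, triages a Firefox profile's `extensions.json` and flags installed extensions whose permission set matches that combination; the sample record, the add-on IDs and the `userPermissions` field layout are constructed assumptions for the demonstration, and the threshold is a tunable choice.

```python
import json

# Firefox WebExtension permission names mapped to the capability wording
# used in the article (mapping assumed from Firefox's permission prompts).
RISKY_PERMISSIONS = {
    "privacy": "read and modify privacy settings",
    "tabs": "access browser tabs",
    "notifications": "show notifications",
}
# Host-permission patterns that grant access to user data on all websites.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the shape of a Firefox profile's extensions.json
# (only the fields this script reads; IDs are placeholders, not real IoCs).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "adblocker@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Example Ad Blocker"},
     "userPermissions": {"permissions": ["tabs", "storage"],
                         "origins": ["<all_urls>"]}},
    {"id": "flash-update@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Flash Update"},
     "userPermissions": {"permissions": ["tabs", "privacy", "notifications"],
                         "origins": ["<all_urls>"]}},
]})


def score_addon(addon):
    """Return (score, reasons): how many of the four capabilities an add-on holds."""
    perms = addon.get("userPermissions", {})
    reasons = []
    if ALL_SITES & set(perms.get("origins", [])):
        reasons.append("access user data for all websites")
    for perm in perms.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            reasons.append(RISKY_PERMISSIONS[perm])
    return len(reasons), reasons


def triage(extensions_json_text, threshold=3):
    """Flag active extensions holding at least `threshold` of the four capabilities."""
    flagged = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, disabled add-ons etc. are not of interest here
        score, reasons = score_addon(addon)
        if score >= threshold:
            flagged.append({"id": addon.get("id"),
                            "name": addon.get("defaultLocale", {}).get("name"),
                            "score": score, "reasons": reasons})
    return flagged
```

Run against a real profile by reading `extensions.json` from the profile directory and passing its text to `triage`; hits are leads for manual review, since legitimate extensions can also hold broad permissions.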
"The use of browser extensions to target users' private Gmail accounts combined with the Scanbox malware distribution demonstrates TA413's experience and expertise," Proofpoint concluded.