346 total views
Several organizations based in Tibet (China) have recently been targeted in a large-scale cyber espionage campaign deployed by a group of backed hackers, using a utility. Malicious extension on Firefox browser. This extension is designed to hijack Gmail accounts and infect the victim’s system with malware.
Initial investigation revealed that the attack was conducted by a hacker group with relatively close ties to China – TA413. Coordination activities have started in January and continue throughout February, according to a Proofpoint report released on February 25.
Notably, this malicious campaign has the presence of Scanbox, malicious code known for its ability to spy on information. Scanboxes can allow malicious agents to accurately capture a target’s data, and also record their keystrokes.
“Scanbox has been used in many campaigns since 2014 to target the Tibetan Migrant Community along with other ethnic minorities in China, “said Proofpoint experts.. “The malware also has the ability to track visitor data to specific websites, do logging, and collect user data that can be leveraged in future intrusion attempts.“.
Malicious extension FriarFox
According to Proofpoint’s findings, phishing emails sent by the attacker (TA413) to the target’s mailbox will redirect them to the “you-tube” domain.[.]tv ”is controlled by themselves. This domain was later shown disguised as a fake Adobe Flash Player Update landing page.
If the target uses any other web browser (other than Firefox), they will be redirected to a legitimate YouTube login page. If they are using Firefox but are not logged into their Gmail account, they will be asked to add this malicious FriarFox add-on to their browser.
When the victim is tricked into installing the FriarFox extension, the TA413 malicious agent will take over the Gmail account and use the victim’s Firefox browser to perform the following malicious actions:
For Gmail accounts:
- Search for an email
- Email archiving
- Get Gmail notifications
- Read email
- Change Firefox browser’s visual and audio alerts features for the FriarFox extension
- Label the email
- Mark email as spam
- Delete messages
- Refresh your inbox
- Email forwarding
- Delete messages from the Gmail trash
- Send mail from compromised account
For Firefox (based on browser permissions):
- Access user data for all websites.
- show notification
- Read and modify privacy settings
- Access browser tabs.
“The use of browser extensions to target users’ private Gmail accounts combined with the Scanbox malware distribution demonstrates TA413’s experience and expertise.”Concluded Proofpoint.
#Hackers #browser #extensions #hijack #targets #Gmail #account