Hacker uses browser extension to take over target's Gmail account

Initial investigation showed that this attack campaign was carried out by a group of hackers with relatively close ties to China.

Several organizations based in Tibet have recently been targeted in a large-scale cyber-espionage campaign run by a state-backed hacker group using a malicious Firefox browser extension. The extension is designed to take over victims' Gmail accounts and infect their systems with malware.

Initial investigation showed that the campaign was conducted by TA413, a hacker group with relatively close ties to China. The activity began in January and continued throughout February, according to a Proofpoint report published on February 25.

Notably, the campaign delivered Scanbox, a reconnaissance toolkit known for its information-gathering capability. Scanbox lets attackers collect detailed data about the target's system and browser, and can also record their keystrokes.

"Scanbox has been used in multiple campaigns since 2014 to target the Tibetan immigrant community along with other ethnic minorities in China," the Proofpoint experts said. "This malware is also capable of tracking visitor data on specific websites, performing logging and collecting user data that can be leveraged in future intrusion attempts."


The FriarFox malicious extension

As observed by Proofpoint, the phishing emails TA413 sent to targets' mailboxes linked to an attacker-controlled domain, 'you-tube[.]tv'. The domain displayed a landing page disguised as a fake Adobe Flash Player update.

JavaScript served from this domain profiled the visitor's browser and, if the target was using Firefox and signed in to a Gmail account, prompted them to install a malicious add-on called FriarFox.

If the target was using any browser other than Firefox, they were redirected to the legitimate YouTube login page. If they were using Firefox but were not signed in to Gmail, they were still asked to add the FriarFox add-on to their browser.

FriarFox was built on top of the legitimate open-source Firefox Notifier extension: its icon and description metadata were changed to mimic a Flash update, and malicious JavaScript was added that takes over the victim's Gmail account and infects their system with Scanbox.

Once a victim is tricked into installing FriarFox, the TA413 operators gain control of the victim's Gmail account and can use the victim's Firefox browser to perform the following actions:

For the Gmail account:

  1. Search emails
  2. Archive emails
  3. Receive Gmail notifications
  4. Read emails
  5. Change the FriarFox extension's visual and audio alert settings in Firefox
  6. Label emails
  7. Mark emails as spam
  8. Delete messages
  9. Refresh the inbox
  10. Forward emails
  11. Delete messages from the Gmail trash
  12. Send emails from the compromised account

In Firefox (based on the permissions granted to the extension):

  1. Access user data for all websites
  2. Display notifications
  3. Read and modify privacy settings
  4. Access browser tabs
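The four Firefox capabilities listed above correspond to install-time permission warnings that a WebExtension's manifest.json requests (the `<all_urls>` host pattern, and the `tabs`, `notifications` and `privacy` API permissions). The following is an added example, not code from the article or from Proofpoint, showing how a practitioner can audit a manifest for that permission set and for a Flash-update lure in its metadata. Both manifests below are constructed for illustration; the add-on id is a placeholder and neither is FriarFox's real manifest.

```javascript
// Added example: audit a Firefox WebExtension manifest for the permission
// set the article attributes to FriarFox. Not the article's or Proofpoint's code.

// Firefox's install-prompt warning text for the API permissions of interest
// (mapping assumed from Firefox's permission warning strings).
const PERMISSION_WARNINGS = {
  tabs: "Access browser tabs",
  notifications: "Display notifications to you",
  privacy: "Read and modify privacy settings",
};

// Host patterns that cover every site and trigger the "all websites" warning.
const ALL_SITES_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const ALL_SITES_WARNING = "Access your data for all websites";

function isAllSitesPattern(pattern) {
  return ALL_SITES_PATTERNS.has(pattern);
}

// Returns the sorted, de-duplicated list of install-time warnings the
// manifest would produce. Handles both MV2 "permissions" and MV3
// "host_permissions", plus content scripts injected into every site,
// which give the same reach as an all-sites host permission.
function auditManifest(manifest) {
  const warnings = new Set();
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (isAllSitesPattern(p)) warnings.add(ALL_SITES_WARNING);
    else if (PERMISSION_WARNINGS[p]) warnings.add(PERMISSION_WARNINGS[p]);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllSitesPattern)) warnings.add(ALL_SITES_WARNING);
  }
  return [...warnings].sort();
}

// Adobe Flash Player is not distributed as a browser add-on, so an extension
// whose name or description claims to be a Flash update is a lure by definition.
function looksLikeFlashLure(manifest) {
  const text = `${manifest.name || ""} ${manifest.description || ""}`.toLowerCase();
  return /flash\s*player/.test(text) && /update/.test(text);
}

// Combines the permission audit and the lure check into a single verdict.
function verdict(manifest) {
  const warnings = auditManifest(manifest);
  const reasons = [];
  if (warnings.includes(ALL_SITES_WARNING)) reasons.push("all-sites data access");
  if (warnings.includes(PERMISSION_WARNINGS.tabs)) reasons.push("tab access");
  if (warnings.includes(PERMISSION_WARNINGS.privacy)) reasons.push("privacy settings control");
  if (looksLikeFlashLure(manifest)) reasons.push("Flash update lure in metadata");
  return { warnings, reasons, suspicious: reasons.length > 0 };
}

// CONSTRUCTED sample: what a Flash-update-themed repack of a notifier extension
// might declare to obtain the four warnings listed in the article.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "Adobe Flash Player Update",
  description: "Flash Player update required to view this content",
  version: "1.0.0",
  permissions: ["<all_urls>", "tabs", "notifications", "privacy", "storage"],
  content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["content.js"] }],
  applications: { gecko: { id: "placeholder@example.invalid" } }, // placeholder id
};

// CONSTRUCTED sample: a minimal mail notifier only needs the Gmail origin and
// notifications, which is the baseline a repacked notifier should be compared against.
const BENIGN_MANIFEST = {
  manifest_version: 2,
  name: "Mail Notifier",
  version: "1.0.0",
  permissions: ["https://mail.google.com/*", "notifications", "storage"],
};

console.log(JSON.stringify(verdict(SUSPICIOUS_MANIFEST), null, 2));
console.log(JSON.stringify(verdict(BENIGN_MANIFEST), null, 2));
```

The useful comparison is against the legitimate extension the malicious one was repacked from: a notifier has no reason to request all-sites access, tab access or control over privacy settings, so any of those on a "notifier" that also advertises a Flash update is a strong indicator on its own, independent of any signature for FriarFox.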

'The use of browser extensions to target users' private Gmail accounts, combined with Scanbox malware distribution, demonstrates TA413's experience and skill,' Proofpoint concluded.
