In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.
Active for roughly a decade, the hacking group has been previously associated with malware such as LuckyCat and ExileRAT, and is believed to have orchestrated numerous cyber-assaults targeting the Tibetan community.
In January and February 2021, the group was observed delivering the FriarFox extension, customized to specifically target the Firefox browser and provide attackers with access to and control of victims’ Gmail accounts. The Scanbox and Sepulcher malware families, both already attributed to the adversary, were also used in these attacks.
Once the extension was installed, the attackers gained full access to the victim’s Gmail account, being able to search emails, archive messages, read emails, receive notifications, label emails, mark messages as spam, delete emails, refresh the inbox, forward emails, modify alerts in the browser, delete emails from the Trash folder, and send emails.
FriarFox, which appears to be a heavily altered version of the open source browser extension Gmail Notifier, also allows the adversary to access user data for all websites, read and change privacy settings, display notifications, and access the tabs opened in the browser.
As part of the attack, the Scanbox reconnaissance framework – which is known to have been used by other Chinese threat actors and even the Vietnam-linked OceanLotus – was also leveraged.
Analysis of FriarFox code has allowed Proofpoint to link the extension to known TA413 activity, while the employed infrastructure has revealed targeting of Tibetan organizations since early January 2021. Malicious files used in the attacks were created using the Royal Road tool, which is also known to be shared between Chinese APTs.
“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint concludes.