Cybersecurity experts have uncovered a sophisticated campaign targeting vulnerable Tibetan communities around the world, involving the deployment of a malicious Firefox browser extension to gain unauthorized access to Gmail accounts. This operation is attributed to threat actors aligned with Chinese governmental interests, specifically a group identified as TA413.

Proofpoint's detailed analysis found that the customized malicious browser extension was built to give the operators access to and control over victims' Gmail accounts. The campaign continues a series of operations against the Tibetan diaspora, which previously included COVID-themed lures used to deploy espionage tools, notably the Sepulcher malware.

The phishing scheme was initially detected in January and February 2021, continuing a pattern established as early as March 2020. The infection chain begins with phishing emails masquerading as communications from the “Tibetan Women’s Association,” using Google accounts linked to TA413 that are known to impersonate the Bureau of His Holiness the Dalai Lama.

The malicious emails typically contain a deceptive link purporting to be a YouTube page, redirecting unsuspecting users to a spoofed “Adobe Flash Player Update” landing page that prompts them to install the malicious Firefox extension named “FriarFox.” This rogue extension, disguising itself as a legitimate update component, is based on an open-source tool called “Gmail Notifier,” modified to include malicious capabilities.

The lure exploits the timing of Adobe's discontinuation of Flash: Adobe officially began blocking Flash content in browsers on January 12, 2021, following the end-of-life announcement for the format. The operation appears focused primarily on Firefox users who are logged into their Gmail accounts: visitors who reach the malicious URL from other browsers, such as Google Chrome, are not served the extension.

Now fully operational, the FriarFox extension can access browser tabs and user data across websites while granting adversaries the ability to read, delete, send, and forward emails from compromised accounts. Furthermore, it communicates with an attacker-controlled server to retrieve additional payloads, such as the Scanbox framework, which allows for ongoing reconnaissance, keystroke logging, and further data harvesting activity.
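An added defensive example, not from Proofpoint's report or this article: a small Python audit that reads a Firefox profile's extensions.json and flags add-ons combining the traits described above, namely host access to Gmail or to every site, tab access, and a sideloaded install that was not signed by Mozilla. The field names (`userPermissions`, `signedState`) follow Firefox's profile format as I understand it; the add-on records in `SAMPLE` are constructed.

```python
"""Audit the add-ons recorded in a Firefox profile's extensions.json."""
import json

# Host-permission patterns that let an extension read page data across all sites,
# or specifically inside Gmail (assumed patterns; adjust to your environment).
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GMAIL_ORIGINS = {"*://mail.google.com/*", "https://mail.google.com/*"}
# API permissions that expose open tabs, cookies or network traffic.
RISKY_PERMS = {"tabs", "webRequest", "webRequestBlocking", "cookies"}


def audit_addon(addon: dict) -> list[str]:
    """Return the reasons one add-on record looks suspicious (empty list = clean)."""
    reasons = []
    perms = addon.get("userPermissions") or {}
    origins = set(perms.get("origins", []))
    names = set(perms.get("permissions", []))
    if origins & BROAD_ORIGINS:
        reasons.append("host access to all sites")
    elif origins & GMAIL_ORIGINS:
        reasons.append("host access to Gmail")
    hit = names & RISKY_PERMS
    if hit:
        reasons.append("permissions: " + ", ".join(sorted(hit)))
    # Assumed Firefox convention: signedState >= 1 means Mozilla signed the add-on;
    # 0 or negative values indicate a sideloaded or unsigned install.
    if addon.get("signedState", 0) < 1:
        reasons.append("not signed by Mozilla")
    return reasons


def audit_profile(extensions_json: str) -> dict[str, list[str]]:
    """Map add-on id -> reasons for every active extension with at least one finding."""
    data = json.loads(extensions_json)
    findings = {}
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        reasons = audit_addon(addon)
        if reasons:
            findings[addon["id"]] = reasons
    return findings


# Constructed sample: one benign signed theme-style add-on, one sideloaded "update".
SAMPLE = json.dumps({"schemaVersion": 33, "addons": [
    {"id": "dark-theme@example.invalid", "type": "extension", "active": True,
     "signedState": 2, "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "flash-update@example.invalid", "type": "extension", "active": True,
     "signedState": 0, "userPermissions": {"permissions": ["tabs", "cookies", "storage"],
                                           "origins": ["*://mail.google.com/*"]}},
]})

if __name__ == "__main__":
    for addon_id, reasons in audit_profile(SAMPLE).items():
        print(addon_id, "->", "; ".join(reasons))
```

On a real host, point `audit_profile` at the contents of `extensions.json` under each Firefox profile directory and treat any unsigned add-on with Gmail or all-site access as a priority for review.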

The integration of the FriarFox extension into TA413’s toolkit illustrates a growing trend among APT actors who are increasingly focused on compromising cloud-based email accounts, as noted by Proofpoint’s Senior Director of Threat Research and Detection, Sherrod DeGrippo. Email accounts are highly valuable targets since gaining access facilitates resets of nearly any other account password, allowing attackers to launch more extensive attacks.

This incident underscores the severe implications of such an operation. Because email accounts often serve as gateways to sensitive information, the potential for misuse once one is compromised is vast. Mapped to MITRE ATT&CK, the campaign covers initial access through spear phishing, persistence via installation of the malicious extension, and credential access for exfiltration of information, highlighting the comprehensive methodology the attackers employed in this breach.