Chinese hackers use malicious Firefox extension to hijack Gmail accounts

A malicious extension for the Firefox web browser was reportedly used in an ambitious cyber-espionage campaign targeting multiple Tibetan organizations. The attack, attributed to the Chinese APT group tracked as TA413, hijacked victims' Gmail accounts and could also deliver additional malware, according to researchers from security firm Proofpoint.

Researchers say the group also used the Scanbox reconnaissance framework, which profiles the victim's browser and environment and can record keystrokes: "This malware has been used for at least 6 years; in this context, minority ethnic groups in Tibet are harassed by Chinese authorities using these hacking techniques."


The attack starts with a phishing email containing a link to the you-tube(.)tv domain, which hosts a fake Adobe Flash Player update page. Victims who land on that page while running Firefox and logged in to a Gmail account are prompted to install a malicious extension known as FriarFox, which gives the attackers access to that Gmail account.

The attack only works in Firefox: a visitor using any other browser is simply redirected to the legitimate YouTube site. FriarFox is built on the open-source Gmail Notifier extension, with the icon and description in its metadata changed so that it appears to be a Flash Player update component.

The attackers also added malicious JavaScript to take control of the affected Gmail account and to load Scanbox for further data collection. Once a victim installs FriarFox, the attackers can use the hijacked Gmail account to:

  • Search emails
  • Archive emails
  • Receive Gmail notifications
  • Read emails
  • Modify the extension's visual and audio alerts in Firefox
  • Tag emails
  • Mark emails as spam
  • Delete messages
  • Refresh the target's inbox
  • Forward emails
  • Perform function searches
  • Delete messages from the Gmail trash

Researchers note that using a browser extension to hijack Gmail accounts shows how the group keeps adapting its tooling, which is especially damaging given that the targets are members of an ethnic minority in an authoritarian country: "APT TA413 appears to be modulating its hacking and social engineering tools and techniques for systematic harassment of vulnerable communities", the experts conclude.
