Chinese Hackers Breach Gmail Using Malicious Browser Extension

Cybersecurity experts from Proofpoint have reported on a Chinese cybercriminal group that is hacking Gmail accounts using a malicious browser extension. The group, known as TA413, has been active for nearly a decade and is typically associated with the malware LuckyCat and ExileRAT. Their primary targets are Tibetans.

Details of the Attack

In early 2021, TA413 attempted to compromise Gmail accounts belonging to organizations in Tibet by deploying a malicious browser extension. According to experts, between January and February of this year, the group delivered the FriarFox extension for the Firefox browser to targeted computers. This extension gave the attackers control over the victims' Gmail accounts. The attacks also involved the use of the Scanbox and Sepulcher malware, both previously linked to TA413.

Attack Methodology

The attackers sent phishing emails to victims containing a link to a fake Adobe Flash Player update page. When opened in Firefox, this page executed JavaScript code that installed the malicious FriarFox extension. The extension was only delivered if the link was accessed through Firefox.

Capabilities of the FriarFox Extension

Once installed, the extension granted attackers full control over the victim's Gmail account. The hackers could:

  • Search through emails
  • Archive messages
  • Read correspondence
  • Receive notifications
  • Mark emails as spam
  • Delete emails
  • Refresh the inbox
  • Forward emails
  • Modify browser notifications
  • Permanently delete emails from the trash
  • Send messages

FriarFox is a heavily modified version of the open-source Gmail Notifier extension. It gives attackers access to user data across all websites, allows them to view and change privacy settings, display notifications, and access open browser tabs.
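The permission combination described above (data on all websites, privacy settings, notifications, open tabs) is itself a useful detection signal. The following is an added example, not code from Proofpoint or from the article: it reads a Firefox profile's extensions.json and flags add-ons whose requested permissions match that profile. The `userPermissions` layout and the sample add-on entries are assumptions and constructed data, not real captures.

```python
import json

# Permission pattern the article attributes to FriarFox: host access to
# every site plus sensitive browser APIs (privacy, notifications, tabs).
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HIGH_RISK_PERMISSIONS = {"privacy", "notifications", "tabs"}
MAIL_HOST = "mail.google.com"


def load_addons(extensions_json_text: str) -> list:
    """Return the add-on entries from a Firefox profile's extensions.json."""
    return json.loads(extensions_json_text).get("addons", [])


def assess_addon(addon: dict) -> dict:
    """Score one add-on against the FriarFox-style permission set."""
    perms = addon.get("userPermissions") or {}   # layout assumed, see lead-in
    origins = set(perms.get("origins", []))
    permissions = set(perms.get("permissions", []))
    reasons = []
    if origins & BROAD_ORIGINS:
        reasons.append("host access to all sites")
    if any(MAIL_HOST in o for o in origins):
        reasons.append("explicit access to Gmail")
    risky = sorted(permissions & HIGH_RISK_PERMISSIONS)
    if risky:
        reasons.append("sensitive API permissions: " + ", ".join(risky))
    return {
        "id": addon.get("id"),
        "name": (addon.get("defaultLocale") or {}).get("name"),
        "reasons": reasons,
        # All-site data access plus at least one sensitive API is the match.
        "suspicious": bool(origins & BROAD_ORIGINS) and bool(risky),
    }


def flag_suspicious(extensions_json_text: str) -> list:
    """Return only the add-ons that match the suspicious profile."""
    return [r for r in map(assess_addon, load_addons(extensions_json_text)) if r["suspicious"]]


# Constructed sample in extensions.json shape: one notifier-style add-on with
# the full risky set, one ordinary content blocker with broad hosts only.
SAMPLE = json.dumps({"addons": [
    {"id": "notifier@example.test", "defaultLocale": {"name": "Mail Notifier"},
     "userPermissions": {"permissions": ["notifications", "tabs", "privacy", "storage"],
                         "origins": ["<all_urls>"]}},
    {"id": "blocker@example.test", "defaultLocale": {"name": "Content Blocker"},
     "userPermissions": {"permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]}},
]})

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE):
        print(hit["id"], "->", "; ".join(hit["reasons"]))
```

To run it against a real profile, pass the contents of `~/.mozilla/firefox/<profile>/extensions.json` to `flag_suspicious` instead of `SAMPLE`.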
