Chinese Threat Actor Uses Browser Extension to Hack Gmail Accounts

Posted on February 26, 2021, updated March 11, 2021, by Admin

In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.

Active for roughly a decade, the hacking group has been previously associated with malware such as LuckyCat and ExileRAT, and is believed to have orchestrated numerous cyber-assaults targeting the Tibetan community.

In January and February 2021, the group was observed delivering the FriarFox extension, customized to specifically target the Firefox browser and provide attackers with access to and control of victims’ Gmail accounts. The Scanbox and Sepulcher malware families, both already attributed to the adversary, were also used in these attacks.

A phishing email used in a January attack, Proofpoint reveals, contained a link leading to a fake Adobe Flash Player update-themed page designed to run JavaScript code on the victim’s system. The code would deliver the FriarFox malicious extension, but only if Firefox was used to open the link.

Once the extension was installed, the attackers gained full access to the victim’s Gmail account, being able to search emails, archive messages, read emails, receive notifications, label emails, mark messages as spam, delete emails, refresh the inbox, forward emails, modify alerts in the browser, delete emails from the Trash folder, and send emails.

FriarFox, which appears to be a heavily altered version of the open source browser extension Gmail Notifier, also allows the adversary to access user data for all websites, read and change privacy settings, display notifications, and access the tabs opened in the browser.
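The capabilities listed above (data on all websites, privacy settings, notifications, open tabs) correspond to standard Firefox WebExtension permission names. The following added example, which is not part of the Proofpoint report or this article, audits the records in a Firefox profile's extensions.json and flags active add-ons that combine several of those permissions; the field names it reads (addons[].id, active, defaultLocale.name, userPermissions) and the sample record are assumptions constructed for the demonstration.

```python
import json

# Firefox WebExtension permissions that together match the capabilities
# attributed to FriarFox: privacy settings, notifications and open tabs.
# (Assumed permission names; origin patterns cover "all websites".)
RISKY_PERMISSIONS = {"privacy", "notifications", "tabs"}
ALL_SITES_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(extensions_json: str, min_hits: int = 3) -> list[dict]:
    """Return active add-ons whose granted permissions reach min_hits
    risky indicators. Assumes the extensions.json layout:
    addons[].id, .active, .type, .defaultLocale.name, .userPermissions."""
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        granted = addon.get("userPermissions") or {}
        perms = set(granted.get("permissions", []))
        origins = set(granted.get("origins", []))
        hits = sorted(perms & RISKY_PERMISSIONS)
        if origins & ALL_SITES_ORIGINS:
            hits.append("<all_urls>")  # host access to every site
        if len(hits) >= min_hits:
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "indicators": hits,
            })
    return findings


# Constructed sample extensions.json content (not real profile data).
SAMPLE = json.dumps({"addons": [
    {"id": "notifier@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Mail Notifier"},
     "userPermissions": {"permissions": ["privacy", "notifications", "tabs"],
                         "origins": ["<all_urls>"]}},
    {"id": "dark@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Dark Theme Toggle"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
]})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE):
        print(finding["id"], finding["name"], finding["indicators"])
```

A hit on this heuristic is a triage prompt, not proof of compromise: legitimate mail notifiers request similar permissions, so compare the flagged add-on against the signed version from addons.mozilla.org before acting.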

As part of the attack, the Scanbox reconnaissance framework – which is known to have been used by other Chinese threat actors and even the Vietnam-linked OceanLotus – was also leveraged.

Analysis of FriarFox code has allowed Proofpoint to link the extension to known TA413 activity, while the employed infrastructure has revealed targeting of Tibetan organizations since early January 2021. Malicious files used in the attacks were created using the Royal Road tool, which is also known to be shared between Chinese APTs.

“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint concludes.

Related: Chinese Hackers Target Europe, Tibetans With ‘Sepulcher’ Malware

Related: POISON CARP Threat Actor Targets Tibetan Groups

Ionut Arghire is an international correspondent for SecurityWeek.
