Researchers at the information security company Proofpoint have described a Chinese cybercriminal group that breaks into Gmail accounts using a malicious browser extension.
The cybercriminal group TA413 has been active for almost a decade and is usually associated by researchers with the LuckyCat and ExileRAT malware; its victims are mostly Tibetans. In early 2021, TA413 attempted to compromise the Gmail accounts of Tibetan organizations using a malicious browser extension.
According to the researchers, in January and February of this year the group delivered the FriarFox extension for the Firefox browser to targeted computers, giving it control over the victims' Gmail. The attacks also used the Scanbox and Sepulcher malware, which information security researchers had previously linked to TA413.
The attackers sent phishing emails to victims with a link to a fake Adobe Flash Player update page that launches JavaScript code on the attacked systems. This code delivered the malicious FriarFox extension, but only if the link was opened through Firefox.
Once installed, the extension gave the attackers full control over the victim's Gmail. They could search emails, archive messages, read correspondence, receive notifications, mark emails as spam, delete emails, refresh inboxes, forward emails, modify browser notifications, permanently delete emails from the trash, and send messages.
FriarFox is a heavily modified version of the open source Gmail Notifier extension. Its permissions give the attackers access to user data on all sites and allow them to view and change privacy settings, display notifications, and access the tabs open in the browser.
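The capabilities listed above (data on all sites, privacy settings, notifications, tabs) are all granted through the extension's manifest, so an extension's manifest is the first thing a defender can audit. The following script is an added example, not code from the Proofpoint report or from FriarFox: it parses a WebExtension `manifest.json`, flags the permission names and host patterns that map to the capabilities described in the article, and answers whether the extension can reach a given host such as `mail.google.com`. The sample manifest embedded in it is constructed for illustration; the permission names (`<all_urls>`, `tabs`, `privacy`, `notifications`, `webRequest`, `cookies`) are real Firefox WebExtension permissions, while the risk notes attached to them are this example's own.

```python
import json

# Constructed sample manifest for demonstration. It is NOT the real FriarFox
# manifest; it only mimics the kind of permission set the article describes.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Mail Notifier (sample)",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "notifications", "privacy", "storage"],
    "content_scripts": [
        {"matches": ["https://mail.google.com/*"], "js": ["content.js"]}
    ],
})

# Real WebExtension permission names paired with a short note on why a
# reviewer should look twice. The notes are this example's own wording.
HIGH_RISK = {
    "<all_urls>": "read and modify data on every site",
    "tabs": "enumerate and interact with open browser tabs",
    "privacy": "view or change browser privacy settings",
    "notifications": "display notifications in the browser's name",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or rewrite network requests",
    "cookies": "read cookies for permitted hosts",
}


def collect_permissions(manifest: dict) -> set:
    """Gather API permissions, host permissions and content-script match patterns."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # manifest v3 key
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def host_of(pattern: str):
    """Return the host part of a match pattern, or None for non-host entries."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None
    return pattern.split("://", 1)[1].split("/", 1)[0]


def pattern_matches_host(pattern: str, host: str) -> bool:
    """Match-pattern host rules: '*' = any host, '*.x.y' = x.y and subdomains."""
    phost = host_of(pattern)
    if phost is None:
        return False
    if phost == "*":
        return True
    if phost.startswith("*."):
        base = phost[2:]
        return host == base or host.endswith("." + base)
    return host == phost


def audit_manifest(manifest_json: str) -> dict:
    """Flag risky permissions and broad host patterns in a manifest."""
    manifest = json.loads(manifest_json)
    findings = {}
    for perm in sorted(collect_permissions(manifest)):
        if perm in HIGH_RISK:
            findings[perm] = HIGH_RISK[perm]
        elif host_of(perm) == "*":
            findings[perm] = "host pattern matching every site"
    return {"name": manifest.get("name"), "findings": findings}


def can_reach(manifest_json: str, host: str) -> bool:
    """True if any host permission or content-script pattern covers `host`."""
    manifest = json.loads(manifest_json)
    return any(pattern_matches_host(p, host) for p in collect_permissions(manifest))


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"Extension: {report['name']}")
    for perm, note in report["findings"].items():
        print(f"  {perm:<20} {note}")
    print("Can reach mail.google.com:", can_reach(SAMPLE_MANIFEST, "mail.google.com"))
```

To audit installed extensions rather than the constructed sample, feed the script the `manifest.json` from each `.xpi` file (a zip archive) in the Firefox profile's `extensions` directory. An extension that asks for `<all_urls>` plus `tabs`, `privacy` and `notifications` while only claiming to be a mail notifier is exactly the mismatch between stated purpose and requested capability that the FriarFox case illustrates.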