The malicious Firefox extension is called FriarFox which is also being used by Chinese hackers to spy on Tibetan activists.
For years, China has been accused of spying on minorities, activities, and journalists but according to researchers, the country’s spying tactics are only getting persistent and sophisticated. In the latest research, researchers have linked a Chinese government-backed hacking group with spying and phishing attacks against Minorities and Tibetan activists.
Chinese State-Sponsored Hackers Spying on Tibetan Activists
Proofpoint researchers have discovered a new campaign in which Chinese Communist party-backed advanced persistent threat (APT) targets Tibetan organizations and activists through a malicious Firefox extension.
The group is tracked as TA413 and has been previously involved in attacks against the Tibetan community. Back then, the group leveraged COVID-themed campaigns to distribute Sepulcher malware. However, even at that time, the primary goal was to conduct civil dissident surveillance and espionage.
Phishing Campaign Continuing since March 2020
According to the Sunnyvale-based enterprise security firm, low-level phishing campaigns against Tibetans were discovered first in March 2020 and have continued ever since. The threat actors are delivering a customized Firefox browser extension to hijack users’ Gmail accounts.
“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint researchers noted in their report.
The most recent attacks were discovered in Jan and Feb 2021. The malicious extension is dubbed FriarFox.
“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021,” the report explained.
Sepulcher malware links were traced to the Lucky Cat and Exile Rat malware campaigns, which targeted Tibetan organizations.
Malware Delivered via Spear-phishing Emails
The phishing emails appear to be sent by the Bureau of His Holiness the Dalai Lama in India and the TibetanWomen’s Association. The emails feature a malicious link that redirects the recipient to a fake Adobe Flash Player Update that executes JavaScript for scanning the infected device and decide whether to deliver the FriarFox payload.
Once executed, the malware allows access to the victim’s Gmail account. Once inside the Gmail account, the malware can locate, archive, read, delete, mark as spam, and forward emails.
Furthermore, it can modify privacy settings and access user data on other websites. Attackers may also download ScanBox malware, an old JavaScript-based reconnaissance framework that can perform keylogging and steal data to use in future invasion attempts.
“Unlike many APT groups, the public disclosure of campaigns, tools, and infrastructure has not led to significant TA413 operational changes. Accordingly, we anticipate continued use of a similar modus operandi targeting members of the Tibetan diaspora in the future,” Proofpoint researchers concluded.
Not for the first time
It is a fact that China has been accused of spying on activists, minorities, and neighboring countries. In 2013, Uyghur and Tibetan activists were targeting using Android malware. Years later in 2018, researchers identified HenBox Android malware that was spying on Xiaomi devices and minority groups in China.
In 2019, a Dutch security researcher revealed that the Chinese government is utilizing facial recognition databases to remotely monitor the Uyghur populace in the Xinjiang region.
Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter!