
TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations

Since March 2020, Proofpoint Threat Research has tracked low volume phishing campaigns targeting Tibetan organizations globally. In January and February 2021, we observed a continuation of these campaigns where threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts. Proofpoint has named this malicious browser extension “FriarFox”. We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021. Proofpoint has previously reported on Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations. This actor is believed to be an APT group aligned with the Chinese state with strategic objectives associated with espionage and civil dissident surveillance that includes the Tibetan Diaspora. This blog provides a detailed analysis of the JavaScript-based FriarFox browser extension, identifies TA413’s use of the Scanbox framework dating back to June 2020, and establishes links to watering hole attacks that targeted Tibetan organizations in 2019. 

TA413 FriarFox Browser Extension January 2021

Delivery and Exploitation  

In late January 2021, a phishing email was detected that targeted several Tibetan organizations. The email impersonated the “Tibetan Women's Association” in the From field and used the subject “Inside Tibet and from the Tibetan exile community”. Further, the email was delivered from a known TA413 Gmail account that has been in use for several years and impersonates the Bureau of His Holiness the Dalai Lama in India. The email contained the following malicious URL, which impersonated YouTube:

  • hxxps://you-tube[.]tv/  

Once clicked, this URL led to a fake “Adobe Flash Player Update” themed landing page that executes several JavaScript (“JS”) files to profile the user’s system. These scripts determine whether to deliver the malicious Firefox browser extension (“.XPI” file) that Proofpoint has named “FriarFox”. XPI files are compressed installation archives used by various Mozilla applications and contain the contents of a Firefox browser extension. The use of landing pages for JS redirection is a technique commonly used in watering hole attacks. In this case, the domain is controlled by the threat actors, and the redirection is reached via a malicious URL contained in a phishing email.

The delivery and installation of the FriarFox browser extension depend on several conditions of the user’s browsing state. Threat actors appear to be targeting users who browse with Firefox and use Gmail in that browser. The user must access the URL from a Firefox browser to receive the browser extension. Additionally, it appeared that the user must be actively logged in to a Gmail account in that browser for the malicious XPI file to install successfully. Not all detected FriarFox campaigns required an active Gmail session for successful installation of the browser extension, and Proofpoint analysts could not isolate the functionality that requires an active Gmail login session. Therefore, analysts could not definitively determine whether a Gmail login was an intended precondition of TA413 browser extension installation or whether the resulting “corrupt file” installation error was attributable to another cause. The following three user states were tested during Proofpoint’s research of the FriarFox extension. They account for the varying browsers and Gmail login states tested when accessing the domain you-tube[.]tv.

  • User accesses the you-tube[.]tv URL with a non-Firefox browser and no Gmail session

The user is temporarily displayed the Adobe Flash Player landing page at you-tube[.]tv before being redirected to a legitimate youtube[.]com login page that attempts to access an active domain cookie in use on the site. Actors may be attempting to leverage this domain cookie to access the user’s Gmail account in the instance that a GSuite federated login session is used to log in to the user’s YouTube account. This user is not served the FriarFox browser extension.   

Figure 01: YouTube redirect attempting to access domain cookie

  • User accesses the you-tube[.]tv URL with a Firefox browser but is not logged in to Gmail

The user is displayed the Adobe Flash Player landing page and prompted to allow the installation of software from the site. If the user clicks “Allow”, the browser indicates that the “add-on downloaded from you-tube[.]tv could not be installed because it appears to be corrupt.” The browser extension is served to the user but is not successfully installed. No redirect occurs. 

  • URL request for FriarFox browser extension: hxxps://you-tube[.]tv/download.php

Figure 02: you-tube[.]tv landing page, unsuccessful installation of FriarFox browser extension.

  • User accesses the you-tube[.]tv URL with a Firefox browser and is logged in to Gmail

The user is served the FriarFox extension from hxxps://you-tube[.]tv/download.php. They are then prompted to allow the download of software from the site and to “Add” the browser extension named “Flash update components” by approving the extension’s permissions. If the user clicks “Add”, the browser redirects to the benign webpage hxxps://tibet[.]net and the message “Flash update components has been added to Firefox.” appears in the upper right corner of the browser.

Figure 03: Mozilla Firefox prompt to add malicious FriarFox browser extension.

Figure 04: Browser redirect to Tibet[.]net and installation confirmation for FriarFox browser extension.
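The three delivery states above share one observable on the network: a Firefox client fetching an XPI from a host that is not a sanctioned extension source, a few seconds after loading an HTML landing page on that same host. The following Python is an added defender-side example, not code from the blog or from Proofpoint; it applies that logic to constructed proxy log lines (the landing-page host is a placeholder standing in for the actor domain, and the log format, client addresses and user agents are all invented).

```python
from datetime import datetime
from urllib.parse import urlsplit

# Hosts a managed Firefox fleet is expected to fetch extensions from; anything else is sideloading.
ALLOWED_XPI_HOSTS = {"addons.mozilla.org"}

# Constructed proxy log lines (not from the blog). Fields: time client method url status content-type user-agent.
# you-tube.example.invalid is a placeholder for the landing-page domain the blog names (you-tube[.]tv).
SAMPLE_LOG = """\
2021-01-27T10:02:11Z 10.1.2.3 GET https://you-tube.example.invalid/ 200 text/html Mozilla/5.0 (Windows NT 10.0; rv:85.0) Gecko/20100101 Firefox/85.0
2021-01-27T10:02:14Z 10.1.2.3 GET https://you-tube.example.invalid/download.php 200 application/x-xpinstall Mozilla/5.0 (Windows NT 10.0; rv:85.0) Gecko/20100101 Firefox/85.0
2021-01-27T10:02:15Z 10.1.2.3 GET https://tibet.net/ 200 text/html Mozilla/5.0 (Windows NT 10.0; rv:85.0) Gecko/20100101 Firefox/85.0
2021-01-27T10:05:00Z 10.1.2.9 GET https://addons.mozilla.org/firefox/downloads/file/0/example.xpi 200 application/x-xpinstall Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
2021-01-27T10:06:00Z 10.1.2.4 GET https://you-tube.example.invalid/ 200 text/html Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
"""

def parse_line(line):
    """Split one log line; the user agent is taken as the remainder because it contains spaces."""
    ts, client, method, url, status, ctype, ua = line.split(None, 6)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "url": url, "ctype": ctype.split(";")[0].strip().lower(), "ua": ua}

def is_xpi_download(rec):
    """An XPI is served as application/x-xpinstall, or the path simply ends in .xpi."""
    return rec["ctype"] == "application/x-xpinstall" or urlsplit(rec["url"]).path.lower().endswith(".xpi")

def find_sideloaded_xpi(log_text, allowed_hosts=ALLOWED_XPI_HOSTS, window_s=60):
    """Flag XPI downloads from hosts outside the allowlist, noting whether the same client
    loaded an HTML page on that host within window_s beforehand (the landing-page pattern)."""
    last_html = {}  # (client, host) -> time of the most recent text/html response
    alerts = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        host = urlsplit(rec["url"]).hostname
        if rec["ctype"] == "text/html":
            last_html[(rec["client"], host)] = rec["ts"]
            continue
        if not is_xpi_download(rec) or host in allowed_hosts:
            continue
        prior = last_html.get((rec["client"], host))
        alerts.append({
            "client": rec["client"], "host": host, "path": urlsplit(rec["url"]).path,
            "firefox": "Firefox/" in rec["ua"],
            "landing_page_first": prior is not None and (rec["ts"] - prior).total_seconds() <= window_s,
        })
    return alerts
```

The allowlisted addons.mozilla.org download is ignored, while the download.php fetch is flagged as a Firefox client that hit the landing page three seconds earlier.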

After the installation of the FriarFox browser extension, threat actors gain the access to the user’s Gmail account and Firefox browser data listed below. Additionally, FriarFox contacts a threat actor command and control server to retrieve Scanbox, a PHP and JS-based payload. The Gmail account functionality and Firefox browser attributes that FriarFox attempts to access are:

Gmail Access  

  • Search emails  
  • Archive emails  
  • Receive Gmail notifications  
  • Read emails  
  • Alter Firefox browser audio and visual alert features for the FriarFox extension
  • Label emails
  • Mark emails as spam
  • Delete messages  
  • Refresh inbox  
  • Forward emails  
  • Perform function searches  
  • Delete messages from Gmail trash  
  • Send mail from compromised account  

Firefox Browser Access (based on granted browser permissions)

  • Access user data for all websites
  • Display notifications
  • Read and modify privacy settings
  • Access browser tabs

Figure 05: FriarFox browser extension required permissions.

Analysis of the FriarFox Browser Extension 

The FriarFox browser extension appears to be largely based on an open source tool named “Gmail Notifier (restartless)”. This is a free tool available on GitHub, the Mozilla Firefox Add-ons store, and the QQ App store, among other locations. It allows users to receive notifications and perform certain Gmail actions on up to five Gmail accounts that are logged in simultaneously. Versions of this tool also exist for Google Chrome and Opera, but to date FriarFox has only been identified as an XPI file targeting the Firefox browser. In recent campaigns identified in February 2021, browser extension delivery domains have prompted users to “Switch to the Firefox Browser” when accessing malicious domains using the Google Chrome browser. Further details on the tool’s capabilities can be found below:

Figure 06: Open source Gmail Notifier (restartless) tool in Firefox Add-ons

  • https://addons.mozilla.org/en-US/firefox/addon/gmail-notifier-restartless/ 
  • (Gmail Notifier Demo Video) https://www.youtube.com/watch?v=5Z2huN_GNkA 

TA413 threat actors altered several sections of the open source browser extension Gmail Notifier to enhance its malicious functionality, conceal browser alerts to victims, and disguise the extension as an Adobe Flash related tool. The threat actors conceal FriarFox’s existence and their usage of the tool by altering the following:  

  • The PNG file icon appears as an Adobe Flash icon in the browser extension menu, replacing the Gmail icon from the standard Gmail Notifier tool.    
  • The extension’s metadata description, which is displayed in the browser extension menu, supports its appearance as a Flash update.
  • All audio and visual browser alerts are configured not to alert active users after installation. This conceals FriarFox’s existence and the threat actors’ usage of it from the affected victims.

The legitimate Gmail Notifier browser extension consists of approximately 17 independent JS files and additional configuration files that enable functionality for viewing emails, archiving, marking emails as spam, labelling, deleting, and visiting a user’s inbox for up to five accounts at a time. The FriarFox browser extension keeps the core functionality of this tool and continues to use many of these scripts in their original form, but it also expands the functionality by adding three malicious JavaScript files and raising the maximum number of accounts that can be monitored.

Figure 07: FriarFox (modified Gmail Notifier) browser extension XPI directory with actor modifications

TA413 actors added the malicious JS file “tabletView.js” to the existing Gmail Notifier tool. The goal of TA413 in adding this file is likely to leverage an active domain cookie value to gain access to an affiliated Gmail account while also causing infected users to contact an active Scanbox command-and-control server. This malicious file is responsible for redirecting users to the YouTube account login page. This redirect may be an attempt by the threat actors to retrieve the domain cookie from an active YouTube login session that was achieved via a federated G Suite login. The following URL was generated by the script in tabletView.js:

  • hxxp://accounts.youtube[.]comhttps://accounts.youtube[.]com/_/AccountsDomainCookiesCheckConnectionHttp/jserror?script=hxxps%3A%2F%2Findiatrustdalailama[.]com%2Ffile%2Fi%2F%3F5&error=Permission%20denied%20to%20get%20property%20%22href%22%20on%20cross-origin%20object&line=61  

As part of this redirect script, an additional URL is visible. It contains the command-and-control domain of the actor-controlled server indiatrustdalailama[.]com, which delivers Scanbox as an encoded JavaScript payload. Further analysis of the tabletView.js script indicates that this file is an altered version of a browser extension file whose copyright notice belongs to “Jason Savard”. Open source research indicates that this individual has created several browser extensions and plug-ins, including a tool called Checker Plus for Gmail. This tool contains functionality similar to the Gmail Notifier tool discussed above. The presence of this unrelated copyright in the FriarFox browser extension files may indicate that the actors experimented with similar tools before modifying the Gmail Notifier tool set.

In addition to the redirection JavaScript that attempts to access cookies and communicate with Scanbox servers, threat actors altered an existing Gmail Notifier browser extension script to display the decoy domain hxxps://tibet[.]net in the browser upon initial FriarFox installation. This redirection was described earlier in the delivery section of this blog. The use of the legitimate Tibet[.]net as a decoy domain further reinforces that the targets of this campaign were narrow and likely selected based on their involvement with Tibetan organizations and the Tibetan exile community.   

Lastly, the actors also included an additional script named default.js that appears to add supplemental malicious capabilities to the FriarFox extension that were not included in the original open source Gmail Notifier tool. While the original tool includes the ability to check settings, access the inbox, archive, mark as spam, delete messages, refresh the inbox and mark as read, it does not include features related to sending or responding to mail. The default.js script adds features such as forwarding mail, performing function searches, deleting mail, emptying the Gmail trash, and sending mail from the compromised account.
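The analysis above (the icon, description and alert changes to Gmail Notifier, and the added tabletView.js and default.js scripts) is the kind of result a responder can reproduce by diffing a captured XPI against the upstream release. The following Python is an added example, not Proofpoint's or the Gmail Notifier project's code: it compares the two archives by file hash, reports permissions the suspect manifest newly requests, and extracts hostnames from added or changed scripts. Both archives are constructed in memory with invented contents, and c2.example.invalid is a placeholder for a command-and-control host.

```python
import hashlib
import io
import json
import re
import zipfile

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def build_xpi(files):  # pack {path: content} into an in-memory XPI (a zip archive)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

def permissions(zf):  # permission strings requested by manifest.json, or none
    if "manifest.json" not in zf.namelist():
        return set()
    m = json.loads(zf.read("manifest.json"))
    return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

def diff_against_upstream(upstream_bytes, suspect_bytes):
    """Diff a suspect XPI against the upstream build: changed files, new permissions, hosts in changed JS."""
    with zipfile.ZipFile(io.BytesIO(upstream_bytes)) as good, zipfile.ZipFile(io.BytesIO(suspect_bytes)) as bad:
        sha = lambda zf, n: hashlib.sha256(zf.read(n)).hexdigest()
        gh = {n: sha(good, n) for n in good.namelist() if not n.endswith("/")}
        bh = {n: sha(bad, n) for n in bad.namelist() if not n.endswith("/")}
        added = sorted(set(bh) - set(gh))
        modified = sorted(n for n in set(gh) & set(bh) if gh[n] != bh[n])
        hosts = set()
        for n in added + modified:  # only code the actor touched can introduce new servers
            if n.endswith(".js"):
                hosts.update(HOST_RE.findall(bad.read(n).decode("utf-8", "replace")))
        return {"added": added, "removed": sorted(set(gh) - set(bh)), "modified": modified,
                "new_permissions": sorted(permissions(bad) - permissions(good)), "hosts": sorted(hosts)}

# Constructed stand-ins (contents invented): a minimal upstream build and a trojanized copy showing
# the blog's changes: renamed as a Flash update, icon swapped, alerts silenced, two scripts added.
UPSTREAM = build_xpi({
    "manifest.json": json.dumps({"name": "Gmail Notifier", "permissions": ["notifications", "tabs"]}),
    "icon.png": b"PNG-GMAIL-ICON",
    "lib/alerts.js": "var playSound = true, showPopup = true;",
})
SUSPECT = build_xpi({
    "manifest.json": json.dumps({"name": "Flash update components", "permissions": ["notifications", "tabs", "privacy", "<all_urls>"]}),
    "icon.png": b"PNG-FLASH-ICON",
    "lib/alerts.js": "var playSound = false, showPopup = false;",
    "tabletView.js": "location.href = 'https://accounts.youtube.com/'; // then loads https://c2.example.invalid/",
    "default.js": "function sendMail(to, body) {}  // capability absent from upstream",
})
```

Against a real sample, replace the constructed archives with the bytes of the installed XPI and of the matching upstream release fetched from the add-on's official listing.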