China-linked TA413 group target Tibetan organizations

Pierluigi Paganini February 26, 2021

The Chinese hacking group, tracked as TA413, used a malicious Firefox add-on in a cyberespionage campaign aimed at Tibetans.

China-linked cyberespionage group TA413 targeted Tibetan organizations across the world using a malicious Firefox add-on, dubbed FriarFox, that allowed them to steal Gmail and Firefox browser data and deliver malware on infected systems.

“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021.” reads the report published by Proofpoint. “Proofpoint has previously reported on Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations.”

The attack chain begins with spear-phishing email messages that attempt to trick victims into visiting websites that asked them to install a Flash update to view the site’s content.

Researchers from Proofpoint discovered that the websites were set up to serve the malicious add-on only to Firefox users with an active Gmail session.

The victims are served the FriarFox extension from hxxps://you-tube[.]tv/download.php, then they are prompted to allow the download of software from the site, and they are prompted to “Add” the browser extension named “Flash update components” by approving the extension’s permissions. The browser redirects to the benign webpage hxxps://Tibet[.]net and it is displayed the message “Flash update components has been added to Firefox.”


Once installed the FriarFox browser extension, attackers gained access to the user’s Gmail account and FireFox browser data. Below the the Gmail account functionality and FireFox browser attributes FriarFox attempts to collect:  

Gmail Access  

  • Search emails  
  • Archive emails  
  • Receive Gmail notifications  
  • Read emails  
  • Alter FireFox browser audio and visual alert features for the FriarFox extension  
  • Label emails  
  • Marks emails as spam  
  • Delete messages  
  • Refresh inbox  
  • Forward emails  
  • Perform function searches  
  • Delete messages from Gmail trash  
  • Send mail from compromised account  

FireFox Browser Access – (Based on Granted browser permissions)  

  • Access user data for all websites.  
  • Display notifications  
  • Read and modify privacy settings  
  • Access browser tabs.”

The FriarFox add on also contacts the C2 server to retrieve the PHP and JS-based payload Scanbox frameworks.

The Scanbox framework is used by multiple APT groups, including the Stone Panda APT group and LuckyMouse, to carry out watering hole attacks.

“The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.” concludes the report. “Their degrees of success may vary among more sophisticated targets, however, the limited resources afforded to dissident organizations globally may allow for success with the patchwork of tooling and techniques TA413 displays.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TA413)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment