Cybersecurity experts from Proofpoint have unearthed a Chinese-sponsored phishing campaign and published a report on Thursday. According to the findings, Chinese state hackers targeted several Tibetan organizations in a low-volume phishing campaign that planted malware on the organizations' systems. The campaign was designed to hijack Gmail accounts via a malicious Firefox browser extension.
According to Proofpoint, the Chinese-sponsored phishing campaign started in January, continued throughout February and was run by the TA413 APT group, a threat group aligned with the Chinese Communist Party's state interests.
Hackers' Modus Operandi
TA413 attackers targeted the organizations with a fraudulent email; once the victim opened it, they were redirected to the attacker-controlled you-tube[.] domain, which displayed a fake Adobe Flash Player Update landing page.
Threat actors specifically targeted Firefox users: those with an active Gmail session were prompted to download the malicious add-on. If the potential target used any other web browser, they were redirected to the legitimate YouTube login page.
According to Proofpoint, threat actors could exploit the following functions on infected browsers:
• Search emails
• Archive emails
• Receive Gmail notifications
• Read emails
• Alter Firefox browser audio and visual alert features
• Label emails
• Mark emails as spam
• Delete messages
• Refresh inbox
• Forward emails
• Perform function searches
• Delete messages from Gmail trash
• Send mail from the compromised account
Firefox (based on browser permissions):
• Access user data for all websites
• Display notifications
• Read and modify privacy settings
• Access browser tabs
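The four Firefox permissions listed above each correspond to a WebExtension manifest key. As an added example (not code from Proofpoint's report or the article), the following Python auditor reads an extension's manifest.json and flags that permission set; the manifest it checks is constructed for illustration, and the warning strings are the ones Firefox shows for those manifest keys.

```python
import json

# Firefox permission warning text -> manifest key that triggers it.
# <all_urls> is a host-permission pattern; the rest are API permissions.
RISKY_PERMISSIONS = {
    "<all_urls>": "Access your data for all websites",
    "notifications": "Display notifications to you",
    "privacy": "Read and modify privacy settings",
    "tabs": "Access browser tabs",
}

def is_all_hosts(pattern: str) -> bool:
    """True for host patterns that grant access to every website."""
    return pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions an extension requests, keyed by manifest name."""
    requested = set(manifest.get("permissions", []))
    # Manifest v3 moves host patterns into host_permissions; v2 keeps them in permissions.
    requested |= set(manifest.get("host_permissions", []))
    findings = {}
    for perm in requested:
        key = "<all_urls>" if is_all_hosts(perm) else perm
        if key in RISKY_PERMISSIONS:
            findings[key] = RISKY_PERMISSIONS[key]
    return findings

def matches_report_profile(findings: dict) -> bool:
    """Flag an extension that combines all four capabilities the report lists:
    all-site data access plus notifications, privacy settings and tab access."""
    return set(RISKY_PERMISSIONS) <= set(findings)

# Constructed sample manifest (not the real extension's) requesting the same
# four capabilities the report lists, plus an innocuous one.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "constructed-sample",
  "version": "1.0",
  "permissions": ["<all_urls>", "notifications", "privacy", "tabs", "storage"]
}""")

if __name__ == "__main__":
    found = audit_manifest(SAMPLE_MANIFEST)
    for key, warning in sorted(found.items()):
        print(f"{key:15} -> {warning}")
    print("matches report profile:", matches_report_profile(found))
```

Point it at the manifest.json inside an unpacked .xpi, or at each extension directory in a Firefox profile, to review what an installed add-on can reach.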
Proofpoint stated that “the use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”
The Chinese state hackers also infected the victims with the Scanbox malware, a PHP- and JavaScript-based reconnaissance framework; it is an old tool used by Chinese cyber-criminal groups.
“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint further stated.