Security researchers report that a Chinese hacking group believed to be backed by the Chinese Communist Party has been spying on Tibetan activists by deploying a malicious Firefox extension.

According to investigations by cybersecurity vendors, low-volume phishing campaigns against the Tibetan diaspora have been observed since March 2020. This year, however, the campaigns escalated into more sophisticated malware attacks built around a purpose-made malicious browser extension called “FriarFox”.

The FriarFox deployments are attributed to the Chinese hacker group TA413. This is not TA413’s first malware delivery, but it is the first observed at this scale. The group has also been reported delivering the Scanbox and Sepulcher malware in early 2021.

Sepulcher had earlier been reported as linked to the LuckyCat and ExileRAT malware campaigns, both of them cyber-attacks targeting Tibetan organizations.

TA413 is assessed to be an advanced persistent threat (APT) group backed by the Chinese government.

How the malware works:

The malware is delivered by spear-phishing email. Victims receive messages spoofing organizations such as the Bureau of His Holiness the Dalai Lama in India or the Tibetan Women’s Association. These emails contain malicious links that redirect to fake ‘Adobe Flash Player Update’ pages, which run JavaScript to profile the victim’s browser and device.

Based on that profiling, the scripts decide whether to deliver the FriarFox payload, which reportedly gives the attackers unauthorized access to the victim’s Gmail account.

The extension is reported to be able to read, delete, send, search, archive and mark as spam the victim’s emails, as well as access Firefox browser windows and tabs, alter the browser’s privacy settings, and access user data for all websites.
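The behaviour described above (Gmail access, browser window access, privacy-setting changes, data access on all sites) is visible in an extension’s declared permissions, so one practical check for a defender is to audit the manifests of installed Firefox extensions for that combination. The script below is an added example written for this article; it is not TA413 tooling, not a vendor detection signature, and the sample manifests in it are constructed for illustration (the names and permission lists are hypothetical, not those of the real FriarFox extension). It assumes Firefox’s usual profile layout, where packed extensions are stored as `.xpi` zip files containing a `manifest.json`.

```python
"""Audit Firefox extension manifests for the permission profile of a
Gmail-harvesting extension: host access to mail.google.com (or to all sites)
combined with the 'tabs' and 'privacy' APIs. Added example for this article;
the findings are heuristics for triage, not proof of compromise."""
import glob
import json
import os
import zipfile

# Host patterns that grant access to every site (Manifest V2 and V3 spellings).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that, combined with mailbox access, reproduce the behaviour
# described above: tabs/windows access, privacy-setting changes, notifications.
SENSITIVE_APIS = {"tabs", "privacy", "notifications", "cookies", "webRequest"}


def split_permissions(manifest):
    """Return (host_patterns, api_names) for an MV2 or MV3 manifest dict.

    MV2 mixes host match patterns and API names in one 'permissions' list;
    MV3 moves hosts into 'host_permissions'. Both layouts are handled.
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return hosts, perms - hosts


def audit_manifest(manifest):
    """Return a list of findings for one manifest; an empty list means nothing notable."""
    hosts, apis = split_permissions(manifest)
    findings = []
    mailbox_reach = bool(hosts & BROAD_HOSTS) or any("mail.google.com" in h for h in hosts)
    if hosts & BROAD_HOSTS:
        findings.append("host access to all websites")
    elif mailbox_reach:
        findings.append("host access to mail.google.com")
    for api in sorted(apis & SENSITIVE_APIS):
        findings.append(f"uses '{api}' API")
    if "flash" in manifest.get("name", "").lower():
        findings.append("name references Adobe Flash, a retired plugin used as an update lure")
    # The combination, not any single permission, is what mirrors a mailbox-harvesting extension.
    if mailbox_reach and {"tabs", "privacy"} <= apis:
        findings.insert(0, "HIGH: mailbox-capable host access combined with 'tabs' and 'privacy'")
    return findings


def audit_profile(profile_dir):
    """Audit every packed extension (.xpi, a zip archive) in a Firefox profile directory."""
    results = {}
    for xpi in glob.glob(os.path.join(profile_dir, "extensions", "*.xpi")):
        try:
            with zipfile.ZipFile(xpi) as archive:
                manifest = json.loads(archive.read("manifest.json"))
        except (zipfile.BadZipFile, KeyError, json.JSONDecodeError):
            results[os.path.basename(xpi)] = ["unreadable manifest"]
            continue
        results[os.path.basename(xpi)] = audit_manifest(manifest)
    return results


# Constructed sample manifests (hypothetical; not real extension IDs, names or code).
BENIGN_MANIFEST = {
    "manifest_version": 2,
    "name": "Quiet Dark Theme",
    "permissions": [],
}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 2,
    "name": "Flash Player Update",
    "permissions": ["*://mail.google.com/*", "<all_urls>", "tabs", "privacy", "notifications"],
}

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, "->", audit_manifest(manifest) or ["no findings"])
    # Real use: point at a profile directory, e.g. ~/.mozilla/firefox/<profile>/ on Linux
    # (assumed location; the glob simply yields nothing if the path does not exist).
    for name, findings in audit_profile(os.path.expanduser("~/.mozilla/firefox/default")).items():
        print(name, findings)
```

Run it against each profile on a suspect machine and treat any `HIGH` finding as a prompt to pull the `.xpi` for manual review; legitimate mail-helper extensions can ask for a similar set, so the output is a triage list, not a verdict.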

Once FriarFox is in place, the attackers can also attempt to download the Scanbox malware. Scanbox is a JavaScript-based reconnaissance and surveillance framework first seen in 2014. It can track victims’ visits to specific websites, perform keylogging, and collect user data for use in later attacks.