Malicious Firefox extension allows hackers to hijack Gmail account

A few days ago, a hacker group used malicious Firefox extensions and Scanbox malware to infect victims. The goal was to hijack the victim's Gmail account and Firefox browser, enabling the attackers to collect the target's data and record their keystrokes.

According to the Proofpoint report, the attack started in January and continued throughout February.

Malicious FriarFox browser extension

The phishing email the attacker delivers to the target's mailbox redirects the target to the attacker-controlled you-tube[.]tv domain, which displays a fake Adobe Flash Player Update page.

If the target uses the Firefox browser and is logged in to their Gmail account, the JavaScript analysis script served from that domain automatically prompts them to install a malicious extension called FriarFox. If they are using Firefox but are not logged in to Gmail, they are asked to add the corrupted FriarFox extension to the browser, which causes the installation to fail.

If the potential victim is using a web browser other than Firefox, then they will be redirected to a legitimate YouTube login page.

The FriarFox malicious extension is based on the open-source Gmail Notifier Firefox add-on; its icon and metadata description were changed to mimic the Flash update process. The attackers also added malicious JavaScript to hijack the victim's Gmail account and infect their system with Scanbox malware.

Once the victim is tricked into installing the FriarFox extension, the hacker will be able to take over the user's Gmail account and Firefox browser to perform the following malicious actions:

Hijack Gmail account:

  • Search mail
  • Archive mail
  • Receive Gmail notifications
  • Read mail
  • Change the audio and visual alert function of the Firefox browser for the FriarFox extension
  • Flag mail
  • Mark messages as spam
  • Delete messages
  • Refresh inbox
  • Forward mail
  • Perform function search
  • Delete messages from Gmail trash
  • Send mail from the stolen account

Firefox browser (based on browser permissions):

  • Access user data for all websites
  • Show notification
  • Read and modify privacy settings
  • Visit the browser tab

Further technical details and infection indicators (IOCs), including the infrastructure and malware sample hashes used in this campaign, are available in the Proofpoint report.


Origin www.oschina.net/news/131383/malicious-firefox-extension-allowed-hackers-to-hijack-gmail