Recently, malicious campaigns have been using fake web-browsers extensions commonly disseminated via Google Ads and other channels.
This article will Proofpoint researchers found a new Firefox fake extension active since March 2020 that targets Tibetan organizations globally. The fake extension, named FriarFox, is related to the TA413 gangue also observed delivering both Scanbox and Sepulcher malware campaigns against Tibetan organizations in early 2021.
How FriarFox spreads
The malicious campaign associated with the FriarFox fake extension impersonates the Tibetan Women’s Association using an email with the following subject: “Inside Tibet and from the Tibetan exile community.”
In detail, the email is sent from a known account that impersonates the Bureau of His Holiness the Dalai Lama in India and used by TA413 for several years. As observed in Figure 1, after clicking on an URL in the email body, a fake Adobe Flash installation screen is presented to convince the end-user to install the FriarFox Firefox extension.
Figure 1: High-level diagram of FriarFox fake extension.
After accessing the fake Adobe Flash page, the user can add the extension as presented below. It’s also important to highlight that Adobe Flash is an EOF software, so internet end-users should be warned