ScanBox Malware From Chinese Hackers Attacks Australian Government

Threat actors based in China have been steering selected targets to a fake website posing as an Australian news outlet in order to attack Australian government agencies and the companies that maintain wind turbine fleets in the South China Sea. Victims were lured to the site by phishing emails, and once there the ScanBox reconnaissance framework delivered a malicious JavaScript payload to their browsers.

The campaign ran from April to June of this year and targeted employees of regional and national Australian government departments, Australian and international news media outlets, and companies that maintain wind turbines in the South China Sea. The objective was cyberespionage, according to the security researchers at Proofpoint and PwC (PricewaterhouseCoopers) who tracked the activity. They attribute it, with moderate confidence, to the China-based threat group APT40 (also tracked as TA423, Leviathan and Red Ladon).

ScanBox has been used by at least six China-based threat actors in earlier attacks, and there is enough evidence to conclude that the toolkit has been in use since at least 2014. According to Proofpoint’s report, the phishing emails were sent in waves from Gmail and Outlook accounts. The sender posed as an employee of the fictitious media company “Australian Morning News” and included a URL to the malicious website, whose content was copied from legitimate news sites.

Although every URL led to the same website and the same malicious payload, the researchers note that each URL carried a value specific to the individual target. Visitors to the fraudulent site received the ScanBox framework through JavaScript execution and staged module loading. “ScanBox can deliver JavaScript code in one single block, or, as is the case in the April 2022 campaign, as a plugin-based, modular architecture,” explains Proofpoint.
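Those per-target URL values are a useful pivot for defenders: if a mail gateway or proxy log holds several lure URLs, grouping them by landing page and spotting which query parameter changes from recipient to recipient reveals one campaign and the list of people it reached. The following Node.js script is an added example, not code from this page or from Proofpoint; the domain, path and parameter names in it are constructed for the demo and are not the campaign’s real indicators.

```javascript
// Added example (not ScanBox or Proofpoint code): cluster lure URLs from a
// mail-gateway log by landing page and find the query parameter whose value
// differs for every recipient, i.e. the per-victim tracking value.
// All URLs below are constructed for the demo; they are not real indicators.

const SAMPLE_LOG = [
  // one wave: same landing page, a different "id" for each recipient
  'https://news.example.test/article?id=7f3a9c&ref=mail',
  'https://news.example.test/article?id=b81e22&ref=mail',
  'https://news.example.test/article?id=c0ffee&ref=mail',
  'https://news.example.test/article?id=d34db3&ref=mail',
  // unrelated link that happened to be in the same log
  'https://cdn.example.test/static/logo.png',
  // malformed entry, which should be skipped rather than crash the analysis
  'not a url',
];

function clusterLureUrls(urls) {
  const clusters = new Map();
  for (const raw of urls) {
    let u;
    try {
      u = new URL(raw);
    } catch (err) {
      continue; // skip unparseable log entries
    }
    // Landing page = scheme + host + path; the query string is analysed separately
    const key = u.origin + u.pathname;
    if (!clusters.has(key)) clusters.set(key, { count: 0, params: new Map() });
    const c = clusters.get(key);
    c.count += 1;
    for (const [name, value] of u.searchParams) {
      if (!c.params.has(name)) c.params.set(name, new Set());
      c.params.get(name).add(value);
    }
  }

  const report = {};
  for (const [landingPage, c] of clusters) {
    const trackingParams = [];
    const constantParams = [];
    for (const [name, values] of c.params) {
      // A parameter with one distinct value per URL in the cluster is the
      // per-recipient token; a parameter with a single shared value is not.
      if (c.count > 1 && values.size === c.count) trackingParams.push(name);
      else constantParams.push(name);
    }
    report[landingPage] = {
      count: c.count,
      trackingParams,
      constantParams,
      // the per-recipient tokens themselves, for matching against the
      // recipient list to see who was targeted
      tokens: trackingParams.map((p) => [...c.params.get(p)]),
    };
  }
  return report;
}

console.log(JSON.stringify(clusterLureUrls(SAMPLE_LOG), null, 2));
```

Run with `node` on a file of logged URLs. The cardinality rule (one distinct value per URL) is deliberately strict; on a large log, with repeated clicks by the same recipient, a threshold such as “more than half the URLs carry a distinct value” is the usual relaxation.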

The report notes that delivering the complete code in one block might seem simpler for the operators, but selective plugin loading was chosen because it reduces the likelihood of crashes and failures and avoids drawing researchers’ attention. The ScanBox framework includes the following modules:

  • Keylogger: records key presses made inside a ScanBox-controlled iframe.
  • Browser plugins: enumerates the plugins installed in the victim’s browser.
  • Browser fingerprinting: identifies and evaluates the technical capabilities of the victim’s browser.
  • Peer connection: uses the browser’s WebRTC APIs for real-time peer-to-peer communication.
  • Security check: determines whether Kaspersky security software is installed on the victim’s device.
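Those capabilities map to a small set of browser primitives, which gives a defender a quick triage heuristic for a JavaScript sample pulled from a suspicious page: keyboard event listeners attached inside a created iframe, navigator.plugins enumeration, the usual fingerprinting properties, RTCPeerConnection, and probes for a security vendor’s presence. The Node.js scanner below is an added example, not ScanBox code or anything Proofpoint published; the two sample scripts it scans are constructed for the demo, and the patterns are heuristic choices made here rather than indicators from the report.

```javascript
// Added example (not ScanBox or Proofpoint code): static triage of a
// JavaScript sample for the reconnaissance primitives a browser recon
// framework needs. Patterns are heuristics chosen for this demo, not
// indicators from the report, and they only match deobfuscated source.

const RECON_SIGNATURES = [
  {
    capability: 'keylogger',
    pattern: /addEventListener\s*\(\s*['"]key(?:down|press|up)['"]|\.onkey(?:down|press|up)\s*=/,
  },
  {
    capability: 'hidden-iframe',
    pattern: /createElement\s*\(\s*['"]iframe['"]\s*\)/,
  },
  {
    capability: 'plugin-enumeration',
    pattern: /navigator\.(?:plugins|mimeTypes)\b/,
  },
  {
    capability: 'browser-fingerprint',
    pattern: /navigator\.(?:userAgent|platform|language|hardwareConcurrency)\b|screen\.(?:width|height|colorDepth)\b/,
  },
  {
    capability: 'webrtc-peer-connection',
    pattern: /\b(?:webkit|moz)?RTCPeerConnection\b/,
  },
  {
    capability: 'security-product-check',
    // crude: a vendor name appearing in a resource path or variable name
    pattern: /kaspersky/i,
  },
];

// Returns one finding per capability whose pattern appears in the source.
function scanForReconPrimitives(src) {
  const findings = [];
  for (const { capability, pattern } of RECON_SIGNATURES) {
    const m = src.match(pattern);
    if (m) findings.push({ capability, evidence: m[0] });
  }
  return findings;
}

// Legitimate analytics scripts read navigator.userAgent too, so a single
// primitive is not interesting; several together are.
function assessScript(src, threshold = 3) {
  const findings = scanForReconPrimitives(src);
  return {
    capabilities: findings.map((f) => f.capability),
    suspicious: findings.length >= threshold,
    findings,
  };
}

// Constructed sample resembling a recon plugin: keystrokes captured inside a
// created iframe, plugin list, WebRTC, fingerprint fields, AV probe.
const SAMPLE_RECON_SCRIPT = `
var buf = [];
var f = document.createElement('iframe');
document.body.appendChild(f);
f.contentWindow.document.addEventListener('keydown', function (e) { buf.push(e.key); });
var plugins = [];
for (var i = 0; i < navigator.plugins.length; i++) plugins.push(navigator.plugins[i].name);
var pc = new RTCPeerConnection({ iceServers: [] });
var profile = { ua: navigator.userAgent, w: screen.width, h: screen.height, plugins: plugins };
var probe = new Image();
probe.onload = function () { profile.kaspersky = true; };
probe.src = 'http://127.0.0.1/kaspersky-probe.png';
`;

// Constructed benign sample: an analytics beacon that only reads the UA.
const SAMPLE_BENIGN_SCRIPT = `
navigator.sendBeacon('/collect', JSON.stringify({ ua: navigator.userAgent }));
`;

console.log(assessScript(SAMPLE_RECON_SCRIPT).capabilities);
console.log(assessScript(SAMPLE_BENIGN_SCRIPT).suspicious);
```

String matching of this kind is a triage aid, not a detection: a minified or obfuscated payload hides every one of these names behind string concatenation or property lookups, so run it on a deobfuscated sample, and treat the keylogger-plus-iframe pairing as the signal most specific to what the page describes.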

Once the victim’s browser has been profiled and the chosen plugins loaded, the framework begins sending back victim profile information, technical specifications and other data useful for reconnaissance and basic espionage. This traffic is the framework’s command and control (C2) communication. In a few instances observed in June 2022, the threat actors used COVID-19 passport service lures that downloaded a DLL stager for loading Meterpreter, targeting Australian naval defense, oil and petroleum, and deepwater drilling companies.

Based on the current evidence from targeting techniques and tools, Proofpoint concludes that the 2022 campaign is the third phase of the same intelligence-gathering effort APT40 has been running since March 2021. In the earlier phases the threat actors posed as journalists from publications such as “The Australian” and “Herald Sun,” used RTF template injection and installed Meterpreter on the victims’ machines. APT40 was also observed using ScanBox in its operations in 2018. In July 2021, the U.S. Department of Justice indicted APT40 members over the group’s extensive history of intrusions.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.