Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks

A months-long cyber espionage campaign by a Chinese nation-state group targeted various entities with reconnaissance malware to gather information about its victims and fulfill its strategic objectives.

“The targets of this recent campaign spanned Australia, Malaysia and Europe, as well as entities that operate in the South China Sea,” enterprise security firm Proofpoint said in a report published in partnership with PwC.

The targets ranged from Australian federal and local government agencies and Australian media companies to global heavy-industry manufacturers servicing wind turbine fleets in the South China Sea.

Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two firms under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan.

APT40 is the designation for a China-based, espionage-motivated threat actor known to be active since 2013 and to have a pattern of attacking entities in the Asia-Pacific region, with a primary focus on the South China Sea. In July 2021, the US government and its allies linked the adversarial collective to China’s Ministry of State Security (MSS).

The attacks took the form of several phishing campaigns between April 12 and June 15 that used URLs posing as Australian media companies to deliver the ScanBox reconnaissance framework. The phishing emails came with subject lines such as “Sick Leave”, “User Research”, and “Cooperation Request”.

Unlike watering holes or strategic web compromises, where a legitimate website known to be visited by targets is infected with malicious JavaScript code, the APT40 activity leverages an actor-controlled domain that is used to deliver the malware.

“The threat actor frequently posed as an employee of the fictional media publication ‘Australian Morning News’, providing a URL to the malicious domain and soliciting targets to view its website or share research content that the website would publish,” the researchers said.

ScanBox, used in attacks since 2014, is JavaScript-based malware that allows threat actors to profile their victims and deliver next-stage payloads to targets of interest. It is also known to be privately shared among various China-based hacking groups, much like HUI Loader, PlugX, and ShadowPad.

Some of the notable threat actors previously observed using ScanBox include APT10 (also known as Red Apollo or Stone Panda), APT27 (also known as Emissary Panda, Lucky Mouse or Red Phoenix), and TA413 (also known as Lucky Cat).

Running in the victim’s web browser, the malware also retrieves and executes a number of plugins that allow it to log keystrokes, fingerprint the browser, compile a list of installed browser plugins, communicate with infected machines, and check for the presence of Kaspersky Internet Security (KIS) anti-malware software.

This is not the first time APT40 has adopted the modus operandi of using fake news websites to deploy ScanBox. A 2018 phishing campaign uncovered by Mandiant used news-article URLs hosted on a fake domain as lures to trick recipients into downloading the malware.

Interestingly, the April-June attacks are part of sustained phishing activity linked to the same threat actor that targeted organizations based in Malaysia and Australia, as well as global companies potentially linked to offshore energy projects in the South China Sea, from March 2021 to March 2022.

These attacks made use of malicious RTF documents to deliver a first-stage downloader that then acted as a conduit to retrieve encrypted versions of Meterpreter shellcode. One of the victims of this campaign in March 2022 was a European manufacturer of heavy equipment used in offshore wind farms in the Taiwan Strait.

That’s not all. APT40 has also been attributed as responsible for the copy-paste compromises that the Australian Cyber Security Centre (ACSC) disclosed in June 2020 and that were directed against government agencies.

“This threat actor has demonstrated a consistent focus on entities involved with energy exploration in the South China Sea, in tandem with domestic Australian targets including defense and healthcare,” the researchers said.
