A months-long cyber espionage campaign undertaken by a Chinese
nation-state group targeted several entities with reconnaissance
malware to glean information about its victims and advance its
strategic goals.
“The targets of this recent campaign spanned Australia,
Malaysia, and Europe, as well as entities that operate in the South
China Sea,” enterprise security firm Proofpoint said[1]
in a report published in partnership with PwC.
Targets encompass local and federal Australian government
agencies, Australian news media companies, and global heavy
industry manufacturers that maintain fleets of wind
turbines in the South China Sea.
Proofpoint and PwC attributed the intrusions with moderate
confidence to a threat actor tracked by the two companies under the
names TA423 and Red Ladon respectively, which is also known as
APT40 and Leviathan.
APT40 is the name assigned to a China-based,
espionage-motivated threat actor that is known to have been active since
2013 and has a pattern of striking entities in the Asia-Pacific
region, with a primary focus on the South China Sea. In July 2021,
the U.S. government and its allies tied[2]
the group to China’s Ministry of State Security
(MSS).
Attacks took the form of several phishing campaign waves between
April 12 and June 15 that employed URLs masquerading as Australian
media firms to deliver the ScanBox[3]
reconnaissance framework. The phishing emails came with subject
lines such as “Sick Leave,” “User Research,” and “Request
Cooperation.”
Unlike watering holes or strategic web compromises, wherein a
legitimate website known to be visited by the targets is infected
with malicious JavaScript code, the APT40 activity relies on an
actor-controlled domain to deliver the malware.
“The threat actor would frequently pose as an employee of the
fictional media publication ‘Australian Morning News,’ providing a
URL to the malicious domain and soliciting targets to view its
website or share research content that the website would publish,”
the researchers said.
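The lure pattern described above (a URL on an actor-controlled domain dressed up as a news outlet) lends itself to a simple mail-log triage. The helper below is an added example, not code from the Proofpoint/PwC research or from this article: it sorts URLs extracted from inbound mail into known-good news domains, lookalikes that reuse a news brand or brand-like token, and everything else. The allowlist, the brand tokens, the simplified public-suffix table and the sample URLs are all constructed for illustration and are not indicators from the report.

```python
"""Triage e-mail URLs that may impersonate news outlets (constructed example)."""
from urllib.parse import urlparse

# Hypothetical allowlist of legitimate news registrable domains (assumption).
LEGIT_NEWS_DOMAINS = {"abc.net.au", "smh.com.au", "theage.com.au", "news.com.au"}

# Brand-like tokens a lure domain is likely to reuse (assumption, not from the report).
NEWS_TOKENS = ("news", "morning", "herald", "australia", "australian", "abc", "smh")

# Suffixes under which the registrable domain keeps two labels (simplified PSL).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain, e.g. www.abc.net.au -> abc.net.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a URL seen in an e-mail body."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "other"
    if registrable_domain(host) in LEGIT_NEWS_DOMAINS:
        return "legit"
    # A legitimate brand appearing anywhere in the netloc but not as the registrable
    # domain covers subdomain tricks (smh.com.au.evil.example) and userinfo tricks
    # (https://www.abc.net.au@evil.example/), where hostname() drops the bait.
    netloc = parsed.netloc.lower()
    if any(legit in netloc for legit in LEGIT_NEWS_DOMAINS):
        return "lookalike"
    # Otherwise look for a news-brand token in the registrable label itself.
    name = registrable_domain(host).split(".")[0].replace("-", "")
    if any(tok in name for tok in NEWS_TOKENS):
        return "lookalike"
    return "other"


def triage(urls):
    """Group URLs by classification; analysts review the 'lookalike' bucket first."""
    buckets = {"legit": [], "lookalike": [], "other": []}
    for url in urls:
        buckets[classify_url(url)].append(url)
    return buckets


# Constructed sample input; none of these are real indicators.
SAMPLE_URLS = [
    "https://www.abc.net.au/news/2022-06-15/example-story",
    "http://australianmorningnews.example/article/10",   # hypothetical fake outlet
    "https://smh.com.au.news-update.example/read",       # brand as a subdomain
    "https://www.abc.net.au@evil.example/",              # brand in the userinfo part
    "https://intranet.example.org/sick-leave-form",
]

if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_URLS).items():
        print(bucket, urls)
```

Two caveats apply in practice: the public-suffix handling is deliberately minimal and should be replaced by a real public suffix list, and token matching will produce false positives on legitimate sites outside the allowlist, so the output is a review queue, not a block list.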
ScanBox, used in attacks[4]
as early as 2014, is a JavaScript-based malware framework[5] that enables threat
actors to profile their victims as well as deliver next-stage
payloads to targets of interest. It’s also known to be privately
shared amongst several China-based hacking groups, just like
HUI Loader, PlugX[6], and ShadowPad[7].
Some of the notable threat actors that have been previously
observed using ScanBox include APT10[8]
(aka Red Apollo or Stone Panda), APT27[9]
(aka Emissary Panda, Lucky Mouse, or Red Phoenix) and TA413[10] (aka Lucky Cat).
The malware also retrieves and executes in the victim’s web
browser a number of plugins that allow it to log keystrokes,
fingerprint the browser, enumerate the browser add-ons
installed, communicate with the infected machines, and check for
the presence of Kaspersky Internet Security (KIS) software.
This is not the first time APT40 has adopted the modus operandi
of utilizing fake news websites to deploy ScanBox. A 2018 phishing
campaign uncovered[11] by Mandiant used news
article URLs hosted on a rogue domain as lures to trick recipients
into downloading the malware.
Interestingly, the April-June attacks are part of sustained
phishing activity linked to the same threat actor that targeted
organizations based in Malaysia and Australia, as well as global
companies potentially related to offshore energy projects in the
South China Sea, from March 2021 to March 2022.
These attacks made use of malicious RTF documents to deliver a
first-stage downloader that then acted as a conduit to retrieve
encoded versions of the Meterpreter shellcode. One of the victims
of this campaign in March 2022 was a European manufacturer of heavy
equipment that’s utilized in offshore wind farms in the Strait of
Taiwan.
That’s not all. APT40 has also been identified as the actor behind the
Copy-Paste Compromises the Australian Cyber Security Centre (ACSC)
disclosed[12] in June 2020 that were
directed against government agencies.
“This threat actor has demonstrated a consistent focus on
entities involved with energy exploration in the South China Sea,
in tandem with domestic Australian targets including defense and
healthcare,” the researchers said.
References
[1] said (www.proofpoint.com)
[2] tied (www.proofpoint.com)
[3] ScanBox (www.virustotal.com)
[4] attacks (cybersecurity.att.com)
[5] JavaScript-based malware (malpedia.caad.fkie.fraunhofer.de)
[6] HUI Loader, PlugX (thehackernews.com)
[7] ShadowPad (thehackernews.com)
[8] APT10 (thehackernews.com)
[9] APT27 (thehackernews.com)
[10] TA413 (thehackernews.com)
[11] uncovered (www.mandiant.com)
[12] disclosed (thehackernews.com)
Read more https://thehackernews.com/2022/08/chinese-hackers-used-scanbox-framework.html