China-linked APT40 used ScanBox Framework in a long-running espionage campaign

Experts uncovered a cyber espionage campaign conducted by a China-linked APT group and aimed at several entities in the South China Sea.

Proofpoint’s Threat Research Team uncovered a cyber espionage campaign targeting entities across the world that was orchestrated by a China-linked threat actor. The campaign aimed at entities in Australia, Malaysia, and Europe, as well as organizations that operate in the South China Sea.

Proofpoint analyzed the campaign with the help of threat intelligence researchers from PwC.

The campaign has been active from April 2022 through June, the threat actor was observed delivering the ScanBox exploitation framework to target visitors of a rogue Australian news website.

The researchers attribute the campaign to the China-linked APT group tracked as TA423/Red Ladon.

TA423 is a China-linked cyber espionage group that has been active since 2013, it focuses on political events in the Asia-Pacific region, specifically on the South China Sea. Over the years, the group hit defence contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.   

“The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent recent efforts by TA423 / Red Ladon.” read the report published by the experts.

“Activity which overlaps with this threat actor has been publicly referred to in governmental indictments as “APT40” and “Leviathan.”

In June 2021, the U.S. Justice Department (DoJ) indicted four members of the China-linked cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking tens of government organizations, private businesses and universities around the world between 2011 and 2018.

The recent ScanBox-related phishing campaigns were conducted between April 2022 to June 2022 and primarily targeted local and federal Australian Governmental agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea.

The phishing messages originated from Gmail and Outlook email addresses likely created by the threat actor, and utilized multiple subjects including “Sick Leave,” “User Research,” and “Request Cooperation.” The attacker poses as an employee of the fictional media publication “Australian Morning News”, the messages attempt to trick recipients into visiting a link to a rogue domain that served the ScanBox framework.

“The malicious URLs provided in the emails also appear to use values that are customized for each target, although they all redirect to the same page and serve the same malicious payload. In one instance the threat actor was observed appending the URI extension “?p=23-<##>”. It appears that p=23 specifies the page value for landing page the user is redirected to, while the number string that follows it, e.g. the “11” in “?p=23-11”, appears to be a unique identifier for each recipient.” continues the report. “Proofpoint had also observed customized URLs, and URL redirect destinations distinct for each target, in TA423’s earlier campaigns in March 2022.”

ScanBox allows to deliver JavaScript code in one single block or as a plugin-based, modular architecture.

ScanBox can be used to harvest information on the victims are to deliver next-stage payloads to targets, it was employed by multiple China-linked APT groups ([1], [2], [3], [4], [5]) in the past, including Stone Panda APT, TA413, and LuckyMouse.

ScanBox was able to deliver multiple plugins as part of the attack, the final plugin that it delivers to targets checks whether Kaspersky Internet Security (KIS) is installed on the victim machine.

The researchers also correlated this campaign with previous campaigns orchestrated by the TA423 APT group which leveraged RTF template injection.   

RTF documents were used to drop the first-stage downloader on the victim’s systems, experts observed that RTF template injection URL returned a weaponized Microsoft Word document.

“The RTF template injection URL returned a macro-laden Microsoft Word document. The macro contains a series of hardcoded hex bytes stored as strings. These strings are reassembled by the macro and converted into two files, a PE and a DLL, which are saved to the victim host and executed. The macro also makes a URL request seemingly to return an “UpdateConfig” value which may be used by the final installed payload.” continues the report.

Researchers from Proofpoint conclude that this latest ScanBox campaign is part of a large caber espionage operation conducted by APT40 since March 2021.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ScanBox)

[adrotate banner=”5″]

[adrotate banner=”13″]