A cyberespionage group from china dubbed TA423 (aka Red Landon or APT 40) has been seen targetting Australian officials with reconnaissance malware called Scanbox to steal details about the victims hackers could use to execute more targeted strikes.
The cyberespionage campaign that focused on government, energy and manufacturing personnel in the Asia-Pacific region deployed phishing emails directing targets to a fake news outlet.
Active since 2013, with a primary focus on the South China Sea, but known to have victims across the globe. In 2021, the Department of Justice tied APT40 to China’s Ministry of State Security.
The hacking group in recent campaign appeared to focus on global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea. In the previous campaign back in 2018 it targetted Cambodia.
The phony “Australian Morning News” news site contained images and stories lifted from legitimate news organizations, With subject lines such as “Sick Leave,” “User Research” and “Request Cooperation,” the phishing emails initiated with the sender was starting a “humble news website” and wanted feedback.
The ScanBox allows attackers to log keystrokes and to collect a range of information about victims to better calibrate future exploitation, such as software versions and configurations, operating system details, browser versions.
Back in February 2021, researchers observed another Chinese-aligned group, TA413, using Scanbox to target Tibetan organizations globally.
The researchers linked that the phishing emails sent between March 2021 and September 2021 used malicious RTF files to deliver Meterpreter, malware within the Metasploit framework that allows an attacker to run commands on a victim computer.
In March 2022, the operation picked up again using a malicious Microsoft Word document, and then the current wave began in April using domains leading victims to the phony news website.
Researchers from Proofpoint and the PwC Threat Intelligence team jointly researched and published the report.