A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals.
“The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea,” enterprise security firm Proofpoint said in a published in partnership with PwC.
Targets encompass local and federal Australian Governmental agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea.
Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two companies under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan.
APT40 is the name designated to a China-based, espionage-motivated threat actor that’s known to be active since 2013 and has a pattern of striking entities in the Asia-Pacific region, with a primary focus on the South China Sea. In July 2021, the U.S. government and its allies tied the adversarial collective to China’s Ministry of State Security (MSS).
Attacks took the form of several phishing campaign waves between April 12 and June 15 that employed URLs masquerading as Australian media firms to deliver the ScanBox reconnaissance framework. The phishing emails came with subject lines such as “Sick Leave,” “User Research,” and “Request Cooperation.”
“The threat actor would frequently pose as an employee of the fictional media publication ‘Australian Morning News,’ providing a URL to the malicious domain and soliciting targets to view its website or share research content that the website would publish,” the researchers said.
Some of the notable threat actors that have been previously observed using ScanBox include APT10 (aka Red Apollo or Stone Panda), APT27 (aka Emissary Panda, Lucky Mouse, or Red Phoenix), and TA413 (aka Lucky Cat).
Also retrieved and executed by the malware in the victim’s web browser are a number of plugins that allow it to log keystrokes, fingerprint the browser, gather a list of browser add-ons installed, communicate with the infected machines, and check for the presence of Kaspersky Internet Security (KIS) software.
This is not the first time APT40 has adopted the modus operandi of utilizing fake news websites to deploy ScanBox. A 2018 phishing campaign uncovered by Mandiant used news article URLs hosted on a rogue domain as lures to trick recipients into downloading the malware.
Interestingly, the April-June attacks are part of a sustained phishing activity linked to the same threat actor targeting organizations based in Malaysia and Australia as well as global companies potentially related to offshore energy projects in the South China Sea from March 2021 to March 2022.
These attacks made use of malicious RTF documents to deliver a first-stage downloader that then acted as a conduit to retrieve encoded versions of the Meterpreter shellcode. One of the victims of this campaign in March 2022 was a European manufacturer of heavy equipment that’s utilized in offshore wind farms in the Strait of Taiwan.
That’s not all. APT40 has also been attributed as behind the Copy-Paste Compromises the Australian Cyber Security Centre (ACSC) disclosed in June 2020 that were directed against government agencies.
“This threat actor has demonstrated a consistent focus on entities involved with energy exploration in the South China Sea, in tandem with domestic Australian targets including defense and healthcare,” the researchers said.