A sophisticated cyber-espionage campaign attributed to the China-based threat actor TA423 (also known as Red Ladon) is actively targeting Australian organizations and offshore energy firms operating in the South China Sea. According to a joint report by Proofpoint and PwC, the group is using watering hole attacks to deploy the ScanBox reconnaissance framework, a potent JavaScript-based tool.
The campaign, observed between April and June 2022, demonstrates the group’s continued focus on intelligence gathering related to maritime and strategic interests in the region, likely in support of the Chinese government.
Attack Methodology: Phishing to Watering Hole
The attack chain begins with carefully crafted phishing emails sent to specific targets. These emails often masquerade as communications from a fictional news organization called the “Australian Morning News,” encouraging recipients to visit their website. Upon clicking the link, the victim is directed to a malicious site that appears legitimate by copying content from real news sources. In the background, this site secretly executes the ScanBox framework in the user’s browser.
ScanBox: Malware-less Reconnaissance
ScanBox is particularly dangerous because it does not require installing any malware onto the victim’s computer. It operates entirely within the web browser to conduct covert reconnaissance. Its primary functions include keylogging (capturing everything the user types on the compromised page) and extensive browser fingerprinting. The tool gathers detailed system information, such as operating system, browser extensions, and installed software versions. By leveraging the WebRTC and STUN protocols, ScanBox can even communicate with victim machines behind NAT firewalls, making it a highly effective espionage tool. Despite a 2021 U.S. Department of Justice indictment, TA423’s operations continue without disruption.
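The two in-browser behaviours described above (page-level keystroke capture and WebRTC peer connections) can be surfaced from the defender's side by instrumenting the browser APIs they depend on. The following is an added illustration, not code from the Proofpoint/PwC report or from ScanBox itself; the hook names, the flagging rule (a sensitive API used by a script served from an origin other than the page's own) and the sample stack trace are assumptions constructed for the example.

```javascript
// Added example: an audit hook that records which script origin registers
// keystroke listeners or opens WebRTC peer connections on a page.
// The flagging rule and all names are hypothetical, chosen for illustration.
const KEY_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input']);

// Best-effort origin of the calling script, taken from a stack trace:
// the first frame whose origin differs from the page's own, else the first frame.
function callerOrigin(stack, pageOrigin) {
  const origins = (stack || '').match(/https?:\/\/[^/\s)]+/g) || [];
  return origins.find((o) => o !== pageOrigin) || origins[0] || null;
}

// Pure classification so it can be tested without a browser:
// 'ignore' for non-sensitive events, 'suspicious' when a keystroke listener or
// an RTCPeerConnection comes from a cross-origin script, else 'same-origin'.
function classify(kind, scriptOrigin, pageOrigin) {
  const sensitive = kind === 'rtc' || KEY_EVENTS.has(kind);
  if (!sensitive) return 'ignore';
  if (scriptOrigin && scriptOrigin !== pageOrigin) return 'suspicious';
  return 'same-origin';
}

const findings = []; // collected for later review or telemetry export
function record(kind, stack, pageOrigin) {
  const origin = callerOrigin(stack, pageOrigin);
  const verdict = classify(kind, origin, pageOrigin);
  if (verdict === 'suspicious') findings.push({ kind, origin });
  return verdict;
}

// Install the hooks only when running inside a browser.
if (typeof window !== 'undefined') {
  const pageOrigin = window.location.origin;
  const origAdd = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, ...rest) {
    record(type, new Error().stack, pageOrigin);
    return origAdd.call(this, type, ...rest);
  };
  if (window.RTCPeerConnection) {
    const OrigRTC = window.RTCPeerConnection;
    window.RTCPeerConnection = function (...args) {
      record('rtc', new Error().stack, pageOrigin);
      return new OrigRTC(...args);
    };
    window.RTCPeerConnection.prototype = OrigRTC.prototype;
  }
}
```

Loaded before any other script (for instance from a monitoring extension), the hook must be installed before the page's own scripts run, since listeners registered earlier are not seen.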
Source: https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/