‘Watering Hole’ Attacks Use ScanBox Keylogger!

Researchers have just uncovered a ‘Watering Hole’ attack likely conducted by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

A China-based threat player has increased efforts to distribute the ScanBox reconnaissance framework to victims that include Australian organisations & offshore energy firms in the S. China Sea. The bait used by the advanced persistent threat (APT) group is targeted messages that appear to link to Australian news websites.

Launched April

The cyber-espionage campaigns are believed to have run from April 2022 until mid-June 2022, according to a Tuesday report by Proofpoint’s Threat Research Team & PwC’s Threat Intelligence team.

The threat player, researchers say, is believed to be the China-based APT TA423, also known as Red Ladon. “Proofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423 / Red Ladon, which multiple reports assess to operate out of Hainan Island, China,” states the report.

US Department of Justice

The APT is most recently known for a US Department of Justice indictment. “A 2021 indictment by the US Department of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS),” researchers commented.

MSS is the civilian intelligence, security & cyber police agency for the People’s Republic of China. It is believed responsible for counterintelligence, foreign intelligence & political security, & is tied to industrial & cyber espionage attempts by China.

ScanBox

This campaign uses the ScanBox framework. ScanBox is a customisable & multifunctional JavaScript-based framework used by adversaries to conduct covert reconnaissance.

ScanBox has been used for nearly a decade & is dangerous because criminals can use the tool to conduct counterintelligence without having to plant malware on a target’s system.

“ScanBox is particularly dangerous as it doesn’t require malware to be successfully deployed to disk in order to steal information – the keylogging functionality simply requires the JavaScript code to be executed by a web browser,” according to PwC researchers referring to a previous campaign.

JavaScript

Instead of malware, attackers can use ScanBox in tandem with watering hole attacks. Adversaries load the malicious JavaScript onto a compromised website, where ScanBox acts as a keylogger, stealing all of a user’s typed activity on the infected watering hole website.

TA423’s attacks began with phishing emails, with such titles as “Sick Leave,” “User Research” & “Request Co-operation.” Often, the emails seem to come from an employee of the “Australian Morning News,” a ‘fictional’ organisation. The employee implored targets to visit their “humble news website,” australianmorningnews[.]com.

“Upon clicking the link & redirecting to the site, visitors were served the ScanBox framework,” researchers wrote.

BBC & Sky News

The link directed victims to a web page with content copied from actual news sites, e.g. the BBC & Sky News. Simultaneously, it also delivered the ScanBox malware framework.

ScanBox keylogger data taken from ‘waterholes’ is part of a multi-stage attack, giving attackers knowledge of the potential targets that will help them launch future attacks against them. This technique is often called ‘browser fingerprinting.’

List of Information

The primary, initial script sources a list of information about the target computer, including the operating system, language & version of Adobe Flash installed. ScanBox additionally runs a check for browser extensions, plugins & components such as WebRTC.

“The module implements WebRTC, a free & open-source technology supported on all major browsers, which allows web browsers & mobile applications to perform real-time communication (RTC) over application programming interfaces (APIs). This allows ScanBox to connect to a set of pre-configured targets,” researchers explained.
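The keylogging, fingerprinting and WebRTC behaviours described above can be triaged statically from a captured copy of the served page. The following is an added example written for this article (not ScanBox code and not Proofpoint or PwC tooling) that scans HTML taken from a web proxy or sandbox for that combination of indicators; the hostnames in the sample page are placeholders.

```javascript
// Added example, not ScanBox code and not Proofpoint/PwC tooling: a static
// triage check over HTML captured by a web proxy or sandbox, flagging the
// combination the report attributes to ScanBox: keystroke capture,
// browser/plugin fingerprinting and WebRTC/STUN use.

// Each indicator maps to the JavaScript API patterns that realise it. Any
// one alone is common on benign pages; the verdict weights the combination.
const RULES = {
  keylogging: /addEventListener\(\s*["']key(?:press|down|up)["']|\.onkey(?:press|down|up)\s*=/,
  fingerprinting: /navigator\.(?:plugins|mimeTypes|userAgent|language)|ShockwaveFlash/,
  webrtc_stun: /RTCPeerConnection|iceServers|["']stun:/,
};

// Pull inline script bodies and external script URLs out of raw HTML (regex is adequate for triage).
function extractScripts(html) {
  const inline = [];
  const external = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /src\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]); else inline.push(m[2]);
  }
  return { inline, external };
}

// Returns the indicators hit, the off-origin script hosts, and a verdict:
// "suspicious" when keylogging co-occurs with fingerprinting or WebRTC/STUN,
// which is the ScanBox profile described in the report.
function triagePage(html, pageHost) {
  const { inline, external } = extractScripts(html);
  const code = inline.join("\n");
  const hits = Object.keys(RULES).filter((name) => RULES[name].test(code));
  const thirdParty = external
    .map((u) => { try { return new URL(u, `https://${pageHost}/`).host; } catch { return null; } })
    .filter((h) => h && h !== pageHost);
  const suspicious = hits.includes("keylogging") &&
    (hits.includes("fingerprinting") || hits.includes("webrtc_stun"));
  return { hits, thirdParty, verdict: suspicious ? "suspicious" : "benign" };
}

// Constructed sample page (indicator tokens only, not a working payload);
// the hostnames are placeholders.
const SAMPLE_HTML = `<html><body><h1>Headlines</h1>
<script src="https://cdn.example.net/lib.js"></script>
<script>
document.addEventListener("keypress", onKey);
var fp = navigator.userAgent + navigator.plugins.length;
var pc = new RTCPeerConnection({ iceServers: [{ urls: "stun:stun.example.org:3478" }] });
</script></body></html>`;
```

Running `triagePage(SAMPLE_HTML, "news.example")` returns all three indicators, the off-origin host `cdn.example.net` and the verdict `suspicious`; a page that only reads `navigator.language` stays `benign`.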

Session Traversal Utilities for NAT

Adversaries can then use a technology called STUN (Session Traversal Utilities for NAT). This is a ‘standardised’ set of methods, including a network protocol, which allows interactive communications (including real-time voice, video, & messaging applications) to move across network address translator (NAT) gateways, researchers explain.

“STUN is supported by the WebRTC protocol. Through a 3rd-party STUN server located on the Internet, it lets hosts discover the presence of a NAT, & to discover the mapped IP address & port number that the NAT has allocated for the application’s User Datagram Protocol (UDP) flows to remote hosts.

Peer-to-Peer

ScanBox implements NAT traversal using STUN servers as part of Interactive Connectivity Establishment (ICE), a peer-to-peer communication method used for clients to communicate as directly as possible, avoiding having to communicate through NATs, firewalls, or other solutions,” according to researchers.

“This means that the ScanBox module can set up ICE communications to STUN servers & communicate with victim machines even if they are behind NAT,” they outlined.
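What the STUN exchange described above actually hands to the page is the NAT-mapped public address and port, XOR-ed with the STUN magic cookie in the XOR-MAPPED-ADDRESS attribute (RFC 5389). The decoder below is an added example, not ScanBox code; it parses a constructed Binding Success Response so a defender can see exactly what is disclosed, and the same parsing applies to UDP traffic captured on the way to a STUN server.

```javascript
// Added example, not ScanBox code: a decoder for the STUN Binding Success
// Response (RFC 5389) that WebRTC/ICE receives from a STUN server. It shows
// what such an exchange discloses to a page: the NAT-mapped public IP and
// port, carried XOR-ed with the magic cookie in XOR-MAPPED-ADDRESS.
// A network monitor can run the same parsing on UDP traffic to STUN servers.
const MAGIC_COOKIE = 0x2112a442;
const BINDING_SUCCESS_RESPONSE = 0x0101;
const XOR_MAPPED_ADDRESS = 0x0020;

// Returns { txid, ip, port } from an IPv4 Binding Success Response, or throws.
function parseStunBindingResponse(buf) {
  if (buf.length < 20) throw new Error("short STUN header");
  const type = buf.readUInt16BE(0);
  const len = buf.readUInt16BE(2);
  if (buf.readUInt32BE(4) !== MAGIC_COOKIE) throw new Error("bad magic cookie");
  if (type !== BINDING_SUCCESS_RESPONSE) throw new Error("not a Binding Success Response");
  if (20 + len > buf.length) throw new Error("truncated attributes");
  const txid = buf.subarray(8, 20).toString("hex");
  let off = 20;
  while (off + 4 <= 20 + len) {
    const attrType = buf.readUInt16BE(off);
    const attrLen = buf.readUInt16BE(off + 2);
    const val = buf.subarray(off + 4, off + 4 + attrLen);
    // Family 0x01 is IPv4: 1 reserved byte, 1 family byte, X-Port, X-Address.
    if (attrType === XOR_MAPPED_ADDRESS && attrLen === 8 && val[1] === 0x01) {
      const port = val.readUInt16BE(2) ^ (MAGIC_COOKIE >>> 16);
      const addr = (val.readUInt32BE(4) ^ MAGIC_COOKIE) >>> 0;
      const ip = [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join(".");
      return { txid, ip, port };
    }
    off += 4 + ((attrLen + 3) & ~3); // attribute values are padded to 4 bytes
  }
  throw new Error("no IPv4 XOR-MAPPED-ADDRESS attribute");
}

// Constructed sample response: transaction ID 00..0b and one XOR-MAPPED-ADDRESS
// attribute encoding 203.0.113.7:54321 (documentation address, not a real host).
const SAMPLE_RESPONSE = Buffer.from([
  0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42, // type, length 12, magic cookie
  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, // txid
  0x00, 0x20, 0x00, 0x08, 0x00, 0x01, 0xf5, 0x23, 0xea, 0x12, 0xd5, 0x45, // attr
]);
```

`parseStunBindingResponse(SAMPLE_RESPONSE)` yields `203.0.113.7` and port `54321`, which is the reflexive address the browser then places in its ICE candidates.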

Threat Players

The threat players “support the Chinese Govt. in matters related to the South China Sea, including during the recent tensions in Taiwan,” Sherrod DeGrippo, VP of Threat Research & Detection at Proofpoint, explained in a statement.

“This group specifically wants to know who is active in the region &, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, & Australia.”

Stolen Trade Secrets

The group has, in the past, expanded well beyond Australasia. According to a Department of Justice indictment from July 2021, the group has “stolen trade secrets & confidential business information” from victims in “the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland & the UK.

Targeted industries included, inter alia, aviation, defence, education, govt., health care, bio-pharmaceutical & maritime.”

Despite the DoJ indictment, analysts “have not observed a distinct disruption of operational tempo” from TA423, & they “collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering & espionage mission.”
