Novel Chinese cyberespionage efforts leverage ScanBox reconnaissance tool

Organizations in Australia and offshore energy companies operating in the South China Sea have been targeted by Chinese state-sponsored advanced persistent threat actor TA423, also known as Red Ladon, in cyberespionage campaigns leveraging the ScanBox reconnaissance framework, according to Threatpost. TA423 commences the attacks with phishing emails claiming to be from an employee of the fictional organization "Australian Morning News" that lures recipients into visiting the company's website, which then redirects to a web page with content from legitimate news sites while delivering the ScanBox malware framework, a report from Proofpoints Threat Research Team and PwCs Threat Intelligence team revealed. ScanBox then helps facilitate a multi-stage attack, with the primary initial script culling system details from the target computer while tracking browser extensions and plugins. Implementation of WebRTC enables ScanBox to link with pre-configured targets, as well as allows Session Traversal Utilities for NAT technology use for attackers. Such attacks were conducted to support the Chinese government amid tensions in Taiwan, noted Proofpoint Vice President of Threat Research and Detection Sherrod DeGrippo.