
Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks
2022-08-31 01:53

A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals.

"The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint said in research published in partnership with PwC. Targets include local and federal Australian government agencies, Australian news media companies, and global heavy industry manufacturers that maintain fleets of wind turbines in the South China Sea.

The attacks took the form of several waves of phishing campaigns between April 12 and June 15 that used URLs masquerading as Australian media firms to deliver the ScanBox reconnaissance framework.

Unlike watering hole or strategic web compromise attacks, in which a legitimate website known to be visited by the targets is infected with malicious JavaScript code, the APT40 activity relies on an actor-controlled domain to deliver the malware.

ScanBox, used in attacks as early as 2014, is a JavaScript-based malware that enables threat actors to profile their victims as well as deliver next-stage payloads to targets of interest.

Interestingly, the April-June attacks are part of sustained phishing activity linked to the same threat actor that, from March 2021 to March 2022, targeted organizations based in Malaysia and Australia as well as global companies potentially connected to offshore energy projects in the South China Sea.


News URL

https://thehackernews.com/2022/08/chinese-hackers-used-scanbox-framework.html