Chinese cyber espionage gang targets Australia

September 1, 2022

A Chinese cyber espionage gang has targeted Australian entities with reconnaissance malware to harvest details that it could use to execute more targeted attacks on different sectors.

The campaign targeted energy, manufacturing, and government personnel in the Asia-Pacific region with phishing emails that directed victims to a fake news outlet. According to researchers, the attackers are known as Red Ladon (AKA TA423). They built the phoney news outlet to distribute malware dubbed ScanBox.

This latest campaign, which ran between April and June this year, appeared to focus on global heavy-industry manufacturers that maintain fleets of wind turbines in the South China Sea.

The fake news outlet is called “Australian Morning News,” a site that reuses images and stories from authentic news organisations. Some researchers also noted that this campaign resembles the cyber espionage attack used against Cambodia in 2018.

The subject lines of the phishing emails used terms such as “Sick Leave,” “User Research,” and “Request Cooperation,” so that the sender could pose as a modest news website seeking reader feedback.

The Chinese cyber espionage gang still uses ScanBox to infect its victims.

Based on reports, the gang still deploys malware that dates back to 2014. ScanBox lets attackers log keystrokes and gather large amounts of data from its victims, which they use to plan later exploitation more effectively.

The harvested details include software versions and configurations, operating system details, and browser versions, and later exploits are tailored to them. Research published in 2015 concluded that several China-based operations had used ScanBox for years, and in February last year another researcher observed a Chinese-backed threat group using the tool against Tibetan organisations.

Red Ladon’s latest operation also showed links to earlier activity dating to March last year: phishing emails were disseminated between March and September 2021 using malicious RTF files to distribute Meterpreter.

Meterpreter is an attack payload from the Metasploit framework that lets an attacker run commands on a compromised device.
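The two lure patterns the article describes, subject lines posing as a news site asking for feedback with links to a look-alike outlet, and the earlier wave of RTF attachments carrying Meterpreter, can be turned into simple mail-triage checks. The script below is an added example written for this page, not code from the article or from any vendor report. It assumes only the subject terms and the RTF attachment type named above; the sender, recipient, and link domains in the constructed sample message are placeholders, not real indicators.

```python
"""Triage an inbound e-mail for the lure patterns described in the article.

Added example. Checks: (1) subject matches a reported lure theme,
(2) RTF attachments (the 2021 wave used malicious RTF files),
(3) links whose visible text names a different host than the href.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Subject themes reported for the campaign (from the article).
LURE_SUBJECTS = ("sick leave", "user research", "request cooperation")
# Attachment extensions the article ties to the earlier Meterpreter wave.
RISKY_ATTACHMENT_EXT = (".rtf",)

# Minimal anchor-tag matcher; good enough for triage, not a full HTML parser.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (non-compat32) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def subject_matches_lure(msg: EmailMessage) -> bool:
    subject = str(msg["subject"] or "").lower()
    return any(term in subject for term in LURE_SUBJECTS)


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Return filenames of attachments with a risky extension."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            names.append(name)
    return names


def mismatched_links(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (display_text, href) pairs where the visible text names a host
    that differs from the host the link actually points to."""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    html = html_part.get_content()
    out = []
    for href, text in HREF_RE.findall(html):
        text_clean = re.sub(r"<[^>]+>", "", text).strip()
        target_host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT_RE.search(text_clean.lower())
        if m and m.group(1) != target_host:
            out.append((text_clean, href))
    return out


def triage(raw: bytes) -> dict:
    """Run all checks and return findings plus a simple additive score."""
    msg = parse_message(raw)
    findings = {
        "lure_subject": subject_matches_lure(msg),
        "risky_attachments": risky_attachments(msg),
        "mismatched_links": mismatched_links(msg),
    }
    findings["score"] = (int(findings["lure_subject"])
                         + len(findings["risky_attachments"])
                         + len(findings["mismatched_links"]))
    return findings


def build_sample() -> bytes:
    """Constructed sample message; every address and domain is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "editor@news-example.invalid"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Request Cooperation: reader survey"
    msg.set_content("Please see the attached survey and our latest story.")
    msg.add_alternative(
        '<p>Read more at <a href="http://placeholder-lure.invalid/story">'
        "australian-morning-news.example</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"{\\rtf1 constructed sample}", maintype="application",
                       subtype="rtf", filename="survey.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The score is deliberately crude: each check contributes independently so an analyst can see which signal fired. In practice the subject list would be fed from current threat intelligence rather than hard-coded, and the attachment check would look at file content, not just the extension.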

These China-based threat groups constantly seek attacks that may benefit their interests. One such benefit is that future exploits become easier once they have acquired essential data about their next target. Organisations should therefore fortify their defences to reduce these groups’ chances of a successful attack.
