China-Based Group Uses ScanBox Framework in Espionage Attacks

The group activity has overlaps with APT40, which has continued its “operational tempo” despite a previous indictment by the U.S. Department of Justice in 2021.

A known China-based espionage actor in April leveraged the ScanBox exploitation framework in order to spy on local and federal government agencies and news media companies in Australia, as well as several global companies involved in offshore energy projects in the South China Sea.

The latter type of victim included global heavy industry manufacturers that conduct maintenance of fleets of wind turbines off the shore of the South China Sea. For instance, the threat group launched a phishing attack in March on a European supplier of heavy equipment used in the installation of an offshore wind farm in the Strait of Taiwan called the YunLin Offshore Wind Farm. The targeting of these development projects coincided with a “time of tensions between China and other countries related to development projects of high strategic importance,” said researchers.

The threat actor, known as TA423 or Red Ladon, has overlaps in activity with APT40, which was highlighted by the U.S. Department of Justice in a 2021 indictment that assessed that the group provides long-running support to the Hainan Province Ministry of State Security (MSS) and has focused on intellectual property related to naval technology developed by federally-funded defense contractors globally. Since this July 2021 indictment, however, Proofpoint analysts said in new research this week they have not observed a distinct disruption of operational tempo specifically for phishing campaigns associated with TA423/Red Ladon.

“While the indictment attributed this threat actor to a specific entity operating with support of a Chinese state intelligence agency, the technical details included did not cover the tactics currently in use by the group in the wild,” said Michael Raggi, with Proofpoint, and Sveva Scenarelli at PwC, in a joint Tuesday analysis. “As a result, the group was free to continue its usage of novel phishing techniques like RTF Template Injection which began in early 2021 (before the indictment) and persisted through March 2022.”

“Overall, Proofpoint and PwC collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the United States."

These attacks started with phishing emails from Gmail and Outlook email addresses, posing as an employee of a fictional media publication called “Australian Morning News” under the guise of soliciting user feedback, or using a variety of lures, including “Sick Leave,” “User Research” and “Request Cooperation.”

Victims that clicked on the links in the emails were redirected to a site purporting to be the Australian media publication, and were served the ScanBox framework. This reconnaissance framework, which first appeared in 2014, has previously been used by a number of China-based threat groups, including by TA423 in 2018. The framework, which PwC has assessed is “highly likely” to be shared privately among multiple China-based threat actors, allows threat actors to profile their victims (collecting information like language, location and operating system of the victims’ browsers and more, for instance) and deliver further malware to victims. While the framework has typically been delivered from websites that were previously compromised, with malicious JavaScript code being injected into them, in this attack the threat actor already controlled the malicious site. While ScanBox can deliver JavaScript code in one single block, researchers observed the framework using a more modular architecture that is plugin based in the April campaign.

“While delivering the entire code at once would allow threat actors full functionality on a victim system, PwC threat intelligence analysts assess that a primary motivation for selectively loading plugins is likely a way to prevent crashes or errors that might tip off the owners of compromised websites,” said researchers. “PwC assesses that another likely motivation to adopt a modular architecture was to reduce researchers’ visibility and access into the plugins and the threat actor’s toolset.”

The group, which has been active since at least 2014, has had a previous interest in maritime industries, naval defense contractors, and associated research institutions in the United States, Western Europe and the South China Sea, often sending spear phishing emails against targets with the end goal of deploying tools like Cobalt Strike or custom Javascript malware.

“Overall, Proofpoint and PwC collectively expect TA423/Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the United States,” said researchers.