The Bait: Fake News Articles
Researchers at Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team discovered that the APT used fake news articles as bait to lure victims into clicking on a link that would lead them to a compromised website. The websites, which appeared to be legitimate news sites like the BBC and Sky News, actually delivered the ScanBox JavaScript-based reconnaissance tool.
The ScanBox Keylogger: A Stealthy Malware
ScanBox is a customizable, multifunctional framework that adversaries use for covert reconnaissance. Unlike traditional malware, ScanBox does not need physical access to a system or an installed binary to steal sensitive information; it runs as JavaScript code executed by the victim’s web browser. This makes it particularly dangerous, as it can capture everything the victim types while on the infected watering hole website.
How ScanBox Works
The ScanBox framework acts as a keylogger, capturing user data entered on compromised websites. It also implements WebRTC (Web Real-Time Communication), a technology for real-time communication between browsers and mobile applications. This allows the APT to connect to pre-configured targets and gather valuable intelligence on potential victims.
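Because ScanBox runs as JavaScript served from a compromised site, one check a site owner or incident responder can run is an inventory of every script origin a page loads, compared against the origins the site is expected to use. The snippet below is an added example, not code from the article, Proofpoint, PwC or ScanBox itself; the allowlisted origins, the sample script list and the page origin are constructed placeholders, and the function names are my own.

```javascript
// Added example: audit the script sources a page loads against an allowlist
// of expected origins, flagging anything injected from elsewhere.
// All origins and sample URLs below are constructed for illustration.

// Assumed first-party origins for a hypothetical news site.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example-news.test",    // assumed main site origin
  "https://static.example-news.test"  // assumed first-party asset host
]);

// Classify a single script src attribute. `pageOrigin` is used to resolve
// relative URLs. Returns { src, origin, verdict }.
function classifyScript(src, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  if (!src) {
    // No src attribute: an inline script, which the allowlist cannot vouch for.
    return { src: "", origin: null, verdict: "inline" };
  }
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return { src, origin: null, verdict: "unparseable" };
  }
  if (url.protocol === "http:") {
    // Plain HTTP scripts can be swapped in transit, so flag them regardless.
    return { src, origin: url.origin, verdict: "insecure-transport" };
  }
  if (url.protocol !== "https:") {
    // data:, blob: and similar schemes carry code with no accountable origin.
    return { src, origin: url.origin, verdict: "non-https-scheme" };
  }
  return {
    src,
    origin: url.origin,
    verdict: allowed.has(url.origin) ? "allowed" : "unexpected"
  };
}

// Return only the findings that need a human to look at them.
function auditScripts(srcs, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  return srcs
    .map((s) => classifyScript(s, pageOrigin, allowed))
    .filter((f) => f.verdict !== "allowed");
}

// In a browser, pull the script list from the live DOM; elsewhere the caller
// passes a list in (as the sample below does).
function collectScriptSources(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  return Array.from(doc.scripts).map((s) => s.getAttribute("src") || "");
}

// Constructed sample: two expected scripts, one injected loader from an
// unrelated host, and one inline script.
const SAMPLE_SCRIPTS = [
  "/assets/app.js",
  "https://static.example-news.test/analytics.js",
  "https://cdn.unrelated-host.test/loader.js",
  ""
];

const SAMPLE_PAGE_ORIGIN = "https://www.example-news.test";
const findings = auditScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE_ORIGIN);
for (const f of findings) {
  console.log(`${f.verdict.padEnd(18)} ${f.src || "(inline script)"}`);
}
```

Running it against the constructed sample reports the loader from `cdn.unrelated-host.test` as unexpected and the inline script as unverifiable, while the two first-party scripts pass. In practice the allowlist is derived from the site's own build, and an unexpected entry on a page that was not recently deployed is worth treating as a possible compromise rather than a false positive.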
STUN: Enabling NAT Traversal
ScanBox uses STUN (Session Traversal Utilities for NAT), a standardized set of methods that lets interactive communications pass through network address translator (NAT) gateways. This lets the APT communicate with victim machines even when they sit behind NAT, which makes the activity harder to detect and mitigate.
Threat Actors: Supporting Chinese Government Interests
The TA423 APT group is believed to be supporting the Chinese government in matters related to the South China Sea, including during recent tensions in Taiwan. The group’s focus on naval issues is likely to remain a priority in regions like Malaysia, Singapore, Taiwan, and Australia.
A Persistent Threat
Despite a 2021 Department of Justice indictment that revealed the group’s involvement in stealing trade secrets and confidential business information from victims worldwide, TA423 has continued to operate with little disruption. Analysts expect the APT to continue pursuing its intelligence-gathering and espionage mission, making it essential for organizations and governments to remain vigilant against these types of attacks.
Takeaways
- APT TA423 is using watering hole attacks to distribute the ScanBox keylogger framework.
- ScanBox is a stealthy malware that can capture user data without requiring physical access to a system.
- The use of STUN technology enables NAT traversal, making it more difficult to detect and mitigate attacks.
- Organizations operating in regions with high APT activity should prioritize security measures to protect against these types of threats.