Watering Hole Attacks Push ScanBox Keylogger


Blizine Admin

Author: Nate Nelson
August 30, 2022 12:00 pm

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

A China-based threat actor has ramped up efforts to distribute the ScanBox reconnaissance framework to victims that include domestic Australian organizations and offshore energy firms in the South China Sea. The bait used by the advanced persistent threat (APT) group is targeted messages that supposedly link to Australian news websites.

The cyber-espionage campaigns are believed to have launched in April 2022 and run through mid-June 2022, according to a Tuesday report by Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team. The threat actor, according to researchers, is believed to be the China-based APT TA423, also known as Red Ladon.

“Proofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423 / Red Ladon, which multiple reports assess to operate out of Hainan Island, China,” according to the report.

The APT is most recently known for an indictment. “A 2021 indictment by the US Department of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS),” researchers said.

MSS is the civilian intelligence, security and cyber police agency for the People’s Republic of China. It is believed responsible for counter-intelligence, foreign intelligence and political security, and is tied to industrial and cyber espionage efforts by China.

Dusting Off the ScanBox

The campaign leverages the ScanBox framework. ScanBox is a customizable and multifunctional JavaScript-based framework used by adversaries to conduct covert reconnaissance. ScanBox has been used by adversaries for nearly a decade and is noteworthy because criminals can use the tool to conduc

📰Threatpost — threatpost.com
