Hackers trick politicians with fake news website

Threat actors allegedly linked to the Chinese government are targeting Australian government agencies, journalists and others using a fake news website that implants malware on victims’ computers.

Proofpoint security researchers who tracked this phishing campaign says it’s been going on for over a yearand still continues.

As part of the scam, the criminals send emails claiming to be from Australian media. The targets are then directed to a fake news website that downloads malware onto the target’s device, which the culprits use to collect technical data.

Researchers are convinced that the China-based threat group TA423 is responsible. The group, also known as APT40, Leviathan and Red Ladon, has been active since 2013.

“We take attribution very seriously,” said Sherrod DeGrippo, vice president of research and threat detection at Proofpoint.

“We only specifically release the attribution if we have high confidence.”

Proofpoint researchers observed numerous waves of phishing campaigns between April 12 and June 15 in the latest attacks. Emails from the most recent effort included subject lines such as “Sick leave”, “Looking for users” and “Request for cooperation”, and claimed to be from “Australian Morning News”.

Some emails asked recipients to check out the site and consider writing for it.

Those who visited the website received a copy of the ScanBox framework via running JavaScript and loading the module in stages.

ScanBox is built on top of JavaScript and gives threat actors access to victim profiles, as well as the ability to verify their visited websites and deliver next-step payloads to specific targets.

At least six China-based threat actors have used ScanBox in the past, and there is enough evidence to conclude that the toolkit has been in use since at least 2014.

“Scanbox is essentially a web reconnaissance and exploitation framework,” DeGrippo said.

The latest attack appears to target people engaged in energy production, such as offshore energy exploration in the South China Sea, wind turbine manufacturing and alternative energy, as well as those involved in defense contracts and services health and finances.

Based on current evidence of targeting tools and techniques, Proofpoint concluded that the 2022 campaign is the third phase of the same intelligence gathering effort that APT40 has been conducting since March 2021.

Threat actors at the time posed as journalists from publications such as “The Australian” and “Herald Sun”, injecting RTF patterns and installing Meterpreter on victims’ computers as a result.

The group has a long history of cyberattacks, which led the US Department of Justice to indict four APT40 members in July 2021.

Daniel L. Vasquez