Researchers have uncovered a sophisticated watering hole attack conducted by APT TA423. This campaign uses the ScanBox framework to deliver keylogging malware. The attacks target domestic Australian organizations and offshore energy firms in the South China Sea. Initial phishing emails with subject lines such as “Sick Leave,” “User Research,” and “Request Cooperation” directed targets to a compromised website associated with the fictional news organization “Australian Morning News”. This website in fact served ScanBox malware.
ScanBox is a customizable JavaScript-based reconnaissance tool designed for covert intelligence gathering without deploying malware to the victim’s machine. By combining this framework with watering hole attacks, APT TA423 can gather sensitive information by keylogging users’ activity on the compromised websites. The initial script collected details about the target’s computer, including the operating system and installed browser extensions. This multi-stage attack gives the attackers valuable insight into potential targets for future campaigns.
APT TA423 is believed to operate out of Hainan Island in China and supports the local Ministry of State Security (MSS), which engages in counter-intelligence, foreign intelligence, and cyber espionage efforts.