Hackers trick politicians with fake news website

The culprits have claimed to be from organisations called Australian Morning News, The Australian and Herald Sun

Image:
The culprits have claimed to be from organisations called Australian Morning News, The Australian and Herald Sun

Researchers are pointing the finger of blame at China.

Threat actors allegedly linked to the Chinese government are targeting Australian government agencies, journalists and others by using a fake news website that implants malicious software on victims' computers.

Security researchers at Proofpoint who tracked this phishing campaign said it has been going on for more than a year, and is still continuing.

As part of the scam, the criminals send emails purporting to be from Australian news outlets. The targets are then led to a phoney news website that downloads malicious software onto the target's device, which the culprits use to collect technical data.

The researchers are confident that the China-based TA423 threat group is responsible. The group, also known as APT40, Leviathan and Red Ladon, has been active since 2013.

"We take attribution very seriously," said Proofpoint threat research and detection VP Sherrod DeGrippo.

"We specifically don't release attribution unless we have high confidence."

Proofpoint researchers observed many phishing campaign waves between the 12th April and 15th June as part of the latest attacks. Emails in the most recent effort included subject lines like 'Sick Leave,' 'User Research,' and 'Request Cooperation,' and claimed to be from 'Australian Morning News.'

Some emails requested recipients to review the site and consider writing for it.

Those who visited the website were served with a copy of the ScanBox framework via JavaScript execution and staged module loading.

ScanBox is built on JavaScript and gives threat actors access to victim profiles, as well as the ability to check their visited websites and to deliver next-stage payloads to specific targets.

At least six China-based threat actors have used ScanBox in the past, and there is enough evidence to conclude that the toolkit has been in use since at least 2014.

"Scanbox essentially is a web reconnaissance and exploitation framework," DeGrippo said.

The latest attack seems to target persons engaged in energy production, such as offshore energy exploration in the South China Sea, wind turbine manufacturing and alternative energy, as well as those involved in defence contracting and healthcare and financial services.

Based on current evidence from the targeting tools and techniques, Proofpoint concluded that the 2022 campaign is the third phase of the same intelligence-gathering effort APT40 has been conducting since March 2021.

The threat actors at that time pretended to be journalists from publications like 'The Australian' and 'Herald Sun', performing RTF Template injections and installing Meterpreter on the victims' computers as a result.

The group has a lengthy history of cyber attacks, leading the US Department of Justice to charge four APT40 members in July 2021.