2022-09-06

APT40 Most Recent Attack Campaign Masquerades As News Agency

Level: Strategic | Source: Proofpoint

Sectors: Academic, Defense, Energy, Government, Health, Manufacturing, Media, Military

Espionage Campaigns by APT40 Attack News Agencies

Intelligence gathered by Proofpoint and PwC identified various cyber espionage campaigns conducted by APT40 (aka TA423, Leviathan and Red Ladon). The group's most recent campaign took place between April 2022 and June 2022, with the group masquerading as news agencies with the objective of distributing the open-source JavaScript-based reconnaissance tool ScanBox. The tool is assessed by PwC to be leveraged privately amongst China-based threat actors. ScanBox is modular, with capabilities to gather host system and application information and to collect keystrokes. The information collected facilitates the threat actor's follow-up objectives of further compromising the system for intelligence collection. This campaign targeted media sites, government entities, and the energy and manufacturing industries in Australia, Malaysia, and Europe, as well as several entities operating in the South China Sea. The threat group's victimology has stayed consistent over a thirteen-month observation period, along with TTPs such as the use of RTF template injection techniques and the distribution of ScanBox and Meterpreter.
