
ScanBox Malware

ScanBox Malware is a reconnaissance framework that cybercriminals can use to perform numerous intrusive actions on breached devices. The threat is mostly associated with the activities of Chinese state-backed hacking organizations. Some of the more notable threat actors that have deployed the ScanBox framework as part of their attack campaigns include APT10 (Red Apollo, Stone Panda), APT27 (Emissary Panda, Lucky Mouse, Red Phoenix), and TA413 (Lucky Cat). According to a report by cybersecurity researchers, ScanBox has more recently been a crucial component of a series of phishing attacks carried out by APT40. This cybercriminal group is also known as TA423, Red Ladon and Leviathan.

The attacks were focused primarily on Australian government agencies, Australian news and media companies, as well as international heavy industry manufacturers operating in the South China Sea. APT40 has an established pattern of targeting entities in the Asia-Pacific region and, more specifically, the South China Sea. Back in 2021, the U.S. government stated that there is evidence that this particular APT (Advanced Persistent Threat) group has ties to China's Ministry of State Security.

Attack Details

The ScanBox attacks begin with the dissemination of phishing emails containing a URL leading to a domain controlled by the hackers. The attackers pose as employees of a fabricated Australian media publication company named 'Australian Morning News.' They ask the targets to share research content to be published by the fake company or to view its website by following the provided URL.

The landing page of the website is designed to deliver a JavaScript payload of the ScanBox framework to the target. This initial component collects various information about the victim's computer: the current time, browser language, the installed Flash version, geolocation, the width and height of the screen, the character encoding and more. All of the obtained data is transmitted to the Command-and-Control (C&C, C2) server of the operation.

The C&C then sends a response containing instructions about which malicious plugins should be fetched and executed in the victim's browser. The modules are designed to perform specific tasks, depending on the exact goals of the attackers. The cybersecurity researchers have identified multiple such plugins: a keylogger, a browser fingerprinting module, a peer connection module, a plugin that checks for specific security and anti-malware tools, and a plugin that enumerates the legitimately installed browser plugins.
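The two-step exchange described in the preceding paragraphs (a first-stage fingerprint beacon, followed by a C&C reply naming the plugins to load) can be simulated offline. The following block is an added illustration written for this page, not ScanBox's own code: the browser environment is a constructed stand-in for `window.navigator`, `window.screen` and `document`, and the beacon field names, the C&C reply format, the plugin names and the `c2.example` host are all assumptions made for the example. The last function shows the detection side, flagging a request whose parameters look like such a reconnaissance beacon.

```javascript
'use strict';

// Constructed stand-in for the victim browser's globals. A real first-stage
// script would read window.navigator, window.screen, document and Date directly.
const fakeBrowser = {
  navigator: {
    language: 'en-AU',
    plugins: ['Chrome PDF Viewer', 'Shockwave Flash 32.0.0.465'],
  },
  screen: { width: 1920, height: 1080 },
  document: { characterSet: 'UTF-8' },
  now: () => new Date('2022-08-30T09:15:00Z'),
};

// Stage 1: gather the environment details a recon script collects
// (a subset of the list above; geolocation is omitted because it needs the browser API).
function collectFingerprint(browser) {
  const flash = browser.navigator.plugins.find((p) => /shockwave flash/i.test(p));
  return {
    time: browser.now().toISOString(),
    lang: browser.navigator.language,
    flash: flash ? flash.replace(/^.*flash\s*/i, '') : 'none',
    screen: `${browser.screen.width}x${browser.screen.height}`,
    charset: browser.document.characterSet,
    plugins: browser.navigator.plugins,
  };
}

// Serialise the fingerprint as a query string, the usual shape of such beacons.
function encodeBeacon(fp) {
  return Object.entries(fp)
    .map(([k, v]) => `${k}=${encodeURIComponent(Array.isArray(v) ? v.join(';') : v)}`)
    .join('&');
}

// Mock C&C: decides from the beacon which plugins the browser should fetch.
// Module names are hypothetical labels for the plugin types named on this page.
function mockC2Respond(beacon) {
  const params = new URLSearchParams(beacon);
  const modules = ['browser_fingerprint', 'plugin_enum', 'security_tools_check'];
  if (params.get('flash') !== 'none') modules.push('flash_probe'); // assumed extra module
  modules.push('keylogger');
  return { modules };
}

// Stage 2 (browser side): turn the reply into the script URLs it would load.
function planPluginLoads(reply, c2Base) {
  return reply.modules.map((name) => `${c2Base}/${name}.js`);
}

// Defender side: a request carrying several fingerprint keys plus a WxH screen
// value is a strong hint of a recon beacon. Threshold is a tuning choice.
const BEACON_KEYS = ['lang', 'screen', 'charset', 'time', 'flash'];
function looksLikeReconBeacon(query) {
  const p = new URLSearchParams(query);
  const hits = BEACON_KEYS.filter((k) => p.has(k)).length;
  return hits >= 3 && /^\d+x\d+$/.test(p.get('screen') || '');
}

// Run the whole exchange for one constructed victim.
function runExchange(browser, c2Base) {
  const beacon = encodeBeacon(collectFingerprint(browser));
  const reply = mockC2Respond(beacon);
  return {
    beacon,
    reply,
    loads: planPluginLoads(reply, c2Base),
    flagged: looksLikeReconBeacon(beacon),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runExchange(fakeBrowser, 'https://c2.example/s'), null, 2));
}
```

Run it with `node scanbox_sim.js` to print the beacon, the mocked reply and the resulting plugin URLs. In proxy or WAF logs, the same heuristic (`looksLikeReconBeacon`) applied to outbound query strings or POST bodies surfaces first-stage beacons before any plugin is fetched, which is the point at which blocking the domain stops the rest of the chain.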
