A joint report by cybersecurity firm Proofpoint and PwC Threat Intelligence has revealed how Chinese hackers used a fake news site to target government agencies and energy-sector organisations in Australia, Malaysia and Europe.
The group, tracked under names such as APT40, Leviathan, TA423 and Red Ladon, has been using the fake Australian news site to infect visitors with ScanBox, a JavaScript-based reconnaissance and exploitation framework.
“ScanBox is a reconnaissance and exploitation framework deployed by the attacker to harvest several types of information, such as the target’s public-facing IP address, the type of web browser used and its configuration,” explained Proofpoint Vice President for Threat Research and Detection Sherrod DeGrippo.
Once the malware is deployed, it sets the stage for information gathering, exploitation and compromise, said DeGrippo.
“It creates an impression of the victim’s network that the actors then study and decide the best route to take to achieve further compromise,” she explained.
Four members of the group were indicted by the U.S. Department of Justice last year for hacking companies, universities and governments in the United States and around the world between 2011 and 2018.
The latest targets were Australian government agencies, news media companies and global heavy industry manufacturers.
The campaign involved phishing emails sent from Gmail and Outlook addresses.
Subject lines in the phishing emails included “Sick Leave,” “User Research,” and “Request Cooperation.”
The attackers often posed as an employee of the fictional media publication “Australian Morning News,” the blog explained, and provided a URL to their malicious domain, inviting targets to view the website or to share research content that the site would publish.
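The lure pattern described above (a freemail sender posing as a media outlet, the reported subject lines, and a link to the attacker's site) is the kind of thing a mail-triage rule can score. The following is an added example, not code from the Proofpoint/PwC report or from any vendor product; the sender addresses, the `.example` domains and the message bodies in it are constructed placeholders, not indicators from the report, and only the subject lines and the "Australian Morning News" name come from the article.

```python
"""Heuristic triage of inbound mail against the TA423 lure pattern:
freemail sender, campaign subject line, media-outlet impersonation,
and a link to a host unrelated to the sender.

Added example. Sample messages and domains below are constructed;
they are not indicators from the report."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "live.com"}
# Subject lines the article attributes to the campaign (matched case-insensitively).
CAMPAIGN_SUBJECTS = {"sick leave", "user research", "request cooperation"}
# Fictional publication the attackers posed as, per the article.
LURE_ORG = "australian morning news"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def assess_message(raw: str) -> dict:
    """Score one RFC 822 message. Returns reasons, external link hosts and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = (msg.get("Subject") or "").strip().lower()
    # Single-part text messages only; multipart handling is out of scope here.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{display}\n{subject}\n{body}".lower()

    reasons = []
    if sender_domain in FREEMAIL_DOMAINS:
        reasons.append(f"sender uses freemail domain {sender_domain}")
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append(f"subject matches campaign lure: {subject!r}")
    if LURE_ORG in text and sender_domain in FREEMAIL_DOMAINS:
        reasons.append("claims to be a media outlet but sends from freemail")

    # Any linked host that is not under the sender's own domain is flagged.
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    external = sorted(h for h in link_hosts if h and not h.endswith(sender_domain))
    if external:
        reasons.append("links to hosts unrelated to sender: " + ", ".join(external))

    verdict = "suspicious" if len(reasons) >= 2 else "benign"
    return {"reasons": reasons, "link_hosts": external, "verdict": verdict}


# Constructed sample mimicking the described lure (placeholder addresses/domains).
PHISH_SAMPLE = """From: Australian Morning News <editor.amn.desk@gmail.com>
To: analyst@agency.example
Subject: Request Cooperation

Hello, we would like to publish your research on our site.
Please review our publication at https://australian-morning-news.example/research
"""

# Constructed benign internal message for comparison.
BENIGN_SAMPLE = """From: HR Team <hr@agency.example>
To: analyst@agency.example
Subject: Updated leave policy

The policy is on the intranet: https://intranet.agency.example/hr/leave
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = assess_message(sample)
        print(name, result["verdict"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The freemail and subject checks on their own are weak signals (plenty of legitimate mail uses Gmail), which is why the verdict requires at least two independent reasons; in practice the link-host check would be backed by domain-age or reputation lookups rather than the simple sender-domain comparison used here.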