ClickCease Attackers use Watering Hole Attacks to Install ScanBox Keylogger - TuxCare

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Attackers use Watering Hole Attacks to Install ScanBox Keylogger

Obanla Opeyemi

September 21, 2022 - TuxCare expert team

A China-based threat actor dubbed APT TA423 is carrying out waterhole attacks on domestic Australian organizations and offshore energy companies in the South China Sea to distribute the ScanBox reconnaissance tool to victims.

Waterhole Attack is a cyberattack on a specific organization in which malware is installed on a website that is regularly visited by members of the organization to infect computers used within the organization itself.

In order to successfully carry out their malicious activities, the attackers use the ScanBox framework. ScanBox is a customizable and multifunctional Javascript-based framework that is used by adversaries to carry out and convert reconnaissance operations.

ScanBox keylogger data from “waterholes” are part of a multi-level attack that gives attackers knowledge of potential targets that will help them launch future attacks against organizations.

To execute an attack, the attackers upload the malicious JavaScript to a compromised website where the ScanBox acts as a keylogger, snapping all user-entered activity on the infected website.

TA423 launches its attacks with phishing emails pretending to be from an employee of the “Australian Morning News,” a fictitious organization.

Targets are then advised to visit their “humble news website.” australianmorningnews[.]com. As soon as the target clicks on the link, they are redirected to a website whose contents are copied from actual news websites, and the malware framework is leaked to them.

The primary initial script of a ScanBox keylogger provides a list of information about the target computer, including the operating system, language, and installed version of Adobe Flash. ScanBox also performs an audit for browser extensions, plugins, and components such as WebRTC.

The sources for this piece include an article in ThreatPost.

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023

Bitdefender releases decryptor for MegaCortex...

Bitdefender experts have created a universal decryptor for victims of...

January 20, 2023