Attackers use Watering Hole Attacks to Install ScanBox Keylogger
A China-based threat actor dubbed APT TA423 is carrying out waterhole attacks on domestic Australian organizations and offshore energy companies in the South China Sea to distribute the ScanBox reconnaissance tool to victims.
Waterhole Attack is a cyberattack on a specific organization in which malware is installed on a website that is regularly visited by members of the organization to infect computers used within the organization itself.
ScanBox keylogger data from “waterholes” are part of a multi-level attack that gives attackers knowledge of potential targets that will help them launch future attacks against organizations.
TA423 launches its attacks with phishing emails pretending to be from an employee of the “Australian Morning News,” a fictitious organization.
Targets are then advised to visit their “humble news website.” australianmorningnews[.]com. As soon as the target clicks on the link, they are redirected to a website whose contents are copied from actual news websites, and the malware framework is leaked to them.
The primary initial script of a ScanBox keylogger provides a list of information about the target computer, including the operating system, language, and installed version of Adobe Flash. ScanBox also performs an audit for browser extensions, plugins, and components such as WebRTC.
The sources for this piece include an article in ThreatPost.