Drawing on its own research and on information provided by the PricewaterhouseCoopers (PwC) Threat Intelligence team, Proofpoint shed light on this widespread phishing campaign. Red Ladon's attack reportedly begins with a phishing email containing a URL to a malicious website disguised as a news site. When a victim visits the site, the ScanBox malware is delivered to their device. ScanBox is a JavaScript-based reconnaissance and exploitation tool.
International Cyber Espionage Campaign
Red Ladon's politically motivated attacks are usually aimed at organizations that operate in the South China Sea region. In this case, however, Proofpoint found the group targeting victims in Thailand, Malaysia, and Singapore, and as far afield as Germany and the US. The victims of the phishing campaign, which ran between April and June this year, include government officials and agencies, banks, media companies, public healthcare organizations, military research institutions, and organizations in the energy sector.

To illustrate the modus operandi of Red Ladon's phishing campaign, Proofpoint highlighted the group's attacks on Malaysia's Kasawari Gas and Taiwan's Yunlin Offshore Windfarm. Red Ladon's victims receive emails from attackers posing as reporters from a fabricated media outlet named Australian Morning News. Proofpoint researchers found that the domain used in the cyber espionage campaign, australianmorningnews[dot]com, was registered on April 8.

The phishing emails carried subject lines such as "User Research" and "Request Cooperation" and were laced with a tracking code that let the attackers identify which of their targets visited the malicious news site. To appear legitimate, the attackers used English names such as "Blair Goodland," "Manalo," and "Bethel Giffen" in their emails, with a different fake name in each one. Some of the emails discussed cooperation requests and editorial positions.

Upon clicking the URL in the email, victims were led to a fake news site populated with stories copied from BBC News and other outlets. While victims browsed the site, their devices were surreptitiously infected with the ScanBox malware, which has keylogging and browser fingerprinting capabilities.
About Red Ladon
Red Ladon, also known as TA423, has long been on the radar of intelligence agencies and cybersecurity companies. The group was implicated in a wave of cyberattacks on Australian state and private organizations in 2020, and this is not the first time it has spoofed media outlets to snare unsuspecting victims. Proofpoint suspects the group is identified by other names in some indictments. "Activity which overlaps with this threat actor has been publicly referred to in governmental indictments as 'APT40' and 'Leviathan,'" Proofpoint researchers wrote. Red Ladon has been active since 2013 and is believed to have ties to China's Ministry of State Security (MSS). The group was one of the many threat actors charged by the US Justice Department in 2021. To avoid falling victim to a cyber espionage scheme like this one, learn all about phishing in our detailed guide to phishing.