What Does ScanBox Malware Do To Your Computer?
Security researchers with Proofpoint published their findings on a long-running espionage campaign conducted by a Chinese threat actor. The group used a malicious tool called ScanBox.
The threat actor behind the ScanBox campaign targeted entities in Asia, Europe and Australia; the victims include government entities, media outlets and industrial enterprises. Researchers believe that the attack was conducted by the threat actor known under the aliases APT40 and Leviathan.
The ScanBox malware was distributed using malicious emails posing as sick leave notices or requests for cooperation. The attackers owned and operated the domain used in the attacks, which belonged to a fake media company called "Australian Morning News". The emails would sometimes contain a link to the attacker-controlled website under the pretense that the victims could share content for publication.
ScanBox is written in JavaScript and can deliver further malicious payloads. The malware also loads plugins inside the victim's browser that allow for keystroke logging, communication with other compromised systems, and checking for installed antivirus software.
Later attacks using ScanBox relied on malicious Office documents that would trigger a multi-stage infection chain, ultimately delivering the ScanBox payload.