According to an article on PCWorld.com, financial and business information has been stolen from multiple shipping and logistics firms using complex malware embedded in handheld scanners shipped to supply-chain handlers.
The scanners are normally used to track parcels and shipments, but these units had malicious code inserted both into the scanner software and into the Windows XP Embedded firmware image that was offered for download from the Chinese manufacturer's website.
The malware's goal was to use the SMB and Radmin protocols to look for servers on the same network, so the scanners acted as a "Trojan horse": once inside the organization, their "job" was to locate servers running ERP software with the word "finance" in their hostnames and then attempt to exploit them. Once a server was compromised, a second-stage payload was installed, which allowed the servers to be controlled from Lanxiang Vocational School in China's Shandong province, from where third-level and more advanced control mechanisms are deployed.
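The behaviour described above (a device that should only talk to a tracking application suddenly probing many internal hosts over SMB and Radmin, with particular interest in finance-named servers) is something a defender can look for in internal flow or firewall logs. The following is an added example, not code from the article or from the vendor or research firm it cites: it parses a few constructed connection-log lines, uses an assumed asset-inventory role ("scanner") and an assumed hostname map, and flags scanner-class devices that reach out to several hosts on TCP 445 (SMB) or TCP 4899 (Radmin's default port), as well as any scanner that touches a host whose name contains "finance".

```python
"""Detection sketch for scanner devices probing the LAN over SMB/Radmin.

Added example, not from the article. Log format, device roles and hostnames
are assumptions; ports 445 (SMB) and 4899 (Radmin default) are standard values.
"""
from collections import defaultdict

SMB_PORT = 445
RADMIN_PORT = 4899
WATCHED_PORTS = {SMB_PORT, RADMIN_PORT}

# Constructed sample log: "<timestamp> <src_ip> <src_role> <dst_ip> <dst_port>"
# src_role is assumed to come from an asset inventory (scanner, workstation, ...).
SAMPLE_LOG = """\
2014-07-10T08:00:01 10.1.5.21 scanner 10.1.20.4 445
2014-07-10T08:00:02 10.1.5.21 scanner 10.1.20.5 445
2014-07-10T08:00:03 10.1.5.21 scanner 10.1.20.6 4899
2014-07-10T08:00:04 10.1.5.21 scanner 10.1.20.7 445
2014-07-10T08:00:05 10.1.5.22 scanner 10.1.20.50 8080
2014-07-10T08:00:06 10.1.7.9 workstation 10.1.20.4 445
2014-07-10T08:00:07 10.1.5.23 scanner 10.1.20.6 4899
"""

# Constructed hostname map (assumed to come from DNS or the CMDB).
HOST_NAMES = {
    "10.1.20.4": "fileserver01",
    "10.1.20.5": "print01",
    "10.1.20.6": "erp-finance-db",
    "10.1.20.7": "erp-app01",
    "10.1.20.50": "tracking-web",
}


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, role, dst, port = line.split()
        events.append({"ts": ts, "src": src, "role": role,
                       "dst": dst, "port": int(port)})
    return events


def find_scanning_scanners(events, min_targets=3, roles=("scanner",)):
    """Return {src_ip: sorted target IPs} for devices of the given roles that
    contacted at least min_targets distinct hosts on SMB/Radmin ports.
    A parcel scanner has no legitimate reason to speak SMB or Radmin to many
    servers, so a low threshold is reasonable for this device class."""
    targets = defaultdict(set)
    for ev in events:
        if ev["role"] in roles and ev["port"] in WATCHED_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def find_finance_touches(events, names=HOST_NAMES, roles=("scanner",)):
    """Return sorted (src_ip, hostname) pairs where a scanner-class device
    reached a host whose name contains 'finance' over SMB/Radmin. Even a
    single such connection is worth an alert, regardless of volume."""
    hits = set()
    for ev in events:
        host = names.get(ev["dst"], "")
        if (ev["role"] in roles and ev["port"] in WATCHED_PORTS
                and "finance" in host.lower()):
            hits.add((ev["src"], host))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dsts in find_scanning_scanners(evs).items():
        print(f"ALERT scanner {src} probed {len(dsts)} hosts over SMB/Radmin: {', '.join(dsts)}")
    for src, host in find_finance_touches(evs):
        print(f"ALERT scanner {src} connected to finance server {host}")
```

In a real deployment the role lookup would come from the asset inventory or DHCP fingerprinting, and the same two checks can be expressed as a SIEM rule: scanner-class sources should never initiate SMB or Radmin sessions at all, so the volume threshold mainly guards against a single noisy misconfiguration.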
This is not the first time that Lanxiang Vocational School has been linked to cyber-espionage attacks: the school was previously implicated in attacks against Google and other companies as part of the cyber-espionage campaign known as Operation Aurora.
Since detection, this threat, known as "TrapX", has been found active at seven victims in the shipping and logistics industry, and it is not known whether the Chinese manufacturer of the scanners is complicit in spreading the malware or is itself an unwitting victim.