From TrustWave: Attacker Tracking Users Seeking Pakistani Passport

TrustWave reports:

A couple of days ago we encountered a breach on a Pakistani government site which was compromised to deliver a dangerous payload- the Scanbox Framework. This compromise is exactly the kind of attack we were concerned about when discussing the danger in a previous compromise that we uncovered just a few weeks ago against another government site, at that time the Bangladesh Embassy in Cairo.

The compromised Pakistani domain,[.]pk, is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application. Visitors to the site load the Scanbox javascript code from a remote location. This code collects information about the visitor’s machine as well as log any keystrokes the visitor makes while using the site, for example when logging into the tracking system.

In this version that we observed, Scanbox also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools.

Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. It was used in a watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to later on tailor sophisticated targeted attacks for interesting visitors.

Scanbox was widely used during the years 2014-2015, its activity during these years has been well-covered in a paper written by PwC. It was then seen again in  2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse. With every appearance it seems to have evolved in terms of the kinds of information it gathers.

Our earliest detection for Scanbox was on March 2nd, 2019 and though we can’t say for sure how long before that Scanbox has been gathering information, we know with certainty that on that day alone Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.

On March 7th, a day following the start of our deeper investigation, the Scanbox server mysteriously stopped responding, but a VT scan from the time when it was still active shows low detection rates for this server as well:

We contacted the site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised. As mentioned above, the Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will.

These recent cases raise concerns regarding the security of government sites, especially ones where services provided online may involve access to sensitive information. From the perspective of an APT, a tool like Scanbox would only be the beginning of a potentially more elaborate attack.

Trustwave SWG customers are, and have been, protected against the Scanbox Framework since 2014 when it first appeared.