Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Attacker Tracking Users Seeking Pakistani Passport

A few days ago we encountered a breach on a Pakistani government site which was compromised to deliver a dangerous payload- the Scanbox Framework. This compromise is exactly the kind of attack we were concerned about when discussing the danger in a previous compromise that we uncovered just a few weeks ago against another government site, at that time the Bangladesh Embassy in Cairo.

The compromised Pakistani domain, tracking.dgip.gov[.]pk, is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application. Visitors to the site load the Scanbox javascript code from a remote location. This code collects information about the visitor’s machine as well as log any keystrokes the visitor makes while using the site, for example when logging into the tracking system.

In this version that we observed, Scanbox also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools.

Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse.

Scanbox was used in a variety of watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to, later on, tailor sophisticated targeted attacks for interesting visitors. With every appearance, it seems to have evolved in terms of the kinds of information it gathers.

Despite the severity of this infection, scans show an alarming lack of detection for this compromised site by security products:

VT-tracking

Figure 1: VirusTotal scan results for the compromised URL

Zscaler-tracking

Figure 2: zscaler scan results for the compromised URL

Symantec-tracking

Figure 3: Symantec scan results for the compromised URL

Our earliest detection of Scanbox on this Pakistani government site was on March 2nd, 2019 and though we can’t say for sure how long before that Scanbox has been gathering information, we know with certainty that on that day alone Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.

VictimsByCountry-All

Figure 4: Geo-location distribution of known victims

Shortly after we began our deeper investigation the Scanbox server mysteriously stopped responding, but a VT scan from the time when it was still active shows low detection rates for this server as well:

VT-Scanbox

Figure 5: VirusTotal scan results for the Scanbox server

We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised. As mentioned above, the Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will.

These recent cases raise concerns regarding the security of government sites, especially ones where services provided online may involve access to sensitive information. From the perspective of an APT, a tool like Scanbox would only be the beginning of a potentially more elaborate attack.

Trustwave SWG customers are and have been, protected against the Scanbox Framework since 2014 when it first appeared.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo