ScanBox Framework 2023
In this article we will learn about ScanBox Framework.
Introduction to the ScanBox Framework:
ScanBox is a framework in the form of a JavaScript file. ScanBox’s function is to collect information about the visitor’s system without infecting the system. This information includes things like the last page the user was on before visiting the compromised site, the system’s operating system and language settings, screen width and height, the web browsers used by the victim, geographic location, security software in use, and installed programs such as Java, Acrobat Reader, MS Office and Adobe Flash.
ScanBox can also record the keystrokes a victim makes on a website under the attacker’s control, which may include passwords and other sensitive user information. All this information is then sent to a remote C&C server controlled by the attackers.
The purpose of ScanBox is to gather information that will later be exploited to compromise specific targets. The ScanBox framework has been deployed on several websites belonging to different companies and organizations in different countries.
The attackers managed to compromise the website and include code that loaded a malicious JavaScript file from a remote server.
ScanBox is particularly dangerous because it does not require malware to be written to disk in order to steal information. Instead, the keylogging feature does the same job by simply requiring the web browser to run the JavaScript code.
The framework also facilitates surveillance and allows attackers to exploit vulnerabilities in visitor systems by pushing and running malware.
ScanBox is designed as a modular and reusable exploit kit based on JavaScript.
It allows a small number of sophisticated attackers to first compromise a website using basic techniques such as SQL injection or WordPress bugs, and then set up a watering hole attack to infect hundreds to thousands of victims who visit that website.
Some of the recent attacks that have used ScanBox are as follows:
Table 1: List of attacks

| Month Identified | Country | Sector/Type | ScanBox domain |
|---|---|---|---|
| August 2014 | JP | Industrial sector | js.webmailgoogle.com |
| September 2014 | CN | Uyghur | code.googlecaches.com |
| October 2014 | US | Think tank | news.foundationssl.com |
| October 2014 | KR | Hospitality | qoog1e.com |
Analysis of the script used in these attacks revealed that the underlying code is essentially the same and differs only in implementation details. This shows that various attackers are using ScanBox as a tool for their attacks. In each case, the framework was modified according to the victims’ browsers and other factors.
The researchers say the changes may be the result of upgrades within the framework.
The common code base in all attacks leads to the conclusion that all attackers share some resources when using this framework.
Working
Step 1:
The first step of the ScanBox framework is the configuration of the C&C server. This server collects and stores the information obtained from the compromised website.

Step 2:
The collected information is encrypted before it is sent to the C&C server.
Figure 2: Function for data encryption
Step 3:
After the encryption process completes, the following request is sent:

Figure 3: Request produced after encryption
Step 4:
The encrypted data finally reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key for starting the attack.

Figure 4: Decrypted data

Figure 5: Working of ScanBox framework
Plugins
In between these steps, several plugins are loaded to extract the required information. They are added selectively to avoid any suspicious notification on page load.
Some of the plugins used during the process:
- Pluginid 1: Lists the software installed on the system and checks whether different versions of the Enhanced Mitigation Experience Toolkit (EMET) are running.
- Pluginid 2: Specifies the version of Adobe Flash
- Pluginid 5: Specifies the version of Microsoft Office
- Pluginid 6: Enumeration of Adobe Reader versions
- Pluginid 8: Lists Java versions
- Pluginid 21: Places a keylogger on the compromised website. It records all the keystrokes a person makes on the site; the logs may contain account passwords and other details. Recorded logs are sent to the attacker’s command and control server, and this information is later used to launch an attack against that specific user.

ScanBox’s keylogger feature helps an attacker collect data without loading malware from disk. Therefore, no malware removal tool will be able to find it.

The plugins loaded differ from browser to browser. The attacker should be well aware of the version and type of browser the victim is using; plugins are then loaded as required so that the desired result can be achieved.
Below is a list of plugins loaded for each browser at code.googlecaches.com.
Table 2: Plugins loaded per browser on code.googlecaches.com

| Plugin ID | Description | Internet Explorer | Chrome | Firefox | Safari |
|---|---|---|---|---|---|
| 1 | Software reconnaissance | Y | N | N | N |
| 2 | Browser plugin | N | Y | Y | Y |
| 3 | Flash recon | Y | Y | Y | Y |
| 4 | SharePoint recon | Y | N | N | N |
| 5 | Adobe PDF reader recon | Y | N | N | N |
| 6 | Chrome security plugins recon | N | N | Y | N |
| 7 | Java recon | Y | Y | Y | Y |
| 8 | Internal IP recon | N | Y | N | N |
| 9 | JavaScript keylogger | Y | Y | Y | Y |
Google Chrome has been found to be less vulnerable to such attacks than the other browsers on the list because of its security update every 15 days, which makes an attack a bit more difficult to carry out. The Aviator web browser from WhiteHat Security also provides strong privacy and security settings by default.
Watering hole attack
This is a type of attack primarily aimed at businesses and organizations. Watering hole attacks can be driven by the ScanBox framework. The attacker tracks the websites the victim visits frequently and infects them with malware.
These types of attacks are difficult to detect. Once the target victim accesses the infected website, the malware finds its way into the victim’s network or system.
The malware delivered can be a Remote Access Trojan (RAT), which gives the attacker access to sensitive and personal information. The main goal of a watering hole attack is not to serve as much malware as possible, but to exploit the sites the targeted victim visits frequently.

A watering hole attack can be carried out using the ScanBox framework. In this method the JavaScript does the work, so the attacker does not need to use malware at all. This kind of ScanBox attack is much more effective than one using malware and cannot be detected by any malware removal tool. A list of watering hole attacks that used ScanBox is given in Table 1.
Measures
Regular Software Update: Timely software upgrade reduces vulnerability to such attacks.
Vulnerability Shield: Helps scan for suspicious traffic and any deviations from commonly used protocols.
Network Traffic Detection: Although attackers find different ways to access information, the traffic generated by the final malware when communicating with the C&C server remains consistent. Identifying these paths helps contain the effects of such attacks.
Threat Intelligence: Subscriptions to leading threat intelligence providers help you track the command and control servers the malware connects to. These C&C servers can be fed into proxy or perimeter devices to check whether successful communication has been established.
Least Privilege: The principle of least privilege must be applied to all users who log on to the computer. Administrator rights must be limited to certain users only.
Next-generation firewall: Using a next-generation firewall makes this type of attack easier to detect because such firewalls have a built-in sandbox.
SIEM: By using a SIEM solution, security administrators will be able to monitor all traffic by capturing logs. It will provide a holistic view of what is happening on your network with a few clicks on a single dashboard.
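As an added example (not part of the original article) that combines the Network Traffic Detection and Threat Intelligence measures: the script below checks proxy log lines against the ScanBox C&C domains listed in Table 1 and reports which internal clients completed a request to one of them. The log format, client IPs and URLs are constructed for the example and are assumptions.

```python
import re
from collections import defaultdict

# ScanBox C&C domains taken from Table 1 of this article.
SCANBOX_DOMAINS = {
    "js.webmailgoogle.com",
    "code.googlecaches.com",
    "news.foundationssl.com",
    "qoog1e.com",
}

# Constructed proxy log lines (assumed format: timestamp client status method url).
SAMPLE_LOG = """\
1413400001.123 10.0.0.15 200 GET http://code.googlecaches.com/js/jquery.min.js
1413400002.456 10.0.0.15 200 POST http://code.googlecaches.com/report.php
1413400003.789 10.0.0.22 200 GET http://www.example.org/index.html
1413400004.001 10.0.0.31 403 GET http://qoog1e.com/cdn/x.js
1413400005.222 10.0.0.40 200 GET https://news.foundationssl.com/api/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)

def host_of(url):
    """Extract the lower-cased host part of an http(s) URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def is_scanbox_host(host):
    """True for an exact C&C domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SCANBOX_DOMAINS)

def find_scanbox_contacts(log_text):
    """Return {client_ip: [(status, url), ...]} for requests to C&C domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_scanbox_host(host_of(m["url"])):
            hits[m["client"]].append((int(m["status"]), m["url"]))
    return dict(hits)

def successful_contacts(log_text):
    """Clients with at least one 2xx response from a C&C domain: likely victims."""
    return sorted(
        client for client, reqs in find_scanbox_contacts(log_text).items()
        if any(200 <= status < 300 for status, _ in reqs)
    )

if __name__ == "__main__":
    print("clients that reached a ScanBox C&C:", successful_contacts(SAMPLE_LOG))
```

A blocked request (such as the 403 in the sample) is still worth investigating, since it shows a client loaded a page that tried to pull ScanBox code.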
Conclusion
From the detailed analysis of the ScanBox framework, we can say that it can be very dangerous if users are not careful. Thorough computer and network monitoring and analysis should contain such attacks to some extent.