ScanBox, reported by AlienVault Labs in August, is primarily a reconnaissance tool that, in addition to the keylogger, enumerates software installed on the system, including security software, Adobe Flash and Reader versions, Office version and Java versions. All of this system information is encrypted and sent via a backdoor connection to a command and control server.
“This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them,” wrote AlienVault Labs director Jaime Blasco.
PwC, meanwhile, took the ball and ran with it, identifying a number of other attacks in which ScanBox has been deployed. All of the attacks relied on a watering hole to spread ScanBox. The targets, however, went beyond the industrial target uncovered by AlienVault in August. One month later, the code was used in China in attacks targeting Uyghur activists via a compromise of code[.]googlecaches[.]com, and again in two other attacks in October: the first against a U.S. government think tank via a compromise of news[.]foundationssl[.]com, and the second against a hospitality site in South Korea, qoog1e[.]com.
“This variation was our first clue that more than one actor may be using the framework (although on its own this would not be enough – some actors do target a wide range of organisations, some also focus on specific geographies or sectors),” Doman and Lancaster wrote.
The PwC researchers said they noticed implementation differences in the same codebase, alerting them that different actors may be using the same code. There were differences in how the malicious code was delivered on two of the sites versus the other two. In two attacks, for example, the malware was delivered as a single block of code, while in the other two, it was delivered via plug-ins.
Analysis of the attackers’ respective infrastructure gave other clues that multiple groups had taken a liking to ScanBox. None of the four attacks used the same nameserver or malware families, while the only visible overlap is that two attacks used GoDaddy as a domain registrar.
“We have been unable to identify any direct overlaps between the clusters, i.e. shared domains or IP addresses, neither have we been able to determine any softer linkages beyond the reuse of the GoDaddy registrar,” the PwC report said.
As in other attacks, some threat actors share resources from centralized state-sponsored or criminal development teams, or exploit kits are outright stolen from public watering holes by other attack groups, PwC said. Alternatively, the same group could be behind all four attacks, targeting widely and adapting the code for different targets, Doman and Lancaster said.
“In our view, the hypothesis with the highest probability is that groups of attackers share resources leading to overlaps – this appears to be an ever more common feature – with malware families, builders, and even sometimes hosting infrastructure being shared between disparate actors with a common goal,” Doman and Lancaster said. “Sharing frameworks like ScanBox or other exploit kits allows less sophisticated actors (who were themselves unable to develop a tool like ScanBox) to conduct better attacks.”