ScanBox Framework

February 27, 2015 by Ryan Mazerik

ScanBox is a framework in the form of a JavaScript file. The function of ScanBox is to collect information about the visitor’s system without infecting the system. And this information includes things like the last page the user was on before visiting the compromised website, the OS of the system and the language settings of the system, the screen width and height, the web browsers used by the victim, the geographical location, security softwares used and programs like Java, Acrobat Reader, MS Office and Adobe Flash versions used.

ScanBox also can log the keystrokes the victim is typing inside the website under the control of the attacker, which could include the passwords and other sensitive information of the users. And all this information is then sent to a remote C&C server controlled by the attackers. ScanBox’s goal is to collect information that will later be misused to compromise specific targets. The ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries. Attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server.

ScanBox is particularly dangerous, as it doesn’t require malware to be successfully deployed to disk in order to steal information. Instead the key logging functionality would do the same work by simply requiring the JavaScript code to be executed by the web browser. The framework also facilitates surveillance, enabling attackers to exploit vulnerabilities in visitors’ systems by pushing & executing malware.

ScanBox is designed to be a modular and reusable JavaScript based exploit kit. It allows a lesser number of sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs and set up a waterhole attack to infect hundreds to thousands of victims who visit that website.

Some of the recent attacks which used ScanBox are the following:

Table 1: List Of Attacks

Month Identified



Scan Box domain

August 2014


Industrial sector


September 2014




October 2014


Think tank


October 2014




By analyzing the script used in these attacks, it has been found that the base codes are pretty much the same and they differ in implementation. This shows that different attackers are using ScanBox as a tool for their attack. The framework was altered according to the victims’ browsers and other factors in every case. Researchers say that the changes may be the result of the upgrades in the framework. The common codebase in all the attacks leads to a conclusion that all the attackers share some resources in using this framework.


Step 1:

The basic step of the ScanBox framework is to configure the C&C server. This server helps to collect and store the information obtained from the compromised website.

Figure 1: ScanBox framework for collecting data

Step 2:

The collected information is first encrypted before sending it to the C&C server to ensure security.


Figure 2: Function for data encryption

Step 3:

After completion of the encryption process the following request is passed:

Figure 3: Request produced after encryption

Step 4:

The encrypted data finally reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key for starting the attack.

Figure 4: Decrypted data

Figure 5: Working of ScanBox framework


Several plugins are loaded accordingly in between to extract the required information. These are selectively added to avoid any kind of suspicious alerts when the page loads.

The following are some plugins used during the process:

  • Pluginid 1: List the software installed in the system and also to check if the system is running any different versions of EMET (Enhanced Mitigation Experience Toolkit).

Figure 6: Pluginid 1 code

  • Pluginid 2: Determines Adobe Flash versions
  • Pluginid 5: Determines Microsoft Office versions
  • Pluginid 6: Enumerates Adobe Reader versions
  • Pluginid 8: Lists Java versions
  • Pluginid 21: Plants a keylogger inside the compromised website. It records all the keystrokes the person is typing in the website. The logs may include account password and other details. The recorded logs are sent to the corresponding command and control center. This information is later used to launch an attack against the particular user.

The keylogger feature of ScanBox helps the attacker to collect the data without loading a malware from the disc. Therefore any malware removal tool won’t be able to find this.

Figure 7: Keylogger plugin code

The plugins required to load a page on different browsers are different. An attacker should be well aware of the version and type of browser used by the victim. According to the requirement, the plugins are loaded so that the desired result could be obtained. The following is the list of plugins loaded per browser on code.googlecaches.com.

Table 2: Plugins loaded per browser on code.googlecaches.com

Plugin ID


Internet Explorer





Software reconnaissance






Browser plugin






Flash recon






SharePoint recon






Adobe PDF reader recon






Chrome security plugins recon






Java recon






Internal IP recon






JavaScript keylogger





It has been found that Google Chrome is less vulnerable to such attacks than others on the list due to their security update between the interval of 15 days, which makes it a bit difficult to carry out the attack. Also the Aviator Web browser set up by WhiteHat Security provides impressive privacy and security settings by default.

Watering Hole Attack

This is a type of attack is mainly targeted on businesses and organizations. Waterholing attacks drive the ScanBox framework. The attacker keeps an eye on the websites the victim visits frequently and infects the websites with a malware. These type of attacks are hard to detect. Once the targeted victim enters the infected website, the malware finds a way into the victim’s network or system. The dropped malware may be in the form of a Remote Access Trojan (RAT), which allows the attacker to access delicate and personal information. The main goal of the watering hole attack is not to serve maximum malware to the system, but to exploit the websites frequently visited by the targeted victim.

Figure 8: Watering hole working

A watering hole attack could be carried out with the help of ScanBox framework. In this method the JavaScript does its job and saves the attacker from using a malware. This type of attack using ScanBox has much more efficiency than using a malware and could not be detected by any malware removal tool. You can see the list of watering hole attacks which used ScanBox in Table 1.


  • Regular Software Updating: Timely upgrade on the software reduces the vulnerability of such attacks.
  • Vulnerability Shielding: It helps to scan suspicious traffic and any deviation from the normal protocols used.
  • Network Traffic Detection: Even though hackers find different ways to access the information, the traffic generated by the final malware in communicating with the C&C server remains consistent. Identifying these paths helps to take control of the effect of such attacks.
  • Threat Intelligence: A subscription of prominent threat intelligence providers will help you to track down all the command and control servers that it connects to. These C&C servers can be fed to proxy or perimeter devices to see any successful communication has been established or not.
  • Least privilege: The concept of least privilege has to be implemented on all users who log on to the machine. Admin privilege has to be limited to certain users only.
  • Next generation firewall: Use of a next generation firewall can detect such type of attacks easier, as they have an inbuilt sandbox.
  • SIEM: By using a SIEM solution, security administrators will be able to monitor all the traffic by capturing the logs. It will give a holistic view of what is happening on your network with a few clicks on a single dashboard.


By the detailed analysis of ScanBox framework, we can say that it could be very dangerous if the user is not cautious. Thorough monitoring and analysis of computer and network should keep such attacks bolted to an extent.


Posted: February 27, 2015
Ryan Mazerik
View Profile

Ryan has over 10yrs of experience in information security specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants of these offerings to expand security delivery capabilities.He has strong passion in researching security vulnerabilities and taking sessions on information security concepts.