Some of the recent attacks that used ScanBox are the following:
Table 1: List of attacks, by ScanBox domain
Analysis of the scripts used in these attacks shows that the base code is largely the same and differs only in implementation details. This indicates that different attackers are using ScanBox as a tool for their attacks. In every case the framework was tailored to the victims' browsers and other factors; researchers suggest these changes may be the result of upgrades to the framework. The common codebase across all the attacks leads to the conclusion that the attackers share some resources in using it.
The first step in deploying the ScanBox framework is to configure the C&C server. This server collects and stores the information obtained through the compromised website.
Figure 1: ScanBox framework for collecting data
The collected information is encrypted before it is sent to the C&C server, so that it is protected in transit.
Figure 2: Function for data encryption
After the encryption step, the following request is sent:
Figure 3: Request produced after encryption
The encrypted data reaches the C&C server and is decrypted to recover the original data. This information is the key to starting the attack.
Figure 4: Decrypted data
Figure 5: Working of ScanBox framework
Several plugins are loaded along the way to extract the required information. They are added selectively so that the page load does not trigger any suspicious alerts.
The following are some plugins used during the process:
- Pluginid 1: Lists the software installed on the system and checks whether the system is running any version of EMET (Enhanced Mitigation Experience Toolkit).
Figure 6: Pluginid 1 code
- Pluginid 2: Determines Adobe Flash versions
- Pluginid 5: Determines Microsoft Office versions
- Pluginid 6: Enumerates Adobe Reader versions
- Pluginid 8: Lists Java versions
- Pluginid 21: Plants a keylogger in the compromised website. It records every keystroke the visitor types on the website; the logs may include account passwords and other details. The recorded logs are sent to the corresponding command and control server and are later used to launch an attack against that particular user.
The keylogger feature of ScanBox lets the attacker collect this data without loading any malware from disk, so a malware removal tool will not find it.
Figure 7: Keylogger plugin code
The plugins required to load a page differ from browser to browser, so an attacker has to know the type and version of browser the victim uses. The plugins are loaded according to that requirement so that the desired result is obtained. The following is the list of plugins loaded per browser on code.googlecaches.com.
Table 2: Plugins loaded per browser on code.googlecaches.com (including Adobe PDF Reader recon, Chrome security plugins recon and internal IP recon)
Google Chrome has been found to be less vulnerable to such attacks than the other browsers on the list because it receives security updates at roughly 15-day intervals, which makes the attack somewhat harder to carry out. The Aviator web browser from WhiteHat Security also provides strong privacy and security settings by default.
Watering Hole Attack
This type of attack mainly targets businesses and organizations, and watering hole attacks are what drive the ScanBox framework. The attacker watches which websites the victim visits frequently and infects those websites with malware. Such attacks are hard to detect. Once the targeted victim visits the infected website, the malware finds a way into the victim's network or system. The dropped malware may be a Remote Access Trojan (RAT), which gives the attacker access to sensitive and personal information. The main goal of a watering hole attack is not to serve the maximum amount of malware to the system, but to exploit the websites the targeted victim visits frequently.
Figure 8: Watering hole working
- Regular software updating: Timely software upgrades reduce exposure to such attacks.
- Vulnerability shielding: Scans for suspicious traffic and for any deviation from the protocols normally used.
- Network traffic detection: Even though attackers find different ways to reach the information, the traffic the final malware generates when communicating with the C&C server remains consistent. Identifying these paths helps to contain the effect of such attacks.
- Threat intelligence: A subscription to prominent threat intelligence providers will help you track down the command and control servers the malware connects to. These C&C servers can be fed to proxy or perimeter devices to see whether any successful communication has been established.
- Least privilege: The principle of least privilege has to be applied to all users who log on to the machine; admin privileges have to be limited to certain users only.
- Next-generation firewall: A next-generation firewall can detect such attacks more easily, as it has an inbuilt sandbox.
- SIEM: With a SIEM solution, security administrators can monitor all traffic by capturing the logs. It gives a holistic view of what is happening on the network with a few clicks on a single dashboard.
The detailed analysis of the ScanBox framework shows that it can be very dangerous if users are not cautious. Thorough monitoring and analysis of computers and the network should keep such attacks in check to an extent.