Malicious actors who breached a Pakistani government site and delivered the ScanBox Framework payload have been tracking users who visit the site to check the status of their passport applications, according to research from Trustwave.
Since attackers compromised the site, visitors to the subdomain (tracking.dgip.gov[.]pk) of the Pakistani government website's Directorate General of Immigration & Passport load the ScanBox Framework, a JavaScript reconnaissance tool linked to many advanced persistent threat (APT) groups that not only collects critical information about visitors’ machines but also captures keystrokes, SpiderLabs researchers wrote in today's blog post.
Historically, ScanBox Framework has been popular with more serious APTs, and this instance could signal the beginning of a potentially more elaborate attack, according to researchers.
“In this version that we observed, Scanbox also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools,” researchers wrote.
Researchers detected ScanBox on the compromised site in early March 2019 and noted that in a single day the tool was able to collect information from at least 70 unique site visitors. In roughly a third of those cases, attackers were able to record credentials.
“We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised. As mentioned above, the Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers wrote.