Attackers compromised Pakistani government website to deliver Scanbox Framework payload

• Researchers detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.
• Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

What is the issue - Researchers from Trustwave detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.

Worth noting - The compromised Pakistani government website (tracking.dgip.gov[.]pk) is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application.

The big picture

• Once the Scanbox framework is on the visitor’s system, it collects system information and keystroke logs.
• Scanbox also attempts to detect whether the visitor has installed any of the 77 endpoint products such as security tools, decompression, and virtualization tools.

“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse,” Trustwave researchers said in a blog.

Why it matters - due to the lack of detection for the compromised website by security products

• Most of the Antivirus and security products failed to detect this compromised domain, however, Trustwave detected the compromised site on March 2, 2019.
• On that day alone, Scanbox managed to gather information including credentials on at least 70 unique visitors.
• The impacted visitors were primarily from Pakistan (80%), while other visitors were located in Saudi Arabia, the United States, China, Qatar, Germany, UK, South Korea, Netherlands, and India.
• Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

The bottom line - The Scanbox server currently appears inactive, however, the infection indicated that it has some level of access to the compromised website.

“The Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers said.