Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Attacker Tracking Users Seeking Pakistani Passport

A few days ago we encountered a breach on a Pakistani government site which was compromised to deliver a dangerous payload- the Scanbox Framework. This compromise is exactly the kind of attack we were concerned about when discussing the danger in a previous compromise that we uncovered just a few weeks ago against another government site, at that time the Bangladesh Embassy in Cairo.

The compromised Pakistani domain,[.]pk, is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application. Visitors to the site load the Scanbox javascript code from a remote location. This code collects information about the visitor’s machine as well as log any keystrokes the visitor makes while using the site, for example when logging into the tracking system.

In this version that we observed, Scanbox also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools.

Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse.

Scanbox was used in a variety of watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to, later on, tailor sophisticated targeted attacks for interesting visitors. With every appearance, it seems to have evolved in terms of the kinds of information it gathers.

Despite the severity of this infection, scans show an alarming lack of detection for this compromised site by security products:


Figure 1: VirusTotal scan results for the compromised URL


Figure 2: zscaler scan results for the compromised URL


Figure 3: Symantec scan results for the compromised URL

Our earliest detection of Scanbox on this Pakistani government site was on March 2nd, 2019 and though we can’t say for sure how long before that Scanbox has been gathering information, we know with certainty that on that day alone Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.


Figure 4: Geo-location distribution of known victims

Shortly after we began our deeper investigation the Scanbox server mysteriously stopped responding, but a VT scan from the time when it was still active shows low detection rates for this server as well:


Figure 5: VirusTotal scan results for the Scanbox server

We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised. As mentioned above, the Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will.

These recent cases raise concerns regarding the security of government sites, especially ones where services provided online may involve access to sensitive information. From the perspective of an APT, a tool like Scanbox would only be the beginning of a potentially more elaborate attack.

Trustwave SWG customers are and have been, protected against the Scanbox Framework since 2014 when it first appeared.