scanbox
(Type: Reconnaissance, Info stealer, Keylogger, Downloader)

(Recorded Future) Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, perform keylogging, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified in order to deliver secondary malware on targeted hosts. Written in JavaScript and PHP, Scanbox's deployment negates the need for malware to be downloaded onto the host device.

[News Analysis] Trends:

Total Trend: 7

Trend Per Year
2014: 1
2015: 1
2019: 2
2020: 1
2021: 1
2022: 1

Trend Per Month
Aug 2014: 1
Feb 2015: 1
Mar 2019: 1
Sep 2019: 1
2020: 1
Feb 2021: 1
Aug 2022: 1


[News Analysis] News Mention Another Threat Name:

13 - scanbox
2 - Meterpreter
10 - APT40
2 - Sepulcher
2 - Lucky Cat
9 - AIRBREAK
9 - BLACKCOFFEE
9 - CHINACHOPPER
9 - Cobalt Strike
9 - Derusbi
9 - homefry
9 - murkytop
9 - SeDll
1 - POISON CARP


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Rising Tide: Chasing the Currents of Espionage in the South China Sea (2022-08-30, Michael Raggi, Proofpoint)

TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations (2021-02-25, Michael Raggi, Proofpoint)

BRONZE MOHAWK (2020, Secureworks)

Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs (2019-09-02, Andrew Case, Volexity)

Attacker Tracking Users Seeking Pakistani Passport (2019-03-14, Simon Kenin, Trustwave)

ScanBox Framework (2015-02-27, Ryan Mazerik, InfoSec Institute)

Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks (2014-08-28, Jaime Blasco, AT&T)

Basic Information (Credit @etda.or.th)

Tool: scanbox

Names: scanbox

Category: Malware

Type: Reconnaissance, Info stealer, Keylogger, Downloader

Information: https://www.recordedfuture.com/scanbox-framework-campaign/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:scanbox

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi