This report outlines recent Scanbox campaigns targeting a Pakistani government department and the Central Tibetan Administration in early March 2019. Insikt Group researchers utilized data from the Recorded FutureⓇ Platform, Shodan, Farsight Security DNS, third-party network metadata, and common OSINT techniques.

This report will be of most interest to network defenders seeking to understand the threat posed by cyberespionage actors leveraging strategic web compromises to conduct network reconnaissance, in advance of a more concerted effort to gain access to their network.

Executive Summary

In early March 2019, Recorded Future’s Insikt Group identified two separate Scanbox campaigns using strategic web compromises to target visitors to the website of Pakistan’s Directorate General of Immigration and Passports (DGIP) and a spoof of the official Central Tibetan Administration (CTA) website. It is likely that in both cases, the attackers intended to profile the devices of website visitors in order to conduct follow-on intrusions.

Insikt Group highlights this activity to enable the protection of targeted communities and to raise awareness of the risks posed by in-memory reconnaissance frameworks, such as Scanbox, used widely by Chinese state-sponsored threat actors, which employ features that enable keylogging and the deployment of additional malware on unsuspecting website visitors.

Key Judgments

• Analysis of the Tibetan Scanbox deployment highlights several associated domains and IPs revealing a wider campaign of targeting against Tibetan interests.
• Scanbox has been used previously in the targeting of persecuted minority groups, such as the Uighurs and Tibetans in China.

Background

Remarqué pour la première fois début 2014, Scanbox a été utilisé dans plusieurs intrusions très médiatisées, notamment la violation d'Anthem et les attaques de type « watering hole » contre Forbes. Il a été largement adopté par des acteurs malveillants basés en Chine, notamment Leviathan (APT40, Temp.Periscope), LuckyMouse (TG-3390, Emissary Panda, Bronze Union), APT10 (menuPass, Stone Panda) et APT3 (Pirpi, Gothic Panda).
Scanbox est un cadre de reconnaissance qui permet aux attaquants de suivre les visiteurs de sites Web compromis, d'enregistrer leurs frappes clavier et de collecter des données pouvant être utilisées pour mener d'autres attaques. Il a également été signalé qu'il avait été modifié afin de diffuser des logiciels malveillants secondaires sur les hôtes ciblés. Écrit en Javascript et PHP, le déploiement de Scanbox élimine la nécessité de télécharger un logiciel malveillant sur l'appareil hôte.

Summary of Scanbox use since 2014. (Source: Recorded Future)

Threat Analysis

Pakistan DGIP Scanbox Instance

Le 4 mars 2019, Insikt Group a identifié que le système de suivi des demandes de passeport en ligne sur le site web de la DGIP du Pakistan (tracking.dgip.gov[.]pk) a été compromise par des attaquants qui ont déployé le code Scanbox sur la page. Les visiteurs du site Web ont été redirigés à la suite d'une attaque stratégique par compromission du Web (SWC), également connue sous le nom de « watering holes », vers un serveur Scanbox contrôlé par un attaquant hébergé sur l'adresse IP néerlandaise 185.236.76[.]35. permettant aux attaquants de déployer la vaste gamme de fonctionnalités de Scanbox.
Vous trouverez plus d'informations sur le déploiement de Scanbox dans un article récemment publié sur le blog de Trustwave.

Scanbox-infected webportal for the tracking system on Pakistan’s DGIP.

Central Tibetan Administration Scanbox Instance

Insikt Group researchers were alerted to a new domain registration within the Recorded Future platform that triggered on a typosquatting rule for tibct[.]net. The domain was first registered on March 6, 2019.

Un événement lié à l'enregistrement d'un nouveau domaine a été détecté sur le portail Recorded Future et a déclenché une règle de risque de typosquatting.
Après analyse, le site présentait des similitudes de contenu avec le site Web légitime de la CTA, comme illustré ci-dessous :

Comparaison côte à côte du site Web frauduleux tibct[.]net (à gauche), et le site web officiel de la CTA tibet[.]net (à droite).
Par la suite, le 7 mars 2019, nous avons identifié que le tibct[.]net La page Web avait été modifiée par les attaquants afin d'y intégrer un code JavaScript malveillant qui redirigeait les visiteurs vers un serveur Scanbox hébergé sur oppo[.]ml. (répartition de la charge entre les adresses IP Cloudflare 104.18.36[.]192, 104.18.37[.]192 et 2606:4700:30::6812[:]24c0).

Malicious JavaScript embedded in spoof domain tibct[.]net.

Visitors likely intending to visit the official CTA website, tibet[.]net, were being duped into navigating to tibct[.]net, possibly via links in spearphish emails that were then subsequently redirected to the Scanbox C2 domain oppo[.]ml.

Pivoting from the spoofed domain, tibct[.]net, in WHOIS data revealed that the same email address was used by the attackers to register the domains tibct[.]org (registered March 5, 2019) and monlamlt[.]com (registered March 11, 2019), both of which appear to either host resources relating to Tibet or are typosquats of official CTA domains. Analysis of these domains in Farsight Security’s DNSDB reveal further closely associated infrastructure.

Outlook

These Scanbox intrusions, which were detected by Insikt Group within a few days of each other, show that the tool is still popular with attackers and is being used against organizations that are broadly aligned with the geopolitical interests of the Chinese state. Based on the identity of the two targeted organizations, as well as the well documented historic use of Scanbox by a variety of Chinese APTs, we assess with low confidence that these Scanbox deployments were likely conducted by Chinese state-sponsored threat actors.

Network Defense Recommendations

Recorded Future recommends organizations implement the following measures when defending against Scanbox targeting as documented in this research:

• Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
• Implement the provided Snort rules in the threat hunting package attached in Appendix B into your IDS and IPS appliance and investigate any alerts generated for activity resembling the TTPs outlined in this report.
• Conduct regular YARA scans across your enterprise for the Scanbox rules listed in the threat hunting package in Appendix B.
• Recorded Future customers can be alerted to new samples matching the YARA rule currently deployed by Insikt Group researchers within the Recorded Future platform.