Watering hole attacks are usually associated with cyber espionage efforts and are booby-trapped with exploit kits that deliver malware onto the visitors’ vulnerable computers. But exploit kits are not the only danger lurking on those sites.
Dubbed ScanBox by the attackers, its function is to collect information about the visitors’ system without infecting it. This information includes things like the referer (to find out the last page the user was on before visiting the site), the OS and language settings, screen width and height, web browser used, geographical location, website content accessed, security software used, Java, Acrobat Reader, MS Office and Adobe Flash versions used, and so on.
Scanbox can also log the keystrokes the victim is typing inside the compromised website, which could include passwords and other sensitive information. And all this information is then sent to a remote C&C server controlled by the attackers. ScanBox’ goal is obviously used to collect information that will later be misused to compromise specific targets.
More recent research efforts by two analysts with PwC have revealed that the ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries: a large Japanese supplier of industrial equipment, a US-based think-tank, a hospitality provider in South Korea, and an Uyghur organization in China.
“This variation was our first clue that more than one actor may be using the framework,” the researchers say. Secondly, all four implementations share the same codebase, but there are some differences in their implementations. Thirdly, an analysis of the associated attacker infrastructure shows little overlap.
While its true that there are some cyber espionage teams out there that likely target a wildly diverse array of targets, the researchers point out that “very few attackers have the patience to maintain completely distinct infrastructure with multiple registrars, name servers and hosting providers at the same time,” which leads them to believe that several groups of attackers share some of the resources (i.e. malware, builders, etc.)
It’s also possible that one group used the framework first, and others took the code and modified it for their own purposes.