October 27, 2014
Greg Martin

Scanbox, the Re-usable JavaScript Waterhole Kit

<h3><strong>Scanbox</strong>, the APT JavaScript exploitation framework originally reported by our friends at <a href="https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks">AlienVault</a>, has recently been discovered targeting US think tanks; industrial, engineering and aerospace companies; and other random targets such as a Korean hospitality site and specific groups within China with political tensions.</h3><p>Scanbox was designed to be a modular, re-usable, JavaScript-based exploit kit. It allows less sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs, and then set up a waterhole attack to infect the hundreds to thousands of victims that visit that website. We are seeing a rise in re-usable exploit frameworks developed by more sophisticated attackers, allowing C-level military hacking teams to come out of initial training and be highly effective with these toolkits.</p><h3><a href="https://ui.threatstream.com/registration">ThreatStream OPTIC</a> is currently tracking over 135 IOCs related to Scanbox waterhole attacks.
</h3><p>The following Snort/Suricata signatures from the Emerging Threats Open Ruleset can also help detect Scanbox activity on your network.</p><pre><sub>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:2;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST)"; flow:to_server,established; content:"POST"; http_method; content:"projectid="; http_client_body; fast_pattern:only; content:"agent="; http_client_body; content:"platform="; http_client_body; content:"seed="; http_client_body; content:"screen="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019094; rev:2;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:2;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&amp;alivetime="; http_uri; content:"&amp;r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:2;)</sub></pre>
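
As an added example (not part of the original post or of the Emerging Threats ruleset), the content matches of the three client-to-server rules above (sids 2019094 to 2019096) can be replayed over already-collected HTTP logs to look for past Scanbox check-ins. The record field names and the sample records are constructed for illustration, and the two POST rules assume the log source retains request bodies.

```python
# Added example: replays the content matches of ET sids 2019094-2019096
# over logged HTTP requests. Record field names are assumptions.

# (sid, HTTP method, buffer, required substrings), copied from the rules above.
RULES = [
    (2019094, "POST", "body",
     ["projectid=", "agent=", "platform=", "seed=", "screen="]),
    (2019095, "POST", "body",
     ["pluginid=", "projectid=", "seed=", "data="]),
    (2019096, "GET", "uri", [".php?seed=", "&alivetime=", "&r="]),
]


def match_sids(method, uri, body=""):
    """Return sids whose content strings all occur in the request.

    The rules use no nocase, distance or within modifiers, so matching
    here is case-sensitive and independent of parameter order.
    """
    buffers = {"uri": uri, "body": body}
    return [sid for sid, rule_method, buf, needles in RULES
            if method == rule_method
            and all(n in buffers[buf] for n in needles)]


def sweep(records):
    """Return (client, host, sids) for every record matching a rule."""
    hits = []
    for rec in records:
        sids = match_sids(rec["method"], rec["uri"], rec.get("body", ""))
        if sids:
            hits.append((rec["client"], rec["host"], sids))
    return hits


# Constructed sample records; hosts, paths and values are placeholders.
SAMPLE = [
    {"client": "10.0.0.5", "host": "waterhole.example", "method": "POST",
     "uri": "/a/recv.php",
     "body": "seed=ab12&projectid=9&agent=Mozilla&platform=Win32&screen=1x1"},
    {"client": "10.0.0.5", "host": "waterhole.example", "method": "GET",
     "uri": "/a/s.php?seed=ab12&alivetime=1414400000&r=0.42"},
    {"client": "10.0.0.9", "host": "shop.example", "method": "POST",
     "uri": "/cart.php", "body": "projectid=3&seed=1&data=x"},
    {"client": "10.0.0.9", "host": "shop.example", "method": "GET",
     "uri": "/item.php?seed=1&r=2"},
]
```

A client that hits the initial POST and then the keep-alive GET against the same host, as 10.0.0.5 does in the sample, is a stronger lead than either match alone.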
