Credits: The Register
The keylogger scooped up users’ login details for the compromised site, while Scanbox fingerprinted the user’s browser and collected details of programs installed on the machine used to sign in. It also hunted for 77 common anti-malware packages, beaming back details of its findings to the attackers’ command-and-control servers.
The user’s IP address, the referring site, operating system, user-agent string and installed browser plugins were all collected. The compromised site is at hxxp://gdip.gov.pk (do NOT visit this link!).
Trustwave’s Ziv Mador told The Register his firm discovered the breach after noticing unusual things cropping up in telemetry data. He said: “Its appearance on the website is very minimal. Apart from the link [to the Scanbox payload server] there is no other sign of compromise.”
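Two checks a site owner or responder could run against a sign-in page like the one described above, as an added example that is not part of the article or of Trustwave's research: parse the page for script references whose host is off-site (the single injected link Mador describes) and for inline scripts that hook keystrokes. The sample page, `portal.example` and `fingerprint-c2.invalid` are constructed placeholders, not the real site or infrastructure.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample sign-in page (placeholder hosts, not the real site): one same-origin
# script, one on a subdomain, one injected off-site script, and one inline keystroke hook.
SAMPLE_PAGE = """<html><head>
<script src="/js/login.js"></script>
<script src="//static.portal.example/js/ui.js"></script>
<script src="http://fingerprint-c2.invalid/s.js"></script>
</head><body><form id="login"><input name="user"><input name="pass" type="password"></form>
<script>document.addEventListener('keypress', function(e){ buf += e.key; });</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    # Collects every <script src=...> value and the body of every inline <script>.
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def _host(src):
    # Relative paths ("/js/a.js") have no netloc and are same-origin; "//host/x" and "http://host/x" do.
    return urlparse(src).netloc.lower().rsplit("@", 1)[-1].split(":")[0]

def find_foreign_scripts(html, site_host, allowed_hosts=()):
    """Script src values whose host is neither the site, one of its subdomains, nor allow-listed."""
    c = ScriptCollector()
    c.feed(html)
    return [s for s in c.sources if _host(s) and _host(s) != site_host
            and not _host(s).endswith("." + site_host) and _host(s) not in allowed_hosts]

def find_key_capture(html):
    """Heuristic: inline scripts that register keyboard event handlers (keylogger-like behaviour)."""
    c = ScriptCollector()
    c.feed(html)
    return [b.strip() for b in c.inline if any(ev in b for ev in ("keypress", "keydown", "keyup"))]
```

Run the two functions over a saved copy of each public page and compare the foreign-host list against the site's known third-party includes; a host that appears on only one page, as here, is the kind of minimal change Mador describes.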
Scanbox previously cropped up in infosec firm FireEye’s research, dating back to at least 2015. That company described it as an APT tool.
Highlighting how this malware campaign differs from the usual get-rich-quick scams set up by lower-level cybercrooks, Mador said: “We can say that the most common purpose [of malware criminals] is fundamentally driven by … things that generate revenue. Here it’s different: they didn’t try to install any malware.”
Describing the miscreants as “probably a sophisticated team”, Mador speculated that their intent was to “infect with further malware”, using the information slurped by Scanbox to precisely craft nasties that worked around known anti-malware suites installed on target devices.
“We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised,” shrugged Trustwave. While the command-and-control server went dormant shortly after the threat research firm started poking around, there is no guarantee that the operators will not reactivate it.
The timing of the attack is of interest in the wider political context. Trustwave first spotted the infection on 2 March, shortly after tensions between India and Pakistan flared up into military action. While Trustwave did not have any information to indicate who was behind the infection, Mador told El Reg: “Given it’s a passport website, it’s quite likely [the infection] was politically motivated. About one-third to one-quarter [of those Trustwave observed using the site after spotting the compromise] are people living outside Pakistan. Maybe they’re travelling into Pakistan. Someone has an interest in monitoring this.”
Last year the Pakistani Air Force was targeted by a state-sponsored group in a campaign dubbed Operation Shaheen, while previous researchers noticed that cyber-sniping between the two countries tends to peak around national holidays and sports fixtures between them.