A deeper look into ScanBox

24 February 2015


 View Christopher Doman’s profile on LinkedIn

 View Tom Lancaster’s profile on LinkedIn

Please e-mail us at [email protected] for a version of this report with additional indicators that you are welcome to distribute so long as it is not on public channels (TLP-GREEN).

We have observed actors amending the ScanBox framework to evade existing public signatures, detailed below.


Security researchers have often made the mistake of assuming that when a specific tool was observed being used in espionage attacks, it was representative of activity of a single actor. More frequently, however, many are now identifying that distinct groups of attackers are sharing their toolsets, just as in the cybercrime world.

One such toolset, the ScanBox framework, is now shared between a number of groups who conduct espionage attacks. Evidence suggests that these groups include those behind the recent Forbes and Anthem attacks. This short paper outlines our current perspectives on the previously discussed espionage groups currently using the framework and a hint that a 5th player is getting in on the game.

ScanBox performs keylogging of users when they visit a compromised website, without requiring malware to be deployed, and can collect a great deal of information which can be used to tailor future attacks.

In October we published some details of the ScanBox tool set. Since then we have encountered 24 additional sites compromised with the framework. Over this time we have observed changes to the code and novel techniques for executing.

We have also received a number of tip offs from other researchers, as well as queries from victims who were directly targeted by those using the framework. We would like to extend our thanks to these individuals for their contributions towards this research. 

Who’s using it, and who’s being targeted?

The following diagram shows the links in tools and targets between the groups discussed in our previous blog, but newer information has since come to light which allows us to more accurately associate these groups with known threat actors:             

Diagram 1

Between these clusters, we’ve seen strategic web compromises designed to target users in the following countries:

Diagram 2

Variations on the framework

Since our last post there have been several alterations to the ScanBox code base, including new modules, changes to avoid signature based detection, as well as extra techniques to try to identify whether those being scanned are real machines or researchers.

Fears of proliferation

In some cases we have been able to watch developers update and test variants of the framework, and even come across server-side code being tested by budding hackers.

Our findings are detailed below.

Download the Report

You can download the report here:

Download CTO-TIB-20150223-01A