Security News > 2022 > August > Watering Hole Attacks Push ScanBox Keylogger

In lieu of malware, attackers can use ScanBox in conjunction with watering hole attacks.

Adversaries load the malicious JavaScript onto a compromised website where the ScanBox acts as a keylogger snagging all of a user's typed activity on the infected watering hole website.

"Upon clicking the link and redirecting to the site, visitors were served the ScanBox framework," researchers wrote.

ScanBox keylogger data culled from waterholes is part of a multi-stage attack, giving attackers insight into the potential targets that will help them launch future attacks against them.

ScanBox additionally runs a check for browser extensions, plugins and components such WebRTC. "The module implements WebRTC, a free and open-source technology supported on all major browsers, which allows web browsers and mobile applications to perform real-time communication over application programming interfaces. This allows ScanBox to connect to a set of pre-configured targets," researchers explain.

"STUN is supported by the WebRTC protocol. Through a third-party STUN server located on the Internet, it allows hosts to discover the presence of a NAT, and to discover the mapped IP address and port number that the NAT has allocated for the application's User Datagram Protocol flows to remote hosts. ScanBox implements NAT traversal using STUN servers as part of Interactive Connectivity Establishment, a peer-to-peer communication method used for clients to communicate as directly as possible, avoiding having to communicate through NATs, firewalls, or other solutions," according to researchers.

News URL

https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/