APT TA423 conducted watering hole attacks to deploy ScanBox, a JavaScript-based reconnaissance framework. Researchers tied the campaign to websites into which the group injected code that harvests browser and system information from every visitor.
ScanBox runs entirely in the visitor's browser; nothing is written to disk, so host-based antivirus rarely sees it. Its modules fingerprint the browser and operating system, enumerate installed plugins and security software, and log keystrokes entered on the page, which captures any credentials typed into forms. Everything gathered is posted back to attacker infrastructure, and the operators use it to decide which visitors are worth a follow-on exploit or targeted lure.
Watering hole attacks work by compromising legitimate websites frequented by a specific audience. When users visit the poisoned site, their browsers execute the injected JavaScript as part of loading the page, with no interaction beyond the visit itself. Because the site is one the victim already trusts, the vector needs no phishing lure or social engineering at all, and the added script tag that pulls the payload from attacker-controlled infrastructure is invisible to the visitor.
TA423 targets organizations in Asia-Pacific regions, focusing on government and technology sectors. The group previously deployed similar reconnaissance frameworks in operations dating back to 2015.
Defenders on the visitor side should watch egress traffic rather than endpoints: ScanBox modules report over HTTP POSTs to attacker infrastructure, so a script loaded from a host that is neither the visited site nor a known CDN, followed by periodic POSTs with encoded bodies to that same host, is the pattern to hunt for. Blocking known ScanBox command-and-control indicators at the web proxy or DNS layer stops exfiltration even while the compromised site is still serving the script. Site operators, for their part, can limit what an injected script can do with a strict Content Security Policy (a nonce- or hash-based script-src without 'unsafe-inline'), with the caveat that CSP is a control of the site owner, not the visitor, and an attacker with full control of the web server can simply change the headers. A web application firewall in front of the site inspects inbound requests; catching a script the server is already serving needs response inspection or file-integrity monitoring of the web root, not a request filter.
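The egress-side hunt described above, as an added example that is not from the original page or from any vendor's ScanBox detection logic: a Python script run over a constructed web-proxy log. The log format, the hostnames, the CDN allowlist and the 198.51.100.7 address are assumptions made for the example (the address is from a documentation range, not a real indicator). It flags script loads from hosts that are neither first-party nor allowlisted, base64-looking POST bodies going to such hosts, and POSTs to one URL at a fixed interval.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log, not real traffic. Assumed format (space-separated):
# timestamp client method url status referer content_type body
# Hosts and the 198.51.100.7 address are placeholders chosen for the example.
SAMPLE_LOG = """\
2022-08-01T09:00:01Z 10.1.2.3 GET https://news-example.test/article/1 200 - text/html -
2022-08-01T09:00:02Z 10.1.2.3 GET https://static.example-cdn.test/jquery.min.js 200 https://news-example.test/article/1 application/javascript -
2022-08-01T09:00:02Z 10.1.2.3 GET https://198.51.100.7/scripts/site.js 200 https://news-example.test/article/1 application/javascript -
2022-08-01T09:00:05Z 10.1.2.3 POST https://198.51.100.7/collect 200 https://news-example.test/article/1 text/plain aHR0cHM6Ly9uZXdzLWV4YW1wbGUudGVzdC9hcnRpY2xlLzE=
2022-08-01T09:00:35Z 10.1.2.3 POST https://198.51.100.7/collect 200 https://news-example.test/article/1 text/plain dXNlcm5hbWU6YWxpY2UgcGFzc3dvcmQ6aHVudGVyMg==
2022-08-01T09:01:05Z 10.1.2.3 POST https://198.51.100.7/collect 200 https://news-example.test/article/1 text/plain Y2xpcGJvYXJkOiBzZWNyZXQ=
2022-08-01T09:02:00Z 10.1.2.3 POST https://news-example.test/api/comment 200 https://news-example.test/article/1 application/json {"text":"nice article"}
"""

# Assumed allowlist of hosts the organisation already trusts to serve script.
TRUSTED_SCRIPT_HOSTS = {"static.example-cdn.test"}

# Body made only of base64 alphabet characters, at least 16 long, optional padding.
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_line(line):
    """Split one assumed-format log line into a dict; returns None on malformed input."""
    parts = line.split(" ", 7)  # maxsplit keeps a body containing spaces intact
    if len(parts) != 8:
        return None
    ts, client, method, url, status, referer, ctype, body = parts
    referer_host = "" if referer == "-" else (urlparse(referer).hostname or "")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url,
        "host": urlparse(url).hostname or "",
        "referer_host": referer_host, "ctype": ctype, "body": body,
    }


def is_first_party(host, referer_host):
    """True when the request host is the referring site or one of its subdomains."""
    return bool(referer_host) and (host == referer_host or host.endswith("." + referer_host))


def analyse(log_text):
    """Return (finding_type, client, url) tuples for the three ScanBox-style patterns."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    post_times = defaultdict(list)  # (client, url without query) -> timestamps
    for e in events:
        third_party = bool(e["referer_host"]) and not is_first_party(e["host"], e["referer_host"])
        untrusted = third_party and e["host"] not in TRUSTED_SCRIPT_HOSTS
        is_script = e["ctype"].startswith("application/javascript") or e["url"].endswith(".js")
        if e["method"] == "GET" and is_script and untrusted:
            findings.append(("untrusted_script", e["client"], e["url"]))
        if e["method"] == "POST":
            if untrusted and B64_BODY.match(e["body"]):
                findings.append(("encoded_exfil", e["client"], e["url"]))
            post_times[(e["client"], e["url"].split("?", 1)[0])].append(e["ts"])
    # Beaconing: three or more POSTs to one URL with near-constant spacing (<=10% jitter).
    for (client, url), times in post_times.items():
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) > 0 and max(gaps) - min(gaps) <= 0.1 * max(gaps):
            findings.append(("beaconing", client, url))
    return findings


if __name__ == "__main__":
    for kind, client, url in analyse(SAMPLE_LOG):
        print(f"{kind:17} {client:10} {url}")
```

The allowlisted jQuery load from the CDN is third-party but trusted and produces nothing; the bare-IP script host, its three encoded POST bodies, and the 30-second cadence each produce a finding. In production the allowlist would be built from a baseline of the organisation's own traffic, and the beacon check would run over a longer window than three requests.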
