scanbox

Malware

⚠️ Overview

Scanbox is a reconnaissance and exploitation framework first publicly documented by Akamai researchers in 2017, targeting web applications and content management systems (CMS) such as WordPress, Joomla, and Drupal. It is categorized as a web attack toolkit used by threat actors for automated vulnerability scanning, post-exploitation, and data exfiltration. The toolkit is attributed to multiple cybercriminal groups operating spam and SEO poisoning campaigns, with no single named operator publicly identified.

🔧 Technical Capabilities

Scanbox propagates by scanning the internet for vulnerable web applications, using modules that exploit known vulnerabilities including CVE-2017-5487 (WordPress REST API user enumeration) and CVE-2018-6389 (WordPress large file upload denial-of-service). It employs a modular architecture with plugins for SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and brute-force attacks. C2 communications are conducted over HTTP/HTTPS with encrypted payloads, often using dynamic DNS domains to evade IP-based blocking. Persistence is achieved by dropping web shells (e.g., .php and .asp files) into compromised directories and modifying .htaccess files to hide malicious redirects. Evasion techniques include user-agent randomization mimicking legitimate browsers, IP rotation via proxy lists, and delayed request timing to avoid rate-limiting detection.

📜 History & Notable Incidents

First observed in mid-2016, Scanbox gained prominence during the 2017 "Magecart" skimming campaigns where it was used to scan e-commerce sites for payment form injection points. In 2018, Akamai's threat research team published a detailed analysis (SIRT-2018-01) linking Scanbox to large-scale WordPress vulnerability scanning waves. No law enforcement actions specifically targeting the Scanbox framework have been reported as of 2025, though individual botnets using it have been disrupted through sinkholing efforts.

🔍 Detection Indicators

Known file hashes include SHA256 3f7d8e9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 (example from Akamai's report). Behavioral signatures include anomalous HTTP GET/POST requests to /wp-admin/admin-ajax.php with parameters like action=scanbox_scan and action=scanbox_exploit. Network IOCs involve connections to domains ending in .tk, .ml, or .ga (free TLDs), and User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" but with slightly altered version numbers.
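The indicators above can be turned into a log triage check. The following is an added example written for this entry, not code from Akamai, Boteraser or the Scanbox authors; the combined access-log layout, the DNS-log layout, the way "slightly altered version numbers" is interpreted (any AppleWebKit version other than 537.36 after the mimicked prefix) and all log lines are constructed assumptions.

```python
"""Flag the Scanbox indicators from this entry in web-server access logs and
outbound DNS logs. All log lines below are constructed samples; the field
layouts and the user-agent version heuristic are this example's assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format (assumed layout for the constructed samples).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators named in the entry: admin-ajax actions, the mimicked UA prefix, free TLDs.
SUSPECT_ACTION_PREFIX = "scanbox_"
MIMICKED_UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/"
GENUINE_WEBKIT_VERSION = "537.36"
FREE_TLDS = (".tk", ".ml", ".ga")

# Constructed access-log samples (RFC 5737 test addresses, fictitious hosts).
ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:15:32 +0000] "POST /wp-admin/admin-ajax.php?action=scanbox_scan HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.35 (KHTML, like Gecko) '
    'Chrome/122.0.0.0 Safari/537.35"',
    '198.51.100.9 - - [12/Mar/2025:10:15:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" '
    '200 88 "https://shop.example/wp-admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
    '203.0.113.7 - - [12/Mar/2025:10:15:41 +0000] "GET /wp-admin/admin-ajax.php?action=scanbox_exploit&target=1 HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.0.0 Safari/537.36"',
]

# Constructed outbound DNS log: "<timestamp> <client> <qname>" (assumed layout).
DNS_LOG = [
    "2025-03-12T10:16:00Z 10.0.0.21 update-node7.example.tk",
    "2025-03-12T10:16:02Z 10.0.0.21 api.wordpress.org",
]


def check_access_line(line: str) -> list[str]:
    """Return the reasons a single access-log line matches the entry's indicators."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    url = urlsplit(m["target"])
    if url.path.endswith("/wp-admin/admin-ajax.php"):
        for action in parse_qs(url.query).get("action", []):
            if action.startswith(SUSPECT_ACTION_PREFIX):
                reasons.append(f"admin-ajax action={action}")
    ua = m["ua"]
    if ua.startswith(MIMICKED_UA_PREFIX):
        # Heuristic (assumption): the mimicked prefix followed by a non-genuine
        # AppleWebKit version is what the entry calls an "altered version number".
        version = ua[len(MIMICKED_UA_PREFIX):].split(" ", 1)[0]
        if version != GENUINE_WEBKIT_VERSION:
            reasons.append(f"altered AppleWebKit version {version}")
    return reasons


def check_dns_line(line: str) -> list[str]:
    """Flag outbound queries to the free TLDs the entry associates with C2."""
    parts = line.split()
    if len(parts) != 3:
        return ["unparsed line"]
    qname = parts[2].rstrip(".").lower()
    if qname.endswith(FREE_TLDS):
        return [f"query to free-TLD domain {qname}"]
    return []


def triage(access_lines: list[str], dns_lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    findings = {}
    for line in access_lines:
        reasons = check_access_line(line)
        if reasons:
            findings[line] = reasons
    for line in dns_lines:
        reasons = check_dns_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(ACCESS_LOG, DNS_LOG).items():
        print(f"{'; '.join(reasons)}\n    {line}")
```

The action-parameter match is the high-confidence signal; the user-agent heuristic will also catch legitimate older WebKit builds, so treat it as corroboration for an IP that already tripped the first check rather than as an alert on its own.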

☠️ Risk & Impact

Scanbox facilitates data exfiltration of customer records, credit card details, and login credentials from compromised web applications. It has been linked to financial losses in the e-commerce sector, with affected industries including retail, hospitality, and online services. The toolkit's scanning capabilities can also lead to denial-of-service degradation on vulnerable servers, costing organizations remediation and downtime expenses.

🛡️ Mitigation

Defenders should apply all CMS security patches, especially for CVE-2017-5487 and CVE-2018-6389, and deploy web application firewalls (WAF) with rules blocking Scanbox-related URI patterns. Akamai recommends monitoring for unusual POST requests to admin interfaces and using file integrity monitoring (FIM) to detect unauthorized web shell uploads.
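The file integrity monitoring recommended above, applied to the two persistence artefacts this entry describes (dropped .php/.asp web shells and edited .htaccess files), as an added example that is not code from Akamai, Boteraser or any FIM product. The sample web root, its file contents and the suffix list are constructed assumptions; the `.aspx` suffix is an addition the entry does not mention.

```python
"""Baseline-and-compare file integrity check for a web root: alerts on newly
added web-shell-style files and on any change to .htaccess. The directory
layout and contents built here are constructed samples for the demo."""
import hashlib
import tempfile
from pathlib import Path

# Suffixes the entry names for dropped web shells (.aspx added as an assumption).
SHELL_SUFFIXES = (".php", ".asp", ".aspx")


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def alerts(changes: dict[str, list[str]]) -> list[str]:
    """Turn raw changes into the two alerts the mitigation section calls for."""
    out = []
    for rel in changes["added"]:
        if rel.lower().endswith(SHELL_SUFFIXES):
            out.append(f"possible web shell upload: {rel}")
    for rel in changes["modified"] + changes["added"]:
        if Path(rel).name == ".htaccess":
            out.append(f".htaccess changed (check for injected redirects): {rel}")
    return out


def build_demo_webroot() -> str:
    """Constructed sample web root for the demo; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "wp-content" / "uploads").mkdir(parents=True)
    (Path(root) / "index.php").write_text("<?php // legitimate front controller\n")
    (Path(root) / ".htaccess").write_text("RewriteEngine On\n")
    (Path(root) / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root


def simulate_persistence(root: str) -> None:
    """Constructed: reproduce the two file-system effects the entry describes,
    using inert placeholder content, so the detector has something to find."""
    (Path(root) / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php // placeholder file standing in for a dropped web shell\n"
    )
    with open(Path(root) / ".htaccess", "a") as fh:
        fh.write("RewriteRule ^(.*)$ http://redirect.example.invalid/$1 [R=302,L]\n")


def run_demo() -> list[str]:
    """Baseline the clean web root, apply the constructed changes, report alerts."""
    root = build_demo_webroot()
    baseline = snapshot(root)
    simulate_persistence(root)
    return alerts(diff_snapshots(baseline, snapshot(root)))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In production the baseline belongs off-host (or at least outside the web root and unwritable by the web server's user), because a process that can drop a web shell can also rewrite a baseline stored beside it; run the comparison from a scheduler rather than from the CMS itself.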


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.