What is the issue - Researchers from Trustwave detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.
Worth noting - The compromised Pakistani government website (tracking.dgip.gov[.]pk) is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application.
The big picture
“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse,” Trustwave researchers said in a blog.
Why it matters - due to the lack of detection for the compromised website by security products
The bottom line - The Scanbox server currently appears inactive, however, the infection indicated that it has some level of access to the compromised website.
“The Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers said.