

The infection is initiated when the initial scammer (in essence, the victim) opens a weaponized webpage (likely sent to them via livechat). A recent research paper on Electron security demonstrated a successful exploitation of an Electron-based application using CVE-2021-21220. In this scenario, it leveraged cross-site scripting (XSS) techniques to force the exploit to be rendered in a window without sandboxing. We found weaponized HTML pages created by Water Labbu that leverage the same Chromium vulnerability to attack the MeiQia application. The initial scammers used an old version of MeiQia, which might be vulnerable to exploits. Review of the code shows that old versions of MeiQia open external links inside their ElectronJS application and render the web page without sandboxing. The latest version of MeiQia is not vulnerable because it runs on a newer version of the Chromium core and also opens external links not inside the ElectronJS app but via the default system web browser.

The weaponized HTML pages contain JavaScript that uses the User-Agent to identify whether the victim’s environment is vulnerable. The script detects strings such as “electron” and “x64” to discover Electron-based applications and the x64 architecture. It also detects the strings “0.0.8 Chrome/83,” “s/0.0.7,” or “s/0.0.6” to identify whether it is running inside a vulnerable version of Chromium or the MeiQia application. If the User-Agent does not match, it will either redirect victims to the official MeiQia website or create a new iframe to load screenshots of banking or cryptocurrency transactions. It’s likely that these are the lures Water Labbu used to communicate with the targeted cryptocurrency scam websites. When the weaponized HTML pages detect a vulnerable target, they proceed with loading additional stages of the attack. The last stage involves the creation and loading of a new script called “tongji.js,” which in Chinese means 痛擊 (to deliver a punishing attack). These files are hosted inside Water Labbu’s code repository.

The “tongji.js” script is a JavaScript file containing CVE-2021-21220 exploit code, with a shellcode that is a Cobalt Strike stager. The Metasploit module for this vulnerability is publicly available. Water Labbu reuses the available code and obfuscates it with one or more layers of obfuscation (sojson.v4, v5) before executing the custom shellcode. The embedded shellcode can either be a Cobalt Strike stager or a complex batch command capable of stealing credentials and of downloading and running other scripts and files. Regardless of whether the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations being performed was largely the same:
1) Steal cookies and other important files
2) Provide information about the infection progress by communicating with the report-collecting server, among others

The Cobalt Strike stager

If the app is found and is unpatched, the error report with parameter “b” is sent. Meanwhile, another script checks whether the process “360tray,” belonging to the 360 Total Security solution, is running: if the discretionary access control list (DACL) modifications with icacls fail, the error report with parameter “z” is sent.
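The User-Agent fingerprint the weaponized pages test for (the “electron” and “x64” markers plus the “0.0.8 Chrome/83,” “s/0.0.7,” and “s/0.0.6” version strings) can be reused defensively to inventory outdated Electron clients in proxy logs. The following is an added example, not code from the Trend Micro write-up or from Water Labbu; it assumes Apache/nginx combined log format, and the sample log lines and application names (example-app, example-windows, other-app) are constructed.

```python
import re
from typing import List, Optional, Tuple

# User-Agent fragments the weaponized pages test for, as listed in the write-up above.
ELECTRON_MARKERS = ("electron", "x64")  # matched case-insensitively
VULNERABLE_VERSION_MARKERS = ("0.0.8 Chrome/83", "s/0.0.7", "s/0.0.6")  # matched verbatim


def is_vulnerable_electron_ua(ua: str) -> Optional[str]:
    """Return why a User-Agent passes the exploit pages' check, or None if it does not."""
    lowered = ua.lower()
    if not all(marker in lowered for marker in ELECTRON_MARKERS):
        return None  # not an x64 Electron client: the pages would serve the lure instead
    for marker in VULNERABLE_VERSION_MARKERS:
        if marker in ua:
            return f"x64 Electron client with vulnerable version marker {marker!r}"
    return None  # Electron, but not one of the outdated builds the pages look for


# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent".
# This format is an assumption for the example; adapt the pattern to your proxy.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for clients that would pass the vulnerability check."""
    findings = []
    for line in lines:
        match = COMBINED_LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        reason = is_vulnerable_electron_ua(match.group("ua"))
        if reason:
            findings.append((match.group("ip"), reason))
    return findings


# Constructed sample log lines (not real traffic); the app names are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2022:10:00:00 +0000] "GET /chat HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) example-app/0.0.8 Chrome/83.0.4103.122 Electron/9.4.4"',
    '10.0.0.6 - - [01/Oct/2022:10:00:01 +0000] "GET /chat HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0.0.0 Safari/537.36"',
    '10.0.0.7 - - [01/Oct/2022:10:00:02 +0000] "GET /chat HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) example-windows/0.0.7 Chrome/83.0.4103.122 Electron/9.4.4"',
    '10.0.0.8 - - [01/Oct/2022:10:00:03 +0000] "GET /chat HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) other-app/1.2.0 Chrome/104.0.5112.81 Electron/20.0.0"',
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags only the two clients on Chromium 83 builds; the current-Chromium Electron client (10.0.0.8) and the plain browser (10.0.0.6) are not reported.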
