2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How does Hidden Bee use new vulnerabilities to spread? Many newcomers are not clear about this, so to help you with the question, the editor explains it in detail below. Anyone with this need is welcome to read on; I hope you gain something from it.
Foreword
Recently we discovered an attempt to exploit CVE-2018-4878 (a Flash Player vulnerability) in a sequence different from any exploit kit we had seen so far. After investigation, we found that it is part of an existing exploit framework described by the Chinese security company Qihoo 360 at the end of 2017. At that time, however, the payload appeared to be an adware Trojan. The payload used this time is not a standard PE file; instead it is more like a multi-stage custom executable format, and it also acts as a downloader that retrieves the LUA scripts used by the Hidden Bee miner botnet. This may be the first case of a bootkit being used to mine cryptocurrency.
Malvertising overview
Attackers use enticing ads on adult websites to lure victims to phishing pages. Based on the advertisements and the data available to us, we believe this campaign mainly targets users in Asian countries and regions. The server, which claims to be an online dating service, contains a malicious iframe that is responsible for exploiting and infecting visitors.
IE exploit
In this case, the malicious code starts from a web page with an embedded encrypted block. It is Base64-encoded and then encrypted with one of two algorithms, RC4 or Rabbit:
After decryption, the block is executed. You can find a decoded version of the JavaScript that runs here. In the script we can see that it generates a random session key and then encrypts it with the attacker's public RSA key:
The encrypted key is passed to the next function, converted to JSON format, and sent in a POST request to a hard-coded URL:
Looking at the traffic between the client and the server (the client sends the encrypted "key" and the server responds with a "value") makes this clearer:
Server side
1. The server decrypts the session key with the attacker's private RSA key.
2. It chooses a symmetric algorithm (Rabbit or RC4) to encrypt the exploit payload.
3. It returns the encrypted content to the client. Because the client still holds the unencrypted session key in memory, it can decrypt and execute the exploit. The original session key cannot be recovered from the traffic alone, however, so the exploit cannot be replayed from a capture. Fortunately, we succeeded in capturing the exploit through dynamic analysis, and found that the vulnerability being exploited is CVE-2018-8174.
Flash vulnerability exploitation
This is a relatively new Flash vulnerability (CVE-2018-4878) that was not part of the exploit kit when Qihoo 360 published its document; it was probably added later to improve the kit's effectiveness. The shellcode embedded in this exploit is only a downloader for the next stage. After successful exploitation, it retrieves its payload from the following URL:
The file has a .wasm extension and is disguised as a WebAssembly module, but in fact it is something completely different.
As we can see, it loads Cabinet.dll, the module used to extract Cabinet files. Further on we see the APIs and strings used to communicate over HTTP. We also find references to "dllhost.exe" and "bin/i386/core.sdb".
It is easy to guess that this module will be downloaded and run using dllhost.exe. Another string is Base64-encoded:
The decoded content reveals more URLs:
http://103.35.72.223/git/wiki.asp?id=530475f52527a9ae1813d529653e9501
http://103.35.72.223/git/glfw.wasm
http://103.35.72.223/rt/lsv3i06rrmcu491c3tv82uf228.wasm
Looking at the traffic captured with Fiddler, we find that the module does indeed query these URLs:
The requests come from dllhost.exe, which suggests that this executable has been injected with malicious code. The file glfw.wasm has nothing in common with WebAssembly. In fact, it is a Cabinet file containing a package at the internal path bin/i386/core.sdb. Inside it, we find the same custom executable format, including DLL names:
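A detection-side check for the masquerade just described, added here as an example (not from the original report): classify a downloaded ".wasm" response by its magic bytes instead of its extension, and read the Cabinet CFHEADER fields when it turns out to be a CAB. The sample header is constructed, not the real glfw.wasm.

```javascript
// CFHEADER field offsets follow the Microsoft Cabinet format; all little-endian.
function classifyByMagic(buf) {
  if (buf.length >= 8 && buf.subarray(0, 4).equals(Buffer.from([0x00, 0x61, 0x73, 0x6d]))) {
    return { type: 'wasm', version: buf.readUInt32LE(4) };   // "\0asm" + version
  }
  if (buf.length >= 36 && buf.subarray(0, 4).toString('latin1') === 'MSCF') {
    return {
      type: 'cab',
      cbCabinet: buf.readUInt32LE(8),    // total cabinet size in bytes
      coffFiles: buf.readUInt32LE(16),   // offset of the first CFFILE entry
      cFolders: buf.readUInt16LE(26),
      cFiles: buf.readUInt16LE(28),
    };
  }
  return { type: 'unknown' };
}

// Compare the extension the URL advertises with what the bytes actually are;
// a ".wasm" that parses as a Cabinet is exactly the glfw.wasm case.
function checkDownload(urlPath, body) {
  const ext = urlPath.split('?')[0].split('.').pop().toLowerCase();
  const detected = classifyByMagic(body).type;
  const mismatch = ext === 'wasm' && detected !== 'wasm';
  return { ext, detected, mismatch };
}

// Constructed CFHEADER (not the real glfw.wasm): one folder, one file,
// cabinet size 64, first CFFILE at offset 44, format version 1.3.
function constructedCabHeader() {
  const h = Buffer.alloc(36);
  h.write('MSCF', 0, 'latin1');
  h.writeUInt32LE(64, 8);
  h.writeUInt32LE(44, 16);
  h[24] = 3; h[25] = 1;           // versionMinor, versionMajor
  h.writeUInt16LE(1, 26);         // cFolders
  h.writeUInt16LE(1, 28);         // cFiles
  return h;
}
```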
Another point is that the actors may try to hide their traffic by using a custom SLTP protocol to retrieve the actual payload, as seen in the strings extracted from core.sdb inside the Cabinet file:
INSTALL_SOURCE&sid=%uINSTALL_SIDINSTALL_CIDsltp://setup.gohub [.] online:1108/setup.bin?id=128ntdll.dllZwQueryInformationProcessVolumeNumberSCSIDISKos=%d&ar=%dkernel32.dllIsWow64ProcessRtlGetNtVersionNumbersx&sz=sltp
The hostname resolves to 67.198.208 [.] 110:
Pinging setup.gohub.online [67.198.208.110] with 32 bytes of data:
Reply from 67.198.208.110: bytes=32 time=76ms TTL=51
Encrypted TCP traffic from the sandboxed machine shows the binary payload being retrieved:
It can be seen that the entire payload delivery and retrieval process is quite complex, especially considering that the purpose behind the campaign is to mine cryptocurrency:
What makes this miner unique is that it achieves persistence through a bootkit, as described in this article. The infected host's master boot record is modified so that the miner starts each time the operating system boots.
A complex attack for a simple payload
This attack is interesting in many ways: it uses different technologies in the exploit delivery and different packaging techniques for the payload. We believe it is concentrated in a few Asian countries. It also shows that threat actors have not completely abandoned exploit kits, despite a clear downward trend over the past few years.