![](/Article/UploadPic/2018-8/2018871743799.jpg?www.myhack58.com)
Foreword
Recently we came across an attack that used the Flash Player vulnerability CVE-2018-4878 in a way that differs from every exploit kit we currently know of. After investigation, we found that it belongs to a framework that the Chinese security company Qihoo 360 had already partially described at the end of 2017. Back then, the payload appeared to be an adware Trojan. This time, the payload is not a standard PE file; instead, it is a multi-stage custom executable format that also acts as a downloader, used to retrieve the Lua scripts of the Hidden Bee miner botnet. This may be the first known case of a bootkit being used to mine cryptocurrency.
Malvertising overview
The attacker uses adult-site advertising as the lure that draws victims to the phishing page. Based on the ads being served and our own data, we believe this campaign mainly targets users in Asian countries. A server claiming to be an online dating service contains a malicious iframe, which is responsible for exploiting and infecting users.
![](/Article/UploadPic/2018-8/2018871743829.png?www.myhack58.com)
![](/Article/UploadPic/2018-8/2018871743182.png?www.myhack58.com)
IE exploit
Here, the malicious code starts executing from an encrypted block embedded in the web page. The block is Base64-encoded and then encrypted with one of two algorithms, RC4 or Rabbit:
![](/Article/UploadPic/2018-8/2018871743257.png?www.myhack58.com)
After decryption, the block is executed. Below is the decoded version of the JavaScript that runs. In the script we can see that it generates a random session key and then encrypts it with the attacker's public RSA key:
![](/Article/UploadPic/2018-8/2018871743598.png?www.myhack58.com)
The encrypted key is passed to the next function, converted to JSON format, and sent in a POST request to a hard-coded URL:
![](/Article/UploadPic/2018-8/2018871743101.png?www.myhack58.com)
Looking at the traffic between the client and the server makes this clearer: the client sends the encrypted "key", and the server responds with the "value":
![](/Article/UploadPic/2018-8/2018871743454.png?www.myhack58.com)
Server-side
- The server decrypts the session key it received using the attacker's private RSA key.
- It encrypts the exploit payload with the chosen symmetric algorithm (Rabbit or RC4).
- It returns the encrypted content to the client. Because the client still holds the unencrypted key in memory, it can decrypt and execute the exploit. The original session key, however, cannot be recovered from the communication stream alone, so the exploit cannot be reproduced from a traffic capture. Fortunately, we captured the exploit successfully during dynamic analysis, and we found that the vulnerability the attacker exploits is CVE-2018-8174.
Flash exploit
This is a relatively new Flash vulnerability, CVE-2018-4878. The exploit for it was not yet part of the exploit kit when Qihoo 360 published its write-up, and it may have been added later to improve the kit's effectiveness. The shellcode embedded in the exploit is only a downloader for the next stage. After successful exploitation, it retrieves the payload from the following URL:
![](/Article/UploadPic/2018-8/2018871744139.png?www.myhack58.com)
The .wasm extension makes this file look like a WebAssembly module, but in fact it is something completely different.
As you can see, it loads the Cabinet.dll module used for decompressing cabinet files. In a later section we see the APIs and strings used to communicate over HTTP. We also found references to "dllhost.exe" and "bin/i386/core.sdb".
![](/Article/UploadPic/2018-8/2018871744180.png?www.myhack58.com)
It is easy to guess that this module downloads further components and runs them via dllhost.exe. Another string holds Base64-encoded content:
![](/Article/UploadPic/2018-8/2018871744342.png?www.myhack58.com)
Decoding it reveals more URLs:
http://103.35.72.223/git/wiki.asp?id=530475f52527a9ae1813d529653e9501
http://103.35.72.223/git/glfw.wasm
http://103.35.72.223/rt/lsv3i06rrmcu491c3tv82uf228.wasm
Looking at the traffic captured with Fiddler, we confirmed that the module does query these URLs:
![](/Article/UploadPic/2018-8/2018871744460.png?www.myhack58.com)
The requests come from dllhost.exe, which may mean that malicious code has been injected into that executable. The file glfw.wasm has nothing in common with WebAssembly. In fact, it is a Cabinet file whose packaged content has the internal path bin/i386/core.sdb. Looking inside, we find the same custom executable format, with DLL names such as:
![](/Article/UploadPic/2018-8/2018871744279.png?www.myhack58.com)
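A content-versus-extension check for the disguised .wasm files described above (the downloaded module and glfw.wasm), added here as an example rather than taken from the page: it classifies a buffer by its magic bytes and, when the file is really a Microsoft Cabinet, walks the CFFILE entries to list the packaged paths. The cabinet sample is constructed inline with only the header fields the parser reads, so it is not an extractable archive.

```javascript
// Classify a file that arrives with a .wasm extension by its magic bytes:
// "\0asm" is WebAssembly, "MSCF" is a Microsoft Cabinet.
function classifyByMagic(buf) {
  if (buf.length >= 4 && buf.readUInt32LE(0) === 0x6d736100) return "wasm";
  if (buf.length >= 4 && buf.toString("latin1", 0, 4) === "MSCF") return "cabinet";
  return "unknown";
}

// Walk the cabinet's CFFILE entries: CFHEADER field coffFiles (offset 16) is the
// offset of the first entry, cFiles (offset 28) the count; each entry has a
// 16-byte fixed part followed by a NUL-terminated file name.
function cabinetFileNames(buf) {
  if (classifyByMagic(buf) !== "cabinet" || buf.length < 36) return [];
  const cFiles = buf.readUInt16LE(28);
  const names = [];
  let off = buf.readUInt32LE(16);
  for (let i = 0; i < cFiles && off + 16 <= buf.length; i++) {
    const end = buf.indexOf(0, off + 16);
    if (end < 0) break;
    names.push(buf.toString("latin1", off + 16, end));
    off = end + 1;
  }
  return names;
}

// Constructed sample: a minimal cabinet with one CFFOLDER and one CFFILE and no
// CFDATA blocks, so it cannot be extracted, but the header fields read above are real.
function sampleCabinet(fileName) {
  const header = Buffer.alloc(36);
  header.write("MSCF", 0, "latin1");
  header.writeUInt32LE(36 + 8 + 16 + fileName.length + 1, 8); // cbCabinet
  header.writeUInt32LE(36 + 8, 16);                           // coffFiles
  header.writeUInt8(3, 24);                                   // versionMinor
  header.writeUInt8(1, 25);                                   // versionMajor
  header.writeUInt16LE(1, 26);                                // cFolders
  header.writeUInt16LE(1, 28);                                // cFiles
  const folder = Buffer.alloc(8);                             // CFFOLDER (all zero)
  const file = Buffer.alloc(16 + fileName.length + 1);
  file.writeUInt32LE(123, 0);                                 // cbFile (constructed)
  file.writeUInt16LE(0x20, 14);                               // attribs: archive
  file.write(fileName, 16, "latin1");
  return Buffer.concat([header, folder, file]);
}

// Genuine WebAssembly header (magic + version 1) for comparison.
const WASM_HEADER = Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
```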