CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.6 High
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%
![](/Article/UploadPic/2018-8/2018871743799.jpg?www.myhack58.com)
Preface
We recently came across an attempt to exploit the Flash Player vulnerability CVE-2018-4878 whose exploitation sequence differs from every exploitation tool we have seen so far. On investigation, we found that it is built on a framework partly developed from existing work that the Chinese security company Qihoo 360 referenced at the end of 2017. At that time the payload appeared to be an adware Trojan distributed for promotion purposes. This time, however, the payload is not a standard PE file. Instead it looks more like a multi-stage executable format that also acts as a downloader, used to retrieve the hidden Bee miner botnet by means of a Lua script. This may be the first case of a bootkit used for mining cryptocurrency.
Malvertising overview
The attacker uses enticing adult-site advertisements to draw victims to the phishing page. Based on the ads and the data we have, we believe this ad campaign mainly targets users in Asian countries and regions. The ads claim to be an online dating service whose server contains a malicious iframe, which is responsible for exploitation and infecting users.
![](/Article/UploadPic/2018-8/2018871743829.png?www.myhack58.com)
![](/Article/UploadPic/2018-8/2018871743182.png?www.myhack58.com)
IE exploit
Here the malicious code starts execution from an encrypted block embedded in the web page. The block is protected with Base64 encoding and one of two algorithms, RC4 or Rabbit, for encryption:
![](/Article/UploadPic/2018-8/2018871743257.png?www.myhack58.com)
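An analyst looking at such a page needs to peel the Base64 and stream-cipher layers off the embedded block before the real script can be read. The following is an added analysis helper, not code from the original post or from the malware: it implements plain RC4 (the Rabbit variant would need its own implementation swapped into the same place), unwraps a Base64 + RC4 block, and tries a list of candidate keys until the output looks like JavaScript. The key, the script text and the blob are constructed here for the example; in a real case the key is whatever the loader on the page passes to its decrypt routine.

```python
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). XOR with the keystream, so encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_block(blob_b64: str, key: bytes) -> str:
    """Reverse the two layers seen on the page: Base64, then RC4."""
    raw = base64.b64decode(blob_b64)
    return rc4(key, raw).decode("utf-8", errors="replace")


_JS_TOKEN = re.compile(r"\b(function|var|let|eval|document|window)\b")


def looks_like_script(text: str) -> bool:
    """Cheap plausibility check: mostly printable and contains JS keywords.
    A wrong RC4 key yields near-random bytes, which fail both tests."""
    if not text:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / len(text)
    return printable > 0.95 and _JS_TOKEN.search(text) is not None


def recover_script(blob_b64: str, candidate_keys):
    """Try each candidate key; return (key, script) for the first readable result,
    or None when no candidate produces something that looks like JavaScript."""
    for key in candidate_keys:
        text = decode_block(blob_b64, key)
        if looks_like_script(text):
            return key, text
    return None


# --- constructed sample (not from the real page) -----------------------------
SAMPLE_KEY = b"constructed-key-1"            # hypothetical loader key
SAMPLE_SCRIPT = (
    "var sessionKey = Math.random().toString(36).slice(2);\n"
    "function send(k) { /* constructed stand-in for the POST step */ }\n"
)
# Build the blob the same way the loader would: RC4 then Base64.
SAMPLE_BLOB = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_SCRIPT.encode())).decode()


if __name__ == "__main__":
    hit = recover_script(SAMPLE_BLOB, [b"wrong-guess", SAMPLE_KEY])
    if hit:
        print("key:", hit[0].decode())
        print(hit[1])
```

The `rc4` routine is checked against the standard published test vector (key `Key`, plaintext `Plaintext`), so if a page's block does not decode with the key taken from the loader, the cipher variant (Rabbit) or a key transformation in the loader is the next thing to look at, not the RC4 code.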
After decryption, the block is executed. Here a decoded version of the running JavaScript can be seen. In the script we can observe that it generates a random session key and then encrypts it with the attacker's public RSA key:
![](/Article/UploadPic/2018-8/2018871743598.png?www.myhack58.com)
The encrypted key is passed to the next function, converted to JSON format, and sent in a POST request to a hard-coded URL:
![](/Article/UploadPic/2018-8/2018871743101.png?www.myhack58.com)
Looking at the traffic between the client and the server, the client sends the encrypted "key" and the server responds with a "value"; this is seen more clearly here:
![](/Article/UploadPic/2018-8/2018871743454.png?www.myhack58.com)
Server-side