{"id":12920,"date":"2018-07-26T14:10:05","date_gmt":"2018-07-26T22:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/07\/26\/news-6687\/"},"modified":"2018-07-26T14:10:05","modified_gmt":"2018-07-26T22:10:05","slug":"news-6687","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/07\/26\/news-6687\/","title":{"rendered":"‘Hidden Bee’ miner delivered via improved drive-by download toolkit"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 26 Jul 2018 21:00:22 +0000<\/strong><\/p>\n

This blog post was authored by\u00a0@hasherezade<\/a>\u00a0and\u00a0J\u00e9r\u00f4me Segura<\/a>.<\/em><\/p>\n

We recently detected a drive-by a download attempt trying to exploit CVE-2018-4878<\/a>, a vulnerability in Flash Player, in a sequence that was not matching any of the exploit kit patterns that we currently track. Upon investigation, we discovered something that was new to us, but is part of an existing exploitation framework<\/a> discovered in late 2017 by Qihoo360. At the time, the payload\u00a0 appeared to be a Trojan pushing adware. (Note: On July 26, our colleagues from\u00a0TrendMicro published a blog post<\/a> calling it the Underminer exploit kit<\/em>).<\/p>\n

Since it was last documented, there have been changes to the exploits being used, although the distribution method is similar. One interesting aspect that we don’t see much of these days is the use of encryption to package exploits on-the-fly, which requires a key from the backend server to decrypt and execute them.<\/p>\n

The payload served in this campaign is also out of the ordinary because it is not a standard PE file. Instead, it is a multiple-stage custom executable format, acting also as a downloader to retrieve LUA scripts used by the threat actors behind the\u00a0Hidden Bee<\/a>\u00a0miner botnet. This was perhaps the first case of a bootkit being used to enslave machines mining cryptocurrencies.<\/p>\n

Campaign overview<\/h3>\n

The attackers are leveraging malvertising via adult sites to redirect their victims to the exploit kit landing page. We believe this campaign is primarily targeting Asian countries based on the ads that are served and our own telemetry data. A server purporting to be an online dating service contains a malicious iframe responsible for the exploitation and infection phases.<\/p>\n

\"\"<\/p>\n

Traffic play-by-play<\/h3>\n

\"\"<\/a><\/p>\n

IE exploit<\/h4>\n

With a few exceptions, exploit kits typically obfuscate their landing page and exploits. But here the threat actors go beyond by using encryption and requiring a key exchange with the backend server in order to decrypt and execute the exploit. In the past, Angler<\/a>, Nuclear<\/a> and Astrum<\/a> exploit kits have abused the Diffie-Hellman<\/a> key exchange protocol in similar ways to prevents analysts from replaying malicious traffic.<\/p>\n

The execution of the malicious code starts from a webpage with an embedded encrypted block. This block is Base64 encoded and encrypted with one of two algorithms: RC4<\/a> or Rabbit<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

After being decrypted, the block is executed. You can find the decoded version of the Java Script that is being run here<\/a>. As you can see in the script, it generates a random session key, then encrypts it with the attacker’s public RSA key:<\/p>\n

\"\"<\/a><\/p>\n

The encrypted key is being passed onto the next function and converted into JSON format to perform a POST request to the hardcoded URL:<\/p>\n

\"\"<\/a><\/p>\n

This is what we can see if we look at the traffic between the client and the server (the client sends the encrypted “key” and the server responds with the “value”):<\/p>\n

\"\"<\/a><\/p>\n

Server-side<\/strong><\/p>\n