URL: https://www.malwarebytes.com/blog/news/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit
Exploits and vulnerabilities | News | Threats


‘HIDDEN BEE’ MINER DELIVERED VIA IMPROVED DRIVE-BY DOWNLOAD TOOLKIT

Posted: July 26, 2018 by Malwarebytes Labs

This blog post was authored by @hasherezade and Jérôme Segura.

We recently detected a drive-by download attack trying to exploit CVE-2018-4878,
a vulnerability in Flash Player, in a sequence that did not match any of the
exploit kit patterns we currently track. Upon investigation, we discovered
something that was new to us but is part of an existing exploitation framework
referenced in late 2017 by Chinese security firm Qihoo360. At the time, the
payload appeared to be a Trojan pushing adware. (Note: On July 26, our
colleagues from TrendMicro published a blog post calling it the Underminer
exploit kit.)

Since it was last documented, there have been changes to the exploits being
used, although the distribution method is similar. One interesting aspect that
we don’t see much of these days is the use of encryption to package exploits
on-the-fly, which requires a key from the backend server to decrypt and execute
them.

The payload served in this campaign is also out of the ordinary because it is
not a standard PE file. Instead, it is a multiple-stage custom executable
format, acting also as a downloader to retrieve LUA scripts used by the threat
actors behind the Hidden Bee miner botnet. This was perhaps the first case of a
bootkit being used to enslave machines mining cryptocurrencies.


CAMPAIGN OVERVIEW

The attackers are leveraging malvertising via adult sites to redirect their
victims to the exploit kit landing page. We believe this campaign is primarily
targeting Asian countries based on the ads that are served and our own telemetry
data. A server purporting to be an online dating service contains a malicious
iframe responsible for the exploitation and infection phases.


TRAFFIC PLAY-BY-PLAY

IE EXPLOIT

With a few exceptions, exploit kits typically obfuscate their landing page and
exploits. But here the threat actors go beyond by using encryption and requiring
a key exchange with the backend server in order to decrypt and execute the
exploit. In the past,

The execution of the malicious code starts from a webpage with an embedded
encrypted block. This block is Base64 encoded and encrypted with one of two
algorithms: RC4 or Rabbit.

After being decrypted, the block is executed. You can find the decoded version
of the JavaScript that is being run here. As you can see in the script, it
generates a random session key, then encrypts it with the attacker’s public RSA
key:

The encrypted key is passed on to the next function and converted into JSON
format to perform a POST request to the hardcoded URL:

This is what we can see if we look at the traffic between the client and the
server (the client sends the encrypted “key” and the server responds with the
“value”):

Server-side

 * With the attackers’ private RSA key, the server decrypts the passed session
   key.
 * It uses it to encrypt the exploit content with a chosen symmetric algorithm
   (Rabbit or RC4).
 * It returns the encrypted content back to the client.

Because the client still holds the unencrypted session key in memory, it is
able to decrypt and execute the exploit. Researchers who only have a traffic
capture, however, cannot retrieve the original session key, so replaying the
exploit is impossible. Thankfully, we managed to capture the exploit during
dynamic analysis.
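As an added illustration of the analyst step described above (not code from the original post), the following Python reconstructs the RC4 variant of the exchange: the server encrypting the content under the session key, and the decryption an analyst can perform once that session key has been recovered from the client's memory. The RSA wrapping of the session key and the Rabbit cipher are omitted; the session key and content are constructed sample values.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: one call encrypts, the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def server_value(session_key: bytes, content: bytes) -> str:
    """Server half as the post describes it: encrypt the content with the
    decrypted session key and return the JSON "value" seen on the wire."""
    return json.dumps({"value": base64.b64encode(rc4(session_key, content)).decode()})


def recover_content(captured_value: str, session_key: bytes) -> bytes:
    """Analyst half: decrypt a captured "value" with a session key taken
    from the client's memory. Without that key the capture alone is useless."""
    blob = base64.b64decode(json.loads(captured_value)["value"])
    return rc4(session_key, blob)


# Constructed sample values (not taken from the real campaign).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CONTENT = b"<script>/* stand-in for the encrypted exploit block */</script>"
CAPTURED = server_value(SESSION_KEY, CONTENT)   # what a pcap would contain

if __name__ == "__main__":
    print("wire:", CAPTURED)
    print("with in-memory key:", recover_content(CAPTURED, SESSION_KEY))
    print("with wrong key:", recover_content(CAPTURED, b"\x00" * 16))
```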

We believe that the decrypted exploit is CVE-2018-8174, as one of our test
machines patched against CVE-2016-0189 got exploited successfully.

FLASH EXPLOIT

This newer Flash exploit (CVE-2018-4878) was not part of the exploit toolkit at
the time Qihoo documented it, and seems to be a more recent addition to boost
its capabilities. The shellcode embedded in the exploit is a downloader for the
next stage.

Upon successful exploitation, it will retrieve its payload at the following URL:

This file, given the extension .wasm, pretends to be a WebAssembly module. In
fact, it is something entirely different, appearing to be a custom executable
format or a modified, header-less PE file.

It starts from the names of the DLLs that are going to be needed during the
execution:

As you can see, it loads Cabinet.dll, which is used for unpacking cabinet files.
In later sections, we saw the APIs and strings that are used for communication
over the HTTP protocol. We also found references to “dllhost.exe” and
“bin/i386/core.sdb”.

It is easy to guess that this module will download something and run it via
dllhost.exe.

Another interesting string is a Base64-encoded content:

The decoded content points to more URLs:

 * http://103.35.72.223/git/wiki.asp?id=530475f52527a9ae1813d529653e9501
 * http://103.35.72.223/git/glfw.wasm
 * http://103.35.72.223/rt/lsv3i06rrmcu491c3tv82uf228.wasm

Looking at the traffic captured by Fiddler, we found that, indeed, those URLs
are being queried:

The requests are coming from dllhost.exe, so that means the above executable was
injected there.

The file glfw.wasm has nothing in common with WebAssembly. It is, in fact, a
Cabinet file containing packed content under the internal path
bin/i386/core.sdb. Looking inside, we found the same custom executable format,
starting from DLL names:
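Checking whether a download that claims to be WebAssembly really is one is a cheap detection for both fake .wasm files above. The following Python is an added example, not the post's own tooling; its sample bytes are constructed (a real WebAssembly header, a minimal Cabinet CFHEADER, and a DLL-name table like the one the custom format starts with), and the URL is a placeholder.

```python
import re
import struct

# Magic values for the formats that matter in this campaign.
WASM_MAGIC = b"\x00asm"   # a real WebAssembly module: \0asm followed by a version
CAB_MAGIC = b"MSCF"       # a Microsoft Cabinet file (what glfw.wasm really is)
PE_MAGIC = b"MZ"          # an ordinary PE executable

# NUL-terminated ASCII DLL names, as found at the start of the custom format.
DLL_NAME_RE = re.compile(rb"[A-Za-z0-9_]{1,64}\.dll\x00", re.IGNORECASE)


def classify_wasm_download(data: bytes) -> dict:
    """Return what a file served with a .wasm extension really is."""
    if data[:4] == WASM_MAGIC and len(data) >= 8:
        version = struct.unpack_from("<I", data, 4)[0]
        return {"kind": "wasm", "version": version}
    if data[:4] == CAB_MAGIC and len(data) >= 36:
        # CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles,
        # reserved3, versionMinor, versionMajor, cFolders, cFiles, flags,
        # setID, iCabinet (36 bytes in total)
        fields = struct.unpack_from("<4sIIIIIBBHHHHH", data, 0)
        return {"kind": "cab", "size": fields[2], "files": fields[9]}
    if data[:2] == PE_MAGIC:
        return {"kind": "pe"}
    names = [m.group(0)[:-1].decode("ascii") for m in DLL_NAME_RE.finditer(data[:512])]
    if names:
        return {"kind": "dll-name-table", "dlls": names}
    return {"kind": "unknown"}


def flag_download(url: str, data: bytes):
    """Alert line for a .wasm URL whose body is not a WebAssembly module, else None."""
    if not url.lower().endswith(".wasm"):
        return None
    info = classify_wasm_download(data)
    if info["kind"] == "wasm":
        return None
    return f"{url}: .wasm extension but body is {info['kind']} {info}"


# Constructed samples (not the real files from the campaign).
REAL_WASM = b"\x00asm\x01\x00\x00\x00"
FAKE_CAB = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 1234, 0, 36, 0, 3, 1, 1, 1, 0, 0, 0)
FAKE_CUSTOM = b"Cabinet.dll\x00kernel32.dll\x00ntdll.dll\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in (("real.wasm", REAL_WASM), ("glfw.wasm", FAKE_CAB), ("x.wasm", FAKE_CUSTOM)):
        print(flag_download("http://placeholder.invalid/" + name, body))
```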

Then, HTTP traffic stops. This was another interesting aspect of this threat,
because the threat actors are perhaps trying to hide the traffic by pretending
to use the SLTP protocol to retrieve the actual payload, which can be seen in
the strings extracted from the Cabinet file inside of core.sdb:

INSTALL_SOURCE &sid=%u INSTALL_SID INSTALL_CID sltp://setup.gohub[.]online:1108/setup.bin?id=128 ntdll.dll ZwQueryInformationProcess VolumeNumber SCSIDISK os=%d&ar=%d kernel32.dll IsWow64Process RtlGetNtVersionNumbers %02x &sz= sltp

That hostname resolves to 67.198.208[.]110:

Pinging setup.gohub.online [67.198.208.110] with 32 bytes of data: Reply from 67.198.208.110: bytes=32 time=76ms TTL=51

Encrypted TCP network traffic from our sandboxed machine shows how the binary
payload is retrieved:

This whole exploitation and payload retrieval process is rather complex,
especially in light of the intended purpose behind this drive-by campaign.
Infected hosts are instructed to mine for cryptocurrencies:

What is unique about this miner is that it achieves persistence by using a
bootkit, as described here. Infected hosts will have their Master Boot Record
altered to start the miner every time the operating system boots.


A SOPHISTICATED ATTACK FOR A SIMPLE PAYLOAD

This attack is interesting on many levels for its use of different technologies
both in the exploit delivery part as well as how the payload is packaged.
According to our telemetry, we believe it is also focused on a select few Asian
countries, which makes sense when taking its payload into consideration.

It also shows that threat actors haven’t completely given up on exploit kits,
despite a noted downward trend over the last couple of years.


PROTECTION

Malwarebytes detects both the IE and Flash exploits, resulting in the infection
chain being stopped early on.




INDICATORS OF COMPROMISE

Injected dating site: 144.202.87[.]106

Exploit toolkit: 103.35.72[.]223
 * 52he3kf2g2rr6l5s1as2u0198k.wasm: 087FD1F1932CDC1949B6BBBD56C7689636DD47043C2F0B6002C9AFB979D0C1DD
 * glfw.wasm: CCD77AC6FE0C49B4F71552274764CCDDCBA9994DF33CC1240174BCAB11B52313

Payload URL and IP: setup.gohub[.]online:1108/setup.bin?id=128, 67.198.208[.]110

Miner Proxy: 133.130.101[.]254
