The Hidden Bee cryptominer is being delivered to users via an improved drive-by download toolkit which exploits the CVE-2018-4878 Flash Player vulnerability.
The Flash bug is a critical vulnerability that can potentially allow an attacker to take control of the affected system and exists in Adobe Flash Player version 28.0.0.137 and earlier.
The attack is part of an existing exploitation framework spotted by the Chinese security firm Qihoo360 in 2017 and was recently seen using a newer Flash exploit by Malwarebytes researchers, according to a July 26 blog post.
“This newer Flash exploit (CVE-2018-4878) was not part of the exploit toolkit at the time Qihoo documented it, and seems to be a more recent addition to boost its capabilities,” researchers said in the post. “The shellcode embedded in the exploit is a downloader for the next stage.”
The attacks are spread via malvertising on adult sites that redirect victims to the exploit kit page and based on the ads served and their own telemetry data, researchers believe the campaign is primarily targeting Asian countries.
Researchers noted the threat actors going above and beyond just the use of encryption to obfuscate their landing page and exploits by requiring a key exchange with the backend server in order to decrypt and execute the exploit.
Researchers noted one interesting aspect of the attack which is the use of encryption to package exploits on-the-fly, which requires a key from the backend server to decrypt and execute.
“With a few exceptions, exploit kits typically obfuscate their landing page and exploits,” researchers said in the post. “But here the threat actors go beyond by using encryption and requiring a key exchange with the backend server in order to decrypt and execute the exploit.”
Researchers noted that in the past, Angler, Nuclear and Astrum exploit kits abused the Diffie-Hellman key exchange protocol in similar ways to prevent analysts from replaying malicious traffic.
