The infection is initiated when the initial scammer (in essence, the victim) opens a weaponized webpage (likely sent to them via livechat). A recent research paper on Electron security demonstrated a successful exploitation of an Electron-based application using CVE-2021-21220. In this scenario, it leveraged cross-site scripting (XSS) techniques to force the exploit to be rendered in a window without sandboxing. We found weaponized HTML pages created by Water Labbu that leverage the same Chromium vulnerability to attack the MeiQia application. The initial scammers used an old version of MeiQia, which might be vulnerable to exploits. Review of the code shows that old versions of MeiQia open external links inside their ElectronJS applications and render the web page without sandboxing.

The latest version of MeiQia is not vulnerable because it runs on a newer version of the Chromium core and also opens external links not inside the ElectronJS app but via the default system web browser. The weaponized HTML pages contain JavaScript that uses the User-Agent to identify whether the victim's environment is vulnerable. The script detects strings such as “electron” and “x64” to discover Electron-based applications and x64 architecture. It also detects the strings “0.0.8 Chrome/83,” “s/0.0.7,” or “s/0.0.6,” to identify whether it is running inside a vulnerable version of Chromium or the MeiQia application. If the User-Agent does not match, it will either redirect victims to the official MeiQia website or create a new iframe to load screenshots of banking or cryptocurrency transactions. It is likely that these are the lures Water Labbu used to communicate with the targeted cryptocurrency scam websites. When the weaponized HTML pages detect a vulnerable target, they proceed with loading additional stages of the attack. The last stage involves the creation and loading of a new script called “tongji.js,” which in Chinese means 痛擊 (to deliver a punishing attack). These files are hosted inside Water Labbu's code repository.

The “tongji.js” script is a JavaScript file containing CVE-2021-21220 exploit code, with a shellcode that is a Cobalt Strike stager. The Metasploit module for this vulnerability is publicly available. Water Labbu reuses the available code and obfuscates it with one or more layers of obfuscation (sojson.v4, v5) before executing the custom shellcode.