When a weaponized HTML page detects a vulnerable target, it proceeds to load additional stages of the attack.
The embedded shellcode can be either a Cobalt Strike stager or a complex batch command capable of stealing credentials and of downloading and running other scripts and files.
Regardless of whether the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations performed was largely the same:
1) Download and install Cobalt Strike
2) Steal cookies and other important files
3) Download and patch the MeiQia app
4) Download additional spying software
5) Provide information about the infection progress by communicating with the report-collecting server, among others
The Cobalt Strike stager is usually encrypted (XOR, AES), encoded (Base64, hexadecimal), and embedded into a Golang shellcode runner to make payload detection more difficult. The malware operator was likely inspired by this blog post.
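The layering described above (a text encoding such as hexadecimal or Base64 wrapped around an XOR-obscured blob) is something an analyst has to peel back before the embedded payload can be matched against signatures. The following Python is an added triage example, not code from the original article or from the campaign: it recognises the outer text layer by its character set, then brute-forces a single-byte XOR key using a known-plaintext marker (here the `http` of an embedded C2 URL, which a stager has to carry somewhere). The sample blob, the marker string and the key `0x5A` are constructed for the demo; the decoded "stager" is a placeholder, not real shellcode. AES-wrapped variants need the key material recovered from the runner and are out of scope here.

```python
import base64
import binascii
import re

# Constructed sample: a fake "stager" blob assembled right here for the demo.
# The plaintext is NOT a real stager; it only carries the kind of marker
# (an http:// URL) that a real one would contain.
_PLAINTEXT = b"\x90\x90demo-stager\x00http://example.invalid/payload\x00"
_KEY = 0x5A                                  # constructed single-byte XOR key
_XORED = bytes(b ^ _KEY for b in _PLAINTEXT)
SAMPLE_HEX = binascii.hexlify(_XORED).decode()        # hex-wrapped variant
SAMPLE_B64 = base64.b64encode(_XORED).decode()        # Base64-wrapped variant

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_text_layer(blob: str):
    """Peel one text-encoding layer (hex or Base64) by charset.
    Returns (layer_name, raw_bytes) or None when the blob is neither."""
    s = "".join(blob.split())          # tolerate line wrapping in the sample
    if len(s) % 2 == 0 and _HEX_RE.match(s):
        return "hex", binascii.unhexlify(s)
    if len(s) % 4 == 0 and _B64_RE.match(s):
        return "base64", base64.b64decode(s, validate=True)
    return None


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes, needle: bytes):
    """Known-plaintext search: try every single-byte key and return the one
    under which `needle` appears in the decoded output, else None."""
    for key in range(256):
        if needle in xor_single_byte(data, key):
            return key
    return None


def unwrap(blob: str, needle: bytes = b"http"):
    """Peel hex/Base64, then recover a single-byte XOR key with `needle` as the
    known plaintext. Returns a dict describing the layers found, or None."""
    layer = decode_text_layer(blob)
    if layer is None:
        return None
    name, raw = layer
    if needle in raw:                  # no XOR layer at all
        return {"encoding": name, "xor_key": None, "plaintext": raw}
    key = find_xor_key(raw, needle)
    if key is None:
        return None
    return {"encoding": name, "xor_key": key, "plaintext": xor_single_byte(raw, key)}


def extract_urls(data: bytes):
    """Pull http(s) URLs out of recovered plaintext so they can be blocked or hunted."""
    return [m.decode(errors="replace") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_B64):
        result = unwrap(sample)
        print(result["encoding"], hex(result["xor_key"]), extract_urls(result["plaintext"]))
```

The charset test is only a heuristic: a short Base64 string made entirely of hex digits would be misread as hex, so on real samples try both decodings when the first one yields nothing. Multi-byte XOR keys and AES need a different approach (key recovery from the runner binary), which is where the Golang wrapper earns its keep for the attacker.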
The script attempts to steal *.txt files from “\desktop\” and “\Telegram Desktop\”, and MeiQia cookies from “\AppData\Roaming\com.meiqia.windows\cookies”. These files are included in a specially crafted .html file and submitted to the information-collecting server with the help of headless Chrome (without visible UI) or Internet Explorer (if submission with Chrome fails). The specially crafted .html file contains one form, one text input field holding the computer name, and one text area holding the stolen content. After the timeout expires, the script automatically submits the content to a typosquatting domain.
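From a detection standpoint, the exfiltration path above leaves two correlatable traces on the endpoint: reads of the harvested locations (Desktop and Telegram Desktop *.txt files, the MeiQia cookie store) and, shortly afterwards, a browser launched by a script host against a local .html file, with Chrome in `--headless` mode or Internet Explorer as the fallback. The Python below is an added detection example, not code from the original article or from any vendor product. It runs a small correlation rule over constructed telemetry in a Sysmon-like shape: the field names, hosts, users, PIDs, timestamps and the MeiQia client install path are all my own placeholders, not values from the campaign.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (Sysmon-like shape). Every value here is a placeholder.
SAMPLE_EVENTS = [
    {"ts": "2021-09-01T10:00:01", "host": "WS01", "type": "file_read", "pid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Roaming\com.meiqia.windows\cookies"},
    {"ts": "2021-09-01T10:00:02", "host": "WS01", "type": "file_read", "pid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\Desktop\notes.txt"},
    {"ts": "2021-09-01T10:00:05", "host": "WS01", "type": "process", "pid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu file:///C:/Users/alice/AppData/Local/Temp/report.html'},
    {"ts": "2021-09-01T10:00:09", "host": "WS01", "type": "process", "pid": 4210,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\alice\AppData\Local\Temp\report.html'},
    # Benign: the MeiQia client (placeholder path) reading its own cookie store.
    {"ts": "2021-09-01T11:30:00", "host": "WS02", "type": "file_read", "pid": 1500,
     "image": r"C:\Users\bob\AppData\Local\Programs\MeiQia\MeiQia.exe",
     "path": r"C:\Users\bob\AppData\Roaming\com.meiqia.windows\cookies"},
    # Benign: a developer screenshotting a local page with headless Chrome, no prior harvesting.
    {"ts": "2021-09-01T12:00:00", "host": "WS03", "type": "process", "pid": 777,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --screenshot file:///C:/dev/site/index.html'},
]

# The locations the article says are harvested.
SENSITIVE_PATHS = [
    re.compile(r"\\desktop\\[^\\]+\.txt$", re.I),
    re.compile(r"\\telegram desktop\\[^\\]+\.txt$", re.I),
    re.compile(r"\\appdata\\roaming\\com\.meiqia\.windows\\cookies", re.I),
]
LOCAL_HTML = re.compile(r'(?:file:///|[A-Za-z]:\\)[^\s"]+\.html?\b', re.I)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_sensitive_read(ev) -> bool:
    """Weak signal: a harvested path read by something other than the owning app."""
    if ev["type"] != "file_read":
        return False
    if not any(p.search(ev["path"]) for p in SENSITIVE_PATHS):
        return False
    return "meiqia" not in basename(ev["image"])


def browser_local_html(ev):
    """Weak signal: a browser pointed at a local HTML file. Chrome must be headless;
    IE has no headless mode, so any local-file launch counts. Returns the browser or None."""
    if ev["type"] != "process" or not LOCAL_HTML.search(ev["cmdline"]):
        return None
    name = basename(ev["image"])
    if name == "chrome.exe" and "--headless" in ev["cmdline"]:
        return "chrome"
    if name == "iexplore.exe":
        return "iexplore"
    return None


def detect(events, window=timedelta(minutes=10), threshold=2):
    """Correlate per host: browser-on-local-HTML (+1), launched by a script host (+1),
    preceded within `window` by sensitive reads (+2). Alert at or above `threshold`."""
    reads = {}      # host -> timestamps of sensitive reads seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_sensitive_read(ev):
            reads.setdefault(ev["host"], []).append(ts)
            continue
        browser = browser_local_html(ev)
        if browser is None:
            continue
        score, reasons = 1, [f"{browser} launched on a local .html file"]
        if basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
            score, reasons = score + 1, reasons + ["launched by a script host"]
        prior = [r for r in reads.get(ev["host"], []) if timedelta(0) <= ts - r <= window]
        if prior:
            score, reasons = score + 2, reasons + [f"{len(prior)} sensitive read(s) within {window}"]
        if score >= threshold:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "browser": browser,
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately additive rather than a single exact match: the developer on WS03 and the MeiQia client on WS02 each trip one weak signal and stay under the threshold, while the script-host-spawned browser on WS01 that follows cookie and *.txt reads scores on all three. In production the file-read signal should come from a file-access audit or EDR source rather than process creation alone, and the typosquatting destination can be added as a fourth signal from DNS or proxy logs once it is known.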