Double-click me not: Malicious proxy settings in OLE Embedded Script

Attackers have been using social engineering to avoid the increasing cost of exploitation that results from the significant hardening and exploit-mitigation investments in Windows. Tricking a user into running a malicious file can be cheaper for an attacker than building an exploit that works on Windows 10. In our previous blog, Where's the macro, we reviewed how attackers use social engineering to misuse the legitimate Office object linking and embedding (OLE) functionality to trick users into enabling and downloading malicious content.

We recently came across a threat that uses the same social engineering trick but delivers a different payload. Its primary purpose is to change the user's browser Proxy Server setting, which could result in the theft of authentication credentials or other sensitive information. We detect this JScript malware as Trojan:JS/Certor.A.

What’s not unique is that the malware gets into the victim’s computer when the victim clicks the email attachment from a spam campaign.

Figure 1: The sample email shows how the threat pretends to be a document (.docx file) from a legitimate company.

Inside the .docx file is an OLE Embedded Object which runs a script when double-clicked. It tries to mask itself by changing its icon to something that resembles an invoice or receipt.

Figure 2: The file contains text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates: "To see a receipt, click twice on the screen."

Double-clicking the image runs the JScript that is disguised to appear as a harmless file.

Figure 3: The JS file typically has file names such as paypal_bestellung.js and post.ch_65481315.js.

If the script is executed, it proceeds with its malicious objective, which is described in the remainder of this blog post.

What is in the script?

The JScript is obfuscated to hide its code and the other script it contains.

Figure 4: We detect this JScript malware as Trojan:JS/Certor.A

Upon deobfuscation, the main script code is revealed.

Figure 5: This is the script that is responsible for dropping and executing its components, and for modifying registry keys related to the browser's proxy settings.

The main JScript code contains encrypted PowerShell scripts and its own certificate. The certificate is later used to enable monitoring of HTTPS content and traffic.

Figure 6: The other script components are decrypted using the above function.

The following component files would be dropped in the temp folder and executed.

Figure 7: Sample component files dropped

The malware carries a certificate of its own (cert.der).

Figure 8: Sample certificate information from this malware

Figure 9: Sample certificate details

Figure 10: Further certificate details

The threat installs the cert.der file as a trusted certificate so that it can monitor HTTPS content and traffic.

Figure 11: A screenshot of the sample certificate added by this threat

The ps.ps1 file is responsible for making sure the certificate is installed.

Figure 12: We detect this PowerShell code as Trojan:PowerShell/Certor.A
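A user-level script such as ps.ps1 can place a certificate in the current user's Root store without administrator rights, so one defensive check is to list root certificates that exist only there and not in the machine store. This is an added example and not code from the post; the 30-day "recently issued" threshold and the -Remove switch are assumptions for illustration.

```powershell
# Added example (not from the original post): audit CurrentUser\Root for
# certificates that the machine-wide store does not contain.
function Get-UserOnlyRootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed threshold: a root that became valid this recently is worth a look.
        [int]$RecentDays = 30,
        # Remove the flagged certificates (honours -WhatIf / -Confirm).
        [switch]$Remove
    )

    $machineThumbprints = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    # Anything in the per-user Root store that the machine store lacks was
    # added for this user only, which is where Certor's ps.ps1 operates.
    $userOnly = Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $machineThumbprints -notcontains $_.Thumbprint }

    foreach ($cert in $userOnly) {
        $flags = @('user-store-only')
        if ($cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) {
            $flags += 'recently-issued'
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Flags      = ($flags -join ',')
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, 'Remove from CurrentUser\Root')) {
            Remove-Item -Path ("Cert:\CurrentUser\Root\" + $cert.Thumbprint)
        }
    }
}

# Report only; add -Remove -WhatIf to preview removal.
Get-UserOnlyRootCertificate | Format-Table -AutoSize
```

Per-user roots are legitimate in some environments (developer tooling, corporate enrolment), so compare the list against what you expect before removing anything.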

The psf.ps1 file is responsible for adding its certificate to Mozilla Firefox browser. This is necessary because Firefox uses its own certificate store instead of the one provided by the operating system.

Figure 13: Sample script that the threat used to add the certificate in Firefox

The pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. This is another malware technique to tamper with the browser’s Proxy Settings.

Figure 14: Sample script that the threat used to install the Tor client, task scheduler and proxifier

The main JScript changes the following registry key to modify Internet Explorer’s proxy settings.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: AutoConfigURL
With data: http://pysvonjm6a7idbkz.onion/rejtyahf.js?ip=<host ip address>

Figure 15: Screenshot of the registry entry that this threat changes
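The AutoConfigURL value above is the single setting that hands every WinINET-based browser a script deciding which proxy to use, so it is a cheap thing to audit on a suspect host. This added example (not code from the post) reads the same Internet Settings key and flags a PAC URL that points at a .onion host, at a host outside private address space, or that carries a query string like the ?ip= parameter seen here; the private-range regex is an assumption for illustration.

```powershell
# Added example (not from the original post): inspect the per-user proxy
# settings that Certor modifies and return a list of findings.
function Get-UserProxyFinding {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty -Path $key
    $findings = @()

    # Assumed: anything not in loopback or RFC 1918 space counts as external.
    $privateHost = '^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

    $pac = $props.AutoConfigURL        # $null when the value does not exist
    if ($pac) {
        $uri = $null
        if ([System.Uri]::TryCreate($pac, [System.UriKind]::Absolute, [ref]$uri)) {
            if ($uri.Host -like '*.onion') {
                $findings += "AutoConfigURL points to a Tor hidden service: $pac"
            } elseif ($uri.Host -notmatch $privateHost) {
                $findings += "AutoConfigURL is served from a host outside private space: $pac"
            }
            # Certor appends the victim's IP as ?ip=...; a PAC URL normally has no query.
            if ($uri.Query) {
                $findings += "AutoConfigURL carries a query string: $($uri.Query)"
            }
        } else {
            $findings += "AutoConfigURL is not a valid absolute URL: $pac"
        }
    }

    if ($props.ProxyEnable -eq 1) {
        $findings += "Static proxy is enabled: $($props.ProxyServer)"
    }

    return $findings
}

$result = Get-UserProxyFinding
if ($result.Count -eq 0) {
    'No proxy auto-config or static proxy set for the current user.'
} else {
    $result
}
```

Run it under the affected user account, since the key lives in HKCU and an administrator's own hive will not show the victim's settings.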

When the URL is invoked, the following script code is returned. This code suggests that it redirects URLs to a specific proxy, which may lead to websites hosting phishing and ad campaigns.

Figure 16: Upon script deobfuscation, the following readable function is revealed: function FindProxyForURL(url,host){return "DIRECT"}

At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information or web credentials could be stolen remotely, without the user's awareness.

Recommendations

To avoid attacks like the one we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognize and trust. For added defense in depth, you can reduce the risk from this threat by following the guidance in our previous blog post on how to adjust the registry settings to help prevent OLE Embedded Objects from executing altogether, or from running without your explicit permission.

Alden Pornasdoro and Vincent Tiu

MMPC
