Double-click me not: Malicious proxy settings in OLE Embedded Script

Share this…

Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in Windows. Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. In our previous blog, Where’s the macro, we reviewed how attackers leverage social engineering to misuse the legitimate Office object linking and embedding (OLE) functionality to trick users into enabling and downloading malicious content.

We recently came across a threat that uses the same social engineering trick but delivers a different payload. Its primary purpose is to change a user’s browser Proxy Server setting which could result in the theft of authentication credentials or other sensitive information. We detect this JScript malware as Trojan:JS/Certor.A.

What’s not unique is that the malware gets into the victim’s computer when the victim clicks the email attachment from a spam campaign.

Sample email lures potential Certor victim shows as it pretends to be a document (.docx file) from a legitimate company

Figure 1: The sample email shows how the threat pretends to be a document (.docx file) from a legitimate company.

Inside the .docx file is an OLE Embedded Object which runs a script when double-clicked. It tries to mask itself by changing its icon to something that resembles an invoice or receipt.

The file contains text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates: “To see a receipt, click twice on the screen.”

Figure 2: The file contains text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates: “To see a receipt, click twice on the screen.”

Double-clicking the image runs the JScript that is disguised to appear as a harmless file.

The JS file typically has file names such as, paypal_bestellung.js and post.ch_65481315.js.

Figure 3: The JS file typically has file names such as, paypal_bestellung.js and post.ch_65481315.js.

But if the script was executed, it would proceed with its malicious objective which is described in the remainder of this blog post.

What is in the script?

The JScript is obfuscated to hide its code and the other script it contains.

A screnshot of the JScript malware that we detect as Trojan:JS/Certor.A

Figure 4: We detect this JScript malware as Trojan:JS/Certor.A

Upon deobfuscation, the main script code is revealed.

Screenshot of the script that is responsible for dropping, executing its components, and modifying registry keys related to the browser’s proxy settings.

Figure 5: This is the script that is responsible for dropping, executing its components, and modifying registry keys related to the browser’s proxy settings.

The main JScript code contains encrypted PowerShell scripts and its own certificate. The certificate is later used to enable monitoring of HTTPS content and traffic.

Screenshot of the other script components are decrypted using the above function.

Figure 6: The other script components are decrypted using the above function.

The following component files would be dropped in the temp folder and executed.

Screenshot of sample component files dropped.

Figure 7: Sample component files dropped

The malware carries a certificate of its own (cert.der).

Screenshot of the sample certificate information from this malware.

Figure 8: Sample certificate information from this malware

Screenshot of the sample certificate details

Figure 9: Sample certificate details

Screenshot of certificate details

Figure 10: Further certificate details

The threat adds the cert.der file as certificate so it can monitor HTTPS content and traffic.

certor11

Figure 11: A screenshot of the sample certificate added by this threat

The ps.ps1 file is responsible for making sure the certificate is installed.

Screenshot of the PowerShell code that we detect as Trojan:PowerShell/Certor.A

Figure 12: We detect these PowerShell code as Trojan:PowerShell/Certor.A

The psf.ps1 file is responsible for adding its certificate to Mozilla Firefox browser. This is necessary because Firefox uses its own certificate store instead of the one provided by the operating system.

Screenshot of a sample script that the threat used to add the certificate in Firefox.

Figure 13: Sample script that the threat used to add the certificate in Firefox

 

The pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. This is another malware technique to tamper with the browser’s Proxy Settings.

Screenshot of sample script that the threat used to install the Tor client, task scheduler and proxifier

Figure 14: Sample script that the threat used to install the Tor client, task scheduler and proxifier

The main JScript changes the following registry key to modify Internet Explorer’s proxy settings.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: AutoConfigURL
With data: https://pysvonjm6a7idbkz.onion/rejtyahf.js?ip=<host ip address>

Screenshot of the registry entry that this threat changes

Figure 15: Screenshot of the registry entry that this threat changes

When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns.

Screenshot of the function that is revealed upon the script deobfuscation: function FindProxyForURL(url,host){return"DIRECT"}

Figure 16: Upon the script deobfuscation, the following readable function is revealed: function FindProxyForURL(url,host){return”DIRECT”}

At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness.

Source:https://blogs.technet.microsoft.com