Double-click me not: Malicious proxy settings in OLE Embedded Script
Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in Windows. Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. In our previous blog, Where’s the macro, we reviewed how attackers leverage social engineering to misuse the legitimate Office object linking and embedding (OLE) functionality to trick users into enabling and downloading malicious content.
We recently came across a threat that uses the same social engineering trick but delivers a different payload. Its primary purpose is to change a user’s browser Proxy Server setting, which could result in the theft of authentication credentials or other sensitive information. We detect this JScript malware as Trojan:JS/Certor.A.
What’s not unique is that the malware gets into the victim’s computer when the victim clicks the email attachment from a spam campaign.
Figure 1: The sample email shows how the threat pretends to be a document (.docx file) from a legitimate company.
Inside the .docx file is an OLE Embedded Object which runs a script when double-clicked. It tries to mask itself by changing its icon to something that resembles an invoice or receipt.
Figure 2: The file contains text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates to: “To see a receipt, click twice on the screen.”
Double-clicking the image runs the JScript that is disguised to appear as a harmless file.
Figure 3: The JS file typically has file names such as paypal_bestellung.js and post.ch_65481315.js.
But if the script were executed, it would proceed with its malicious objective, which is described in the remainder of this blog post.
What is in the script?
The JScript is obfuscated to hide its code and the other script it contains.
Figure 4: We detect this JScript malware as Trojan:JS/Certor.A
Upon deobfuscation, the main script code is revealed.
Figure 5: This is the script that is responsible for dropping, executing its components, and modifying registry keys related to the browser’s proxy settings.
The main JScript code contains encrypted PowerShell scripts and its own certificate. The certificate is later used to enable monitoring of HTTPS content and traffic.
Figure 6: The other script components are decrypted using the above function.
The following component files would be dropped in the temp folder and executed.
Figure 7: Sample component files dropped
The malware carries a certificate of its own (cert.der).
Figure 8: Sample certificate information from this malware
Figure 9: Sample certificate details
Figure 10: Further certificate details
The threat adds the cert.der file as a trusted certificate so it can monitor HTTPS content and traffic.
Figure 11: A screenshot of the sample certificate added by this threat
The ps.ps1 file is responsible for making sure the certificate is installed.
Figure 12: We detect this PowerShell code as Trojan:PowerShell/Certor.A
The psf.ps1 file is responsible for adding its certificate to Mozilla Firefox browser. This is necessary because Firefox uses its own certificate store instead of the one provided by the operating system.
Figure 13: Sample script that the threat used to add the certificate in Firefox
The pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. This is another malware technique to tamper with the browser’s Proxy Settings.
Figure 14: Sample script that the threat used to install the Tor client, task scheduler and proxifier
The main JScript changes the following registry key to modify Internet Explorer’s proxy settings.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: AutoConfigURL
With data: http://pysvonjm6a7idbkz.onion/rejtyahf.js?ip=<host ip address>
Figure 15: Screenshot of the registry entry that this threat changes
When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns.
Figure 16: Upon the script deobfuscation, the following readable function is revealed: function FindProxyForURL(url,host){return "DIRECT"}
At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness.
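The registry value and the certificate installation described above are the two indicators a defender can check on a suspect machine. The following PowerShell triage script is an added example written for this post, not code from the original article or from the malware; the registry path and value name come from the post, while the 30-day window for root certificates, the .onion check and the -Remediate switch are this example's own assumptions.

```powershell
# Added example (not from the original post): triage the proxy and certificate
# indicators left by Trojan:JS/Certor.A. Run in the context of the affected user.
[CmdletBinding()]
param(
    [switch]$Remediate,      # remove AutoConfigURL instead of only reporting it (assumption)
    [int]$RecentDays = 30    # look-back window for newly added root certificates (assumption)
)

$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings   = @()

# 1. PAC URL: the malware writes AutoConfigURL so the browser fetches an attacker-controlled PAC file.
$pac = Get-ItemProperty -Path $ieSettings -Name AutoConfigURL -ErrorAction SilentlyContinue
if ($pac -and $pac.AutoConfigURL) {
    $url = $pac.AutoConfigURL
    # A PAC URL not pushed by policy deserves review; a .onion host matches this threat directly.
    $severity = if ($url -match '\.onion\b') { 'HIGH' } else { 'REVIEW' }
    $findings += "[$severity] AutoConfigURL is set: $url"
    if ($Remediate) {
        Remove-ItemProperty -Path $ieSettings -Name AutoConfigURL
        $findings += '[FIXED] AutoConfigURL removed; restart the browser to drop the cached PAC'
    }
}

# 2. Manual proxy: the post also describes tampering with the explicit Proxy Server setting.
$proxy = Get-ItemProperty -Path $ieSettings -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    $findings += "[REVIEW] ProxyEnable=1, ProxyServer=$($proxy.ProxyServer)"
}

# 3. Root stores: a self-signed certificate added recently is what makes the interception
#    trusted. Heuristic only: legitimate roots are self-signed too, so the date window narrows it.
$since = (Get-Date).AddDays(-$RecentDays)
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -ge $since } |
        ForEach-Object {
            $findings += "[REVIEW] recent self-signed root in ${store}: $($_.Subject) (thumbprint $($_.Thumbprint))"
        }
}

if ($findings.Count -eq 0) { 'No proxy or certificate indicators found.' } else { $findings }
```

Any certificate the script reports should be compared against the organisation's known roots before it is removed, since the same heuristic will list a freshly deployed enterprise CA.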
Recommendations
To avoid attacks like the one we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognize and trust. For added defense-in-depth, you can reduce the risk from this threat by following the guidance in our previous blog post on how to adjust the registry settings to help prevent OLE Embedded Objects from executing altogether, or from running without your explicit permission.
Alden Pornasdoro and Vincent Tiu
MMPC