Crooks have long used malicious Microsoft Office files to infect victims' PCs with various kinds of malware. Now, however, attackers have started using Office documents for a different purpose: to install a proxy that spies on HTTPS traffic.
As Microsoft explains, this new attack tactic abuses legitimate Office object linking and embedding (OLE) functionality to trick victims into downloading malicious content onto their machines. The technique of using Office's OLE to hide malicious code is not new, and Microsoft has already documented exactly how the process works. What is new in this case is the final payload.
Alden Pornasdoro and Vincent Tiu from the Microsoft Malware Protection Center explain what the crooks' intentions with this attack are. The end goal is to change the browser proxy server settings on the victim's computer, which gives the attackers access to login credentials and other valuable data.
The JScript malware, detected as Trojan:JS/Certor.A, reaches its target via malicious spam messages with attached Office documents. The attached file, named “.docx”, contains an OLE embedded object that is launched when double-clicked. The script disguises itself by changing its icon to something that looks harmless, such as a receipt or an invoice, and it is obfuscated to hide its code.
Microsoft explains that de-obfuscation reveals that the script contains encrypted PowerShell scripts and its own certificate, which is later used to enable monitoring of HTTPS content and traffic. When the victim double-clicks the script, it drops several files into the %Temp% folder and executes them.
A “cert.der” file is added as the certificate used to monitor traffic, and a “ps.ps1” file verifies that the certificate has been properly installed on the infected computer. Another file, “psf.ps1”, is responsible for adding the certificate to the Mozilla Firefox browser, because Firefox has its own certificate store instead of using the one provided by the OS. Lastly, a “pstp.ps1” file installs the Tor client, task scheduler and proxifier, which are also needed to alter the browser's proxy settings.
Microsoft explains that, in order to change Internet Explorer's proxy settings, the JScript modifies a specific registry value: in the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the malware sets the value AutoConfigURL to the data http://pysvonjm6a7idbkz(.)onion/rejtyahf.js?ip=.
“When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns. At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness.” – Microsoft’s researchers say.
For better protection, users are strongly advised not to open emails and attachments from unknown or suspicious senders. Admins can also modify a registry key to prevent OLE packages from executing. The registry key HKCU\Software\Microsoft\Office\\\Security\PackagerPrompt should be set to 2, which disables packages.
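The two registry settings discussed above, the AutoConfigURL value that Certor.A sets and the PackagerPrompt hardening value, can be checked with a short audit script. The following is an added example written for this article, not code from Microsoft or from the malware; the sample values it inspects are constructed placeholders, and the live registry read is only attempted on Windows.

```python
"""Audit the WinINET AutoConfigURL (PAC) value and the Office
PackagerPrompt setting named in the write-up. Added example; the
sample values below are constructed, not real indicators."""
import sys
from typing import List, Optional
from urllib.parse import urlsplit

# Subkey under HKCU that the article says Certor.A modifies.
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PACKAGER_DISABLED = 2  # PackagerPrompt data that disables OLE packages


def assess_pac_url(pac: Optional[str]) -> List[str]:
    """Return findings for an AutoConfigURL value; an empty list means nothing flagged."""
    if not pac:
        return []
    parts = urlsplit(pac.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if host.endswith(".onion"):
        findings.append("PAC served from a Tor hidden service")
    if parts.scheme == "http":
        findings.append("PAC fetched over plain HTTP")
    if "ip=" in parts.query:
        findings.append("PAC URL carries an ip= query parameter")
    return findings


def packager_disabled(prompt_value: Optional[int]) -> bool:
    """True only when PackagerPrompt is 2, the setting the article recommends."""
    return prompt_value == PACKAGER_DISABLED


def read_live_pac_url() -> Optional[str]:
    """Read AutoConfigURL from HKCU on Windows; None elsewhere or when unset."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
            return winreg.QueryValueEx(key, "AutoConfigURL")[0]
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample resembling the infected state described above.
    sample_pac = "http://exampleonionaddress.onion/proxy.js?ip="
    for finding in assess_pac_url(sample_pac):
        print("finding:", finding)
    print("OLE packages disabled:", packager_disabled(0))
    live = read_live_pac_url()
    if live:
        print("live AutoConfigURL findings:", assess_pac_url(live))
```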