JavaScript Uses Aggressive Persistence Functions

Security researchers have found a malicious script that uses aggressive tactics to hijack web browsers and prevent users from removing it from infected computers.

The threat doesn’t appear to be new, but the security researchers from Kahu Security say that the aggressive tactics that the latest version employs haven’t been seen before. What’s more, the script’s author(s) heavily obfuscated it to hinder analysis, they explain.

The script contains numerous variables and functions but no whitespace, which makes it difficult for analysts to tell them apart. Moreover, the JavaScript uses encoded characters, regex search/replace operations, unusual base conversions, and conditional statements in an effort to hide its malicious intent.

To ensure persistence on the infected machine, the script makes a copy of wscript.exe (the Windows Script Host), gives it a random name, and saves it to a new folder under the user’s AppData\Roaming (%APPDATA%) directory. The malicious code also makes a copy of itself and uses the newly created copy of wscript.exe, rather than the one in System32, to run the script.

The security researchers also observed that the script sets specific registry keys to hide the folder, and then creates a shortcut to it in the startup folder. Dubbed “Start,” the shortcut was designed to trick users into running the script. It is also meant to ensure that the script runs each time Windows starts.

Moreover, the script checks whether it can reach Microsoft, Google, or Bing (an Internet-connectivity check) and then sends data about the infected computer to urchintelemetry[.]com and downloads an encrypted file from 95.153.31[.]22. This file is a script meant to change the start page in Internet Explorer, Firefox, and Chrome to login.hhtxnet[.]com.

When the user launches a browser, they are redirected to portalne[.]ws, researchers say, adding that the script’s command and control (C&C) website looks broken when visited, but that it delivers a response if a correct POST request is made. The response, however, is hidden in the body tag and not visible to the user.

The malware also abuses Windows Management Instrumentation (WMI) to watch for security software that could interfere with it. If specific programs are started, the script terminates their processes in an unusual way, displaying a message meant to fool the user into thinking the program is not working.

To further ensure persistence, if the user terminates the WScript process running the script, the script executes a command that shuts the computer down immediately. To remove it, users have to restart in Safe Mode or log into another account, then delete the startup shortcut and the folder under AppData\Roaming. Security researchers interested in analyzing the script while it’s running are advised to rename their security tool to something benign, since the process-killing logic matches on program names.
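The persistence chain described above (a renamed wscript.exe under AppData\Roaming, a hidden folder, a Startup shortcut pointing at the copy, and a live process running from it) can be hunted for before the manual cleanup. The PowerShell below is an added example written for this page; it is not code from Kahu Security’s report or from the malware itself. The function names Find-RenamedScriptHost and Test-ScriptHostCopy are this example’s own, the Explorer registry values it reads are assumed to be the ones the article refers to when it says the folder is hidden via the registry, and the check on the folder’s Hidden attribute is likewise an assumption. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt so that other users’ processes and the all-users Startup folder are visible.

```powershell
# Added example, not the article's or the malware's code: hunt for a renamed copy of
# wscript.exe that lives under %APPDATA% and is launched from a Startup shortcut.
# Only reports findings; it never kills the process, because the article says killing
# the WScript process triggers an immediate shutdown. Clean up from Safe Mode instead.
function Find-RenamedScriptHost {
    # Hashes of the legitimate script hosts; a byte-identical file elsewhere is suspect.
    $legit = @("$env:SystemRoot\System32\wscript.exe", "$env:SystemRoot\SysWOW64\wscript.exe") |
        Where-Object { Test-Path -LiteralPath $_ }
    $knownHashes = $legit | ForEach-Object { (Get-FileHash -Algorithm SHA256 -LiteralPath $_).Hash }

    $roaming = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA% = AppData\Roaming
    $shell   = New-Object -ComObject WScript.Shell                 # used to resolve .lnk targets

    # True when $Path is under %APPDATA% and is wscript.exe by hash or by PE version info.
    function Test-ScriptHostCopy([string]$Path) {
        if ([string]::IsNullOrEmpty($Path)) { return $false }
        if (-not (Test-Path -LiteralPath $Path)) { return $false }
        if (-not $Path.StartsWith($roaming, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        $vi   = (Get-Item -LiteralPath $Path -Force).VersionInfo
        return ($knownHashes -contains $hash) -or
               ($vi.OriginalFilename -ieq 'wscript.exe') -or
               ($vi.FileDescription -like '*Windows Based Script Host*')
    }

    # 1. Startup shortcuts (per-user and all-users) whose target is a relocated script host.
    $startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $startupFolders) {
        foreach ($lnkFile in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($lnkFile.FullName)
            if (-not (Test-ScriptHostCopy $lnk.TargetPath)) { continue }
            $dir    = Split-Path -Parent $lnk.TargetPath
            $hidden = ((Get-Item -LiteralPath $dir -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            [pscustomobject]@{
                Kind         = 'StartupShortcut'
                Location     = $lnkFile.FullName
                Target       = $lnk.TargetPath
                Arguments    = $lnk.Arguments      # typically the path of the .js copy
                FolderHidden = $hidden
            }
        }
    }

    # 2. Live processes executing from such a copy (report only, see note at top).
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        if (-not (Test-ScriptHostCopy $proc.ExecutablePath)) { continue }
        [pscustomobject]@{
            Kind         = 'RunningProcess'
            Location     = "PID $($proc.ProcessId)"
            Target       = $proc.ExecutablePath
            Arguments    = $proc.CommandLine
            FolderHidden = $null
        }
    }

    # 3. Explorer settings that keep hidden/system folders out of sight (assumed to be the
    #    registry keys the article alludes to). Hidden=2 hides hidden items; ShowSuperHidden=0
    #    hides protected operating-system files.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Kind         = 'ExplorerSettings'
        Location     = 'HKCU:\...\Explorer\Advanced'
        Target       = "Hidden=$($adv.Hidden)"
        Arguments    = "ShowSuperHidden=$($adv.ShowSuperHidden)"
        FolderHidden = $null
    }
}

Find-RenamedScriptHost | Format-Table -AutoSize
```

The hash comparison catches a straight copy of the system binary; the version-info checks catch the same binary after an in-place rename, which is the case the article describes. Because the hunt runs in PowerShell rather than under a name the malware’s WMI watcher is likely to match, it should not trip the process-killing logic, but the article’s advice to rename analysis tools still applies to anything else you run on the box.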

“A key takeaway from this report is that the malware itself shuts down if it detects security software running despite implementing layers of obfuscation presumably designed to thwart detection,” Craig Young, a Cybersecurity Researcher for Tripwire, told SecurityWeek. “The relatively simplistic tricks this malware makes are no match for any decent endpoint protection tool.”

Related: Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

Related: Clever Techniques Help Malware Evade AV Engines

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
