Malware & Threats

Malicious Office Docs Install Proxies to Spy on HTTPS Traffic

Malicious Microsoft Office documents have long been used to deliver malware onto the computers of unsuspecting users, but it appears that attackers are now abusing them in a new manner: to install rogue proxies.

Discovered by Microsoft, the new attack relies on legitimate Office object linking and embedding (OLE) functionality to trick users into downloading malicious content onto their computers. The method is not new, and Microsoft already explained how attackers leverage Office’s OLE to hide malicious code, but the final payload is different this time.

The purpose of the attack, Alden Pornasdoro and Vincent Tiu of the Microsoft Malware Protection Center explain, is to change the browser proxy settings on the victim's machine so that its web traffic flows through an attacker-controlled proxy. From that position the attackers can read and modify traffic and steal authentication credentials or other sensitive information.

Detected as Trojan:JS/Certor.A, the JScript malware is distributed via spam emails carrying the malicious Office documents as attachments. The attachment, a .docx file, contains an OLE embedded object that runs the script when double-clicked. The object's icon is changed to resemble an invoice or receipt so that the recipient is tempted to open it, Microsoft explains.
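A triage script for the delivery vector, added here as an example and not part of Microsoft's write-up. A .docx is a ZIP package: embedded OLE payloads sit under word/embeddings/, and word/document.xml references each one through an o:OLEObject element whose ProgID is "Package" when the object was created by the Windows Packager (the component that wraps an arbitrary file such as a .js dropper into a double-clickable icon). The script lists every OLE object, resolves it to its part, sniffs the part's magic bytes and flags Packager objects. The sample path is an assumption; run it against a quarantined copy, never by opening the document.

```powershell
# Added example (not Microsoft's code): enumerate OLE objects embedded in a .docx
# and flag Packager ("Package" ProgID) objects. Path in the usage line is assumed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxOleObjects {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)   # a .docx is a ZIP package
    try {
        $readEntry = {
            param($name)
            $entry = $zip.GetEntry($name)
            if (-not $entry) { return $null }
            $sr = New-Object System.IO.StreamReader($entry.Open())
            try { $sr.ReadToEnd() } finally { $sr.Dispose() }
        }

        # Relationship ids used in document.xml resolve to parts such as embeddings/oleObject1.bin
        $targets = @{}
        $relsXml = & $readEntry 'word/_rels/document.xml.rels'
        if ($relsXml) {
            ([xml]$relsXml).Relationships.Relationship | ForEach-Object { $targets[$_.Id] = $_.Target }
        }

        $docXml = & $readEntry 'word/document.xml'
        if (-not $docXml) { throw "No word/document.xml in $Path" }
        [xml]$doc = $docXml
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('o', 'urn:schemas-microsoft-com:office:office')
        $rNs = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'

        foreach ($obj in $doc.SelectNodes('//o:OLEObject', $ns)) {
            $rid    = $obj.GetAttribute('id', $rNs)
            $target = if ($rid -and $targets.ContainsKey($rid)) { 'word/' + $targets[$rid] } else { $null }

            # Sniff the embedded part: an OLE compound file starts with D0 CF 11 E0.
            $magic = $null
            if ($target -and ($part = $zip.GetEntry($target))) {
                $buf = New-Object byte[] 4
                $s = $part.Open(); try { $null = $s.Read($buf, 0, 4) } finally { $s.Dispose() }
                $magic = ($buf | ForEach-Object { $_.ToString('X2') }) -join ' '
            }

            [pscustomobject]@{
                ProgID     = $obj.GetAttribute('ProgID')
                DrawAspect = $obj.GetAttribute('DrawAspect')   # "Icon" = rendered as a clickable icon
                Target     = $target
                Magic      = $magic
                # A Packager object wraps an arbitrary file that is shell-executed on
                # double-click; that is the lure the Certor dropper relies on.
                Suspicious = ($obj.GetAttribute('ProgID') -eq 'Package')
            }
        }
    }
    finally { $zip.Dispose() }
}

# Usage (the path is an assumption):
Get-DocxOleObjects -Path 'C:\quarantine\invoice.docx' | Format-Table -AutoSize
```

A document whose only OLE objects are Packager objects drawn as icons is the pattern described above; a legitimate embedded spreadsheet or chart shows a ProgID such as Excel.Sheet.12 instead. The script reads the package without launching Office, so it is safe to run on suspicious attachments.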

The script is obfuscated and presented as a harmless file. De-obfuscation shows that it carries encrypted PowerShell scripts and its own certificate, and Microsoft explains that the certificate is later installed so that the attackers' proxy can monitor HTTPS content and traffic.

When the script is double-clicked, it drops a series of components into the %Temp% folder and executes them. cert.der is the certificate used for traffic monitoring: once the victim's browser trusts it, TLS connections terminated at the attackers' proxy no longer trigger certificate warnings. ps.ps1 is responsible for installing that certificate on the compromised device.

A psf.ps1 file adds the certificate to Firefox as well, because that browser uses its own certificate store rather than the one provided by the operating system, Microsoft notes. Finally, pstp.ps1 installs a Tor client, a scheduled task and a proxifier. Microsoft says this too is part of the technique for tampering with the browser's proxy settings: the proxy configuration URL set in the next step is a .onion address, which is only reachable through Tor.

Next, to modify Internet Explorer's proxy settings, the JScript writes a single registry value, Microsoft explains: under the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings it sets AutoConfigURL to http://pysvonjm6a7idbkz(.)onion/rejtyahf.js?ip=<host ip address>. AutoConfigURL tells Internet Explorer, and every WinINet-based application that inherits its proxy settings, to fetch a proxy auto-config (PAC) script from that URL and send each request to whatever proxy the script's FindProxyForURL() function returns; the ip= parameter passes the victim's address to the attackers' server.

“When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns. At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness,” Microsoft’s researchers say.
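A host triage script for the chain described above, added here as an example and not part of Microsoft's analysis. It checks the three places the infection touches: the per-user WinINet proxy settings (AutoConfigURL and any static ProxyServer), the per-user trusted root store (adding a root there needs no administrator rights, so anything present that is not also in the machine store deserves a look), and the %Temp% drop names plus any scheduled task that runs something from %Temp%. The allowed PAC host and the remediation switch are assumptions; file names beyond those in the article are not used.

```powershell
# Added triage example (not Microsoft's code). Reports indicators of a rogue
# proxy/certificate setup on the current user's profile; -Remediate clears a
# flagged AutoConfigURL only after you have reviewed it (assumption).
function Test-RogueProxySetup {
    [CmdletBinding()]
    param(
        [string[]]$AllowedPacHosts = @(),   # assumption: hosts your org legitimately serves PAC files from
        [switch]$Remediate
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($check, $value, $bad)
             $findings.Add([pscustomobject]@{ Check = $check; Value = $value; Suspicious = $bad }) }

    # 1. Proxy auto-config URL. IE/WinINet fetch a PAC script from here and ask its
    #    FindProxyForURL() where to send every request. Certor points it at a .onion host.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($ie.AutoConfigURL) {
        $pacHost = ([uri]$ie.AutoConfigURL).Host
        $bad = ($pacHost -like '*.onion') -or ($AllowedPacHosts -notcontains $pacHost)
        & $add 'AutoConfigURL' $ie.AutoConfigURL $bad
        if ($bad -and $Remediate) { Remove-ItemProperty -Path $ieKey -Name AutoConfigURL }
    }
    # A static proxy is reported for context only; compare it against your known proxy.
    if ($ie.ProxyEnable -eq 1) { & $add 'ProxyServer' $ie.ProxyServer $false }

    # 2. Per-user trusted roots. Anything in CurrentUser\Root that is absent from
    #    LocalMachine\Root was added for this user alone, which is how the dropper works.
    $machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint)
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\Root) {
        if ($machineRoots -notcontains $cert.Thumbprint) {
            & $add 'UserRootCA' "$($cert.Subject) [$($cert.Thumbprint)] valid from $($cert.NotBefore.ToShortDateString())" $true
        }
    }

    # 3. Drop artefacts named in the write-up, and scheduled tasks that execute from %Temp%
    #    (the dropper installs a task alongside the Tor client and proxifier).
    foreach ($name in 'cert.der', 'ps.ps1', 'psf.ps1', 'pstp.ps1') {
        $p = Join-Path $env:TEMP $name
        if (Test-Path $p) { & $add 'TempArtifact' $p $true }
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match [regex]::Escape($env:TEMP) -or $cmd -match '%TEMP%') {
                & $add 'ScheduledTask' "$($task.TaskName): $cmd" $true
            }
        }
    }
    return $findings
}

# Usage (the PAC host is an assumption):
Test-RogueProxySetup -AllowedPacHosts 'pac.corp.example' | Format-Table -AutoSize
```

Two caveats. Clearing AutoConfigURL is not a full clean-up: the rogue root certificate must be removed from both the Windows user store and each Firefox profile's own database, which this script does not touch (Firefox needs its certificate manager or the NSS certutil tool), and the Tor client, proxifier and scheduled task have to be removed as well. Second, a machine with a legitimate per-user root (some development tools install one) will show a UserRootCA finding; check the subject and thumbprint before acting on it.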

To stay protected, users are advised to open and interact only with messages and attachments from sources they recognize and trust. Admins can prevent OLE packages from executing through the registry: set HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt to 2, which means no prompt and the object does not execute (0 runs the object without a prompt, 1 prompts and then runs it). The value is per user, per Office version and per application, so it must be set for each of Word, Excel and PowerPoint under every installed version.
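The hardening step above, as an added example rather than Microsoft's own script. It walks every Office version key under the current user's hive (14.0, 15.0, 16.0 and so on), creates the Security subkey where it is missing, records the value found before the change (no value means the default prompt-then-run behaviour) and writes PackagerPrompt=2. The application list is an assumption; extend it to match what you have installed.

```powershell
# Added hardening example (not Microsoft's code). PackagerPrompt values:
#   0 = no prompt, object executes (weak)   1 = prompt, then executes (default)
#   2 = no prompt, object does not execute  (the setting recommended above)
function Set-OfficePackagerPrompt {
    [CmdletBinding()]
    param(
        [ValidateSet(0, 1, 2)][int]$Value = 2,
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint')   # assumption: extend as needed
    )
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    $versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -match '^\d+\.\d+$' }   # 14.0, 15.0, 16.0 ...

    foreach ($ver in $versions) {
        foreach ($app in $Applications) {
            $appKey = Join-Path $ver.PSPath $app
            if (-not (Test-Path $appKey)) { continue }      # app key only exists once the app has run
            $secKey = Join-Path $appKey 'Security'
            if (-not (Test-Path $secKey)) { New-Item -Path $secKey | Out-Null }

            $before = (Get-ItemProperty -Path $secKey -Name PackagerPrompt -ErrorAction SilentlyContinue).PackagerPrompt
            New-ItemProperty -Path $secKey -Name PackagerPrompt -PropertyType DWord -Value $Value -Force | Out-Null

            [pscustomobject]@{
                Version     = $ver.PSChildName
                Application = $app
                Before      = if ($null -eq $before) { '(default: prompt)' } else { $before }
                After       = (Get-ItemProperty -Path $secKey -Name PackagerPrompt).PackagerPrompt
            }
        }
    }
}

Set-OfficePackagerPrompt -Value 2 | Format-Table -AutoSize
```

Because the key lives in HKCU, it protects only the user whose hive it is written to and can be flipped back by that user or by malware running as that user, so deploy it through your per-user configuration management and alert on changes to it rather than setting it once and forgetting it.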

Related: Office’s OLE Leveraged to Hide Malicious Code

Related: Hackers Can Intercept HTTPS URLs via Proxy Attacks

Related: Microsoft Blocks Risky Macros in Office 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
