JavaScript Uses Aggressive Persistence Functions

Security researchers have found a malicious script that uses aggressive tactics to hijack web browsers and prevent users from removing it from infected computers.

The threat doesn’t appear to be new, but the security researchers from Kahu Security say that the aggressive tactics that the latest version employs haven’t been seen before. What’s more, the script’s author(s) heavily obfuscated it to hinder analysis, they explain.

The script contains numerous variables and functions but doesn’t use whitespace, which makes it difficult for analysts to correctly identify them. Moreover, the JavaScript contains encoded characters, regex search/replace, unusual base conversions, and conditional statements in an effort to hide its malicious intent.

To ensure persistence on the infected machine, the script makes a copy of wscript.exe, renames it to a random name and saves it to a new folder in the user’s AppData\Roaming directory. The malicious code also makes a copy of itself and abuses the newly created copy of wscript.exe to run the script.

The security researchers also observed that the script sets specific registry keys to hide the folder, and then creates a shortcut to it in the startup folder. Dubbed “Start,” the shortcut was designed to trick users into running the script. It is also meant to ensure that the script runs each time Windows starts.

Moreover, the script checks if it can get access to Microsoft, Google, or Bing and then sends data about the infected computer to urchintelemetry[.]com and downloads an encrypted file from 95.153.31[.]22. This file is a script meant to change the start page in Internet Explorer, Firefox, and Chrome to login.hhtxnet[.]com.

When launching a browser, the user is redirected to portalne[.]ws, researchers say, adding that the script’s command and control (C&C) website looks broken when visited, but that it would deliver a response if a correct POST is made. The response, however, is hidden in the body tag and not visible to the user.

The malware also abuses Windows Management Instrumentation (WMI) to make sure that it can keep security software away from its tasks. Thus, if specific programs run, the script terminates their process in an unusual way, displaying a message meant to fool the user into thinking the program is not working.


To further ensure persistence, the script executes a specific command if the user terminates the WScript process associated with it, causing the computer to shut down immediately. To remove it, users have to restart in Safe Mode or log into another account, then remove the startup link and roaming folder. Security researchers interested in analyzing the script while it’s running are advised to rename their security tool to something benign.
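As an added illustration (not code from the original report, from Kahu Security or from SecurityWeek), the following Python script turns two of the behaviours described above into hunting rules and runs them over constructed Sysmon-style process-creation records: a copy of wscript.exe that carries a random on-disk name or lives under AppData\Roaming and is launched with a script file, and a script host that goes on to spawn a shutdown command. The log format, field names, user and folder names, and the use of shutdown.exe as the shutdown command are assumptions made for the example; the article does not name the exact command the script runs.

```python
"""Hunting rules for a renamed wscript.exe persisting under AppData\\Roaming.

The records below are constructed for this example in a key=value format
loosely modelled on Sysmon Event ID 1 (process creation).  They are not real
telemetry; map the field names to your own data source before use.
"""
import re

# Constructed sample log.  Record 2 is the renamed wscript.exe copy running a
# .js file from the roaming profile; record 3 is that process calling
# shutdown.exe (assumed command); records 1 and 4 are benign controls.
SAMPLE_LOG = r"""
EventID=1|Image=C:\Windows\System32\svchost.exe|OriginalFileName=svchost.exe|CommandLine=svchost.exe -k netsvcs|ParentImage=C:\Windows\System32\services.exe
EventID=1|Image=C:\Users\alice\AppData\Roaming\qzkd\pmrx.exe|OriginalFileName=wscript.exe|CommandLine="C:\Users\alice\AppData\Roaming\qzkd\pmrx.exe" "C:\Users\alice\AppData\Roaming\qzkd\kfwe.js"|ParentImage=C:\Windows\explorer.exe
EventID=1|Image=C:\Windows\System32\shutdown.exe|OriginalFileName=shutdown.exe|CommandLine=shutdown.exe /s /t 0|ParentImage=C:\Users\alice\AppData\Roaming\qzkd\pmrx.exe
EventID=1|Image=C:\Windows\System32\wscript.exe|OriginalFileName=wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs|ParentImage=C:\Windows\System32\userinit.exe
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
SCRIPT_ARG_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def parse_record(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_renamed_script_host(rec: dict) -> bool:
    """The PE's OriginalFileName says wscript/cscript, but the file on disk
    either has a different name or sits in the roaming profile.  Matching on
    the image name alone would miss a renamed copy; the PE metadata does not."""
    orig = rec.get("OriginalFileName", "").lower()
    image = rec.get("Image", "")
    if orig not in SCRIPT_HOSTS:
        return False
    return basename(image) != orig or bool(ROAMING_RE.search(image))


def rule_hidden_script_host(rec: dict):
    """Flag a renamed/relocated script host, noting whether it ran a script."""
    if not is_renamed_script_host(rec):
        return None
    if SCRIPT_ARG_RE.search(rec.get("CommandLine", "")):
        return "renamed script host in roaming profile launching a script"
    return "renamed script host executable"


def rule_script_host_shutdown(rec: dict, renamed_hosts: set):
    """Flag shutdown.exe whose parent is a script host, including a renamed
    one identified earlier in the same log."""
    parent = rec.get("ParentImage", "")
    if basename(rec.get("Image", "")) != "shutdown.exe":
        return None
    if basename(parent) in SCRIPT_HOSTS or parent in renamed_hosts:
        return "script host spawned shutdown.exe"
    return None


def hunt(log_text: str) -> list:
    """Return (verdict, image) pairs for every record that trips a rule."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    # Pass 1: remember where renamed script hosts live so that their child
    # processes can be attributed to them in pass 2.
    renamed = {r["Image"] for r in records if is_renamed_script_host(r)}
    findings = []
    for rec in records:
        for verdict in (rule_hidden_script_host(rec),
                        rule_script_host_shutdown(rec, renamed)):
            if verdict:
                findings.append((verdict, rec.get("Image", "")))
    return findings


if __name__ == "__main__":
    for verdict, image in hunt(SAMPLE_LOG):
        print(f"{verdict}: {image}")
```

The legitimate wscript.exe in System32 running a logon script is deliberately left unflagged: the rule keys on the mismatch between the PE's OriginalFileName and its on-disk name or location, which is exactly what a renamed copy in AppData\Roaming produces and a stock installation does not.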

“A key takeaway from this report is that the malware itself shuts down if it detects security software running despite implementing layers of obfuscation presumably designed to thwart detection,” Craig Young, a Cybersecurity Researcher for Tripwire, told SecurityWeek. “The relatively simplistic tricks this malware makes are no match for any decent endpoint protection tool.”

Related: Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

Related: Clever Techniques Help Malware Evade AV Engines

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
