JavaScript Uses Aggressive Persistence Functions

Security researchers have found a malicious script that uses aggressive tactics to hijack web browsers and prevent users from removing it from infected computers.

The threat doesn’t appear to be new, but the security researchers from Kahu Security say that the aggressive tactics that the latest version employs haven’t been seen before. What’s more, the script’s author(s) heavily obfuscated it to hinder analysis, they explain.

The script contains numerous variables and functions but no whitespace, which makes it hard for analysts to tell them apart. The JavaScript also relies on encoded characters, regex search/replace, unusual base conversions and conditional statements to hide its intent.

To persist on the infected machine, the script copies wscript.exe, renames the copy to a random name and saves it in a new folder under the user's AppData\Roaming directory. It also makes a copy of itself and uses the renamed wscript.exe to run that copy, so the script host no longer shows up under its usual name.

The researchers also observed that the script sets specific registry keys to hide the folder, then creates a shortcut in the Startup folder. Named “Start,” the shortcut is meant to trick users into running the script and also ensures that it runs each time Windows starts.

The script then checks whether it can reach Microsoft, Google or Bing, sends data about the infected computer to urchintelemetry[.]com and downloads an encrypted file from 95.153.31[.]22. That file is a script that changes the start page in Internet Explorer, Firefox and Chrome to login.hhtxnet[.]com.

When the user launches a browser, they are redirected to portalne[.]ws, the researchers say. The script's command and control (C&C) website looks broken when visited in a browser, but returns a response to a correctly formed POST request; that response is hidden inside the body tag and is not visible to the user.

The malware also uses Windows Management Instrumentation (WMI) to watch for security software. If specific programs are started, the script terminates their processes in an unusual way and displays a message meant to make the user believe the program simply is not working.

To further ensure persistence, the script runs a command that shuts the computer down immediately if the user terminates the WScript process associated with it. Removal therefore requires booting into Safe Mode or logging into another account, then deleting the startup shortcut and the folder under the Roaming directory. Researchers who want to analyze the script while it runs are advised to rename their security tools to something benign, since the malware appears to identify them by process name.
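The persistence artifacts described above (a random-named copy of wscript.exe under AppData\Roaming, a shortcut in the Startup folder that launches it) and the removal procedure lend themselves to a small hunting script. The following is an added example, not code from Kahu Security or SecurityWeek. It assumes that the copied binary still carries the PE version resource of wscript.exe (a plain file copy preserves it) and that the shortcut's target or arguments reference the Roaming folder; the registry keys the report mentions are not named there, so the script relies on the hidden attribute and the -Force switch instead. Run it with -Remove from Safe Mode or from a different account, pointing -ProfilePath at the infected profile, because killing the live WScript process triggers the shutdown routine.

```powershell
<#
Added example (not the malware authors', Kahu Security's or SecurityWeek's code).
Hunts for the persistence artifacts described in the report and, with -Remove,
deletes them. Assumptions: the renamed wscript.exe copy keeps its version
resource, and the Startup .lnk points into AppData\Roaming.
#>
param(
    [string]$ProfilePath = $env:USERPROFILE,   # e.g. C:\Users\victim when run from another account
    [switch]$Remove
)

$roaming  = Join-Path $ProfilePath 'AppData\Roaming'
$startup  = Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell    = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Startup shortcuts whose target or arguments point into AppData\Roaming.
foreach ($lnkFile in (Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue)) {
    $lnk = $shell.CreateShortcut($lnkFile.FullName)
    $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
    if ($cmd -like "*$roaming*") {
        $findings += [pscustomobject]@{ Type = 'StartupShortcut'; Path = $lnkFile.FullName; Detail = $cmd }
    }
}

# 2. Renamed copies of wscript.exe: the file name is random, but the version
#    resource still reports OriginalFilename = wscript.exe. -Force walks hidden
#    folders, which is how the report says the dropper hides its copy.
foreach ($exe in (Get-ChildItem -Path $roaming -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue)) {
    if ($exe.VersionInfo.OriginalFilename -eq 'wscript.exe') {
        $hidden = ($exe.Directory.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += [pscustomobject]@{ Type = 'RenamedWScript'; Path = $exe.FullName; Detail = "parent folder hidden: $hidden" }
    }
}

# 3. Live processes running from Roaming whose image is really wscript.exe.
#    Only meaningful inside the infected session; deliberately not killed here,
#    because the report says terminating the process shuts the machine down.
foreach ($proc in (Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -like "$roaming*" })) {
    $vi = (Get-Item -LiteralPath $proc.ExecutablePath -Force -ErrorAction SilentlyContinue).VersionInfo
    if ($vi -and $vi.OriginalFilename -eq 'wscript.exe') {
        $findings += [pscustomobject]@{ Type = 'RunningRenamedWScript'; Path = $proc.ExecutablePath; Detail = "PID $($proc.ProcessId): $($proc.CommandLine)" }
    }
}

$findings | Format-Table -AutoSize -Wrap

# Removal mirrors the report's advice: delete the startup link and the dropper's
# folder. Intended to run from Safe Mode or another account.
if ($Remove) {
    foreach ($f in ($findings | Where-Object Type -eq 'StartupShortcut')) {
        Remove-Item -LiteralPath $f.Path -Force
    }
    foreach ($f in ($findings | Where-Object Type -eq 'RenamedWScript')) {
        $dir = Split-Path -Parent $f.Path
        # Never delete the Roaming root itself, only the dropper's own subfolder.
        if ($dir -ne $roaming) { Remove-Item -LiteralPath $dir -Recurse -Force }
        else { Remove-Item -LiteralPath $f.Path -Force }
    }
}
```

Usage from a clean administrative session: `.\hunt-wscript.ps1 -ProfilePath C:\Users\victim -Remove`. Matching on the version resource rather than the file name is what makes the check survive the random rename; an attacker who also patches the resource would defeat it, so the Startup-shortcut and process-path checks act as independent signals.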

“A key take away from this report is that the malware itself shuts down if it detects security software running despite implementing layers of obfuscation presumably designed to thwart detection,” Craig Young, a Cybersecurity Researcher for Tripwire, told SecurityWeek. “The relatively simplistic tricks this malware makes are no match for any decent end point protection tool.” 

Related: Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

Related: Clever Techniques Help Malware Evade AV Engines

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
