JavaScript Uses Aggressive Persistence Functions

Security researchers have found a malicious script that uses aggressive tactics to hijack web browsers and prevent users from removing it from infected computers.

The threat doesn’t appear to be new, but the security researchers from Kahu Security say that the aggressive tactics that the latest version employs haven’t been seen before. What’s more, the script’s author(s) heavily obfuscated it to hinder analysis, they explain.

The script contains numerous variables and functions but doesn’t use whitespaces, which makes it difficult for analysts to correctly identify them. Moreover, the JavaScript contains encoded characters regex search/replace, unusual base conversions, and conditional statements in an effort to hide its malicious intent.

To ensure persistence on the infected machine, the script makes a copy of wscript.exe, then renames it to a random name and saves it to a new folder in the user’s AppDataRoaming directory. The malicious code also makes a copy of itself and abuses the newly created copy of wscript.exe to run the script.

The security researchers also observed that the script sets specific registry keys to hide the folder, and then creates a shortcut to it in the startup folder. Dubbed “Start,” the shortcut was designed to trick users into running the script. It is also meant to ensure that the script runs each time Windows starts.

Moreover, the script checks if it can get access to Microsoft, Google, or Bing and then sends data about the infected computer to urchintelemetry[.]com and downloads an encrypted file from 95.153.31[.]22. This file is a script meant to change the start page in Internet Explorer, Firefox, and Chrome to login.hhtxnet[.]com.

When launching a browser, the user is redirected to portalne[.]ws, researchers say, adding that the script’s command and control (C&C) website looks broken when visited, but that it would deliver a response if a correct POST is made. The response, however, is hidden in the body tag and not visible to the user.

The malware also abuses Windows Management Instrumentation (WMI) to make sure that it can keep security software away from its tasks. Thus, if specific programs run, the script terminates their process in an unusual way, displaying a message meant to fool the user into thinking the program is not working.

To further ensure persistence, the script executes a specific command if the user terminates the WScript process associated with it, causing the computer to shut down immediately. To remove it, users have to restart in Safe Mode or log into another account, then remove the startup link and roaming folder. Security researchers interested in analyzing the script while it’s running are advised to rename their security tool to something benign.

“A key take away from this report is that the malware itself shuts down if it detects security software running despite implementing layers of obfuscation presumably designed to thwart detection,” Craig Young, a Cybersecurity Researcher for Tripwire, told SecurityWeek. “The relatively simplistic tricks this malware makes are no match for any decent end point protection tool.” 

Related: Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

Related: Clever Techniques Help Malware Evade AV Engines