Malicious Office Docs Install Proxies to Spy on HTTPS Traffic

Malicious Microsoft Office documents have long been used to deliver malware onto the computers of unsuspecting users, but it appears that attackers are now abusing them in a new manner: to install rogue proxies.

Discovered by Microsoft, the new attack relies on legitimate Office object linking and embedding (OLE) functionality to trick users into downloading malicious content onto their computers. The method is not new, and Microsoft already explained how attackers leverage Office’s OLE to hide malicious code, but the final payload is different this time.

The purpose of this attack, Alden Pornasdoro and Vincent Tiu from the Microsoft Malware Protection Center reveal, is to change the browser Proxy Server setting on the victim’s machine. Thus, the attackers would be able to steal authentication credentials or other sensitive information.

Detected as Trojan:JS/Certor.A, the JScript malware is distributed via spam emails that have the malicious Office documents attached to them. The attachment, a .docx file, contains an OLE Embedded Object meant to run a script when double-clicked. The script attempts to masquerade by changing its icon to something that resembles an invoice or receipt, Microsoft explains.

The malicious script, which is obfuscated to hide its code, is disguised as a harmless file. De-obfuscation reveals that the script packs encrypted PowerShell scripts and its own certificate, and Microsoft explains that the certificate is later used to enable monitoring of HTTPS content and traffic.

When the script is double-clicked, it drops a series of components in the %Temp% folder and executes them. A cert.der file is added as a certificate for traffic monitoring purposes, while a ps.ps1 file is responsible for ensuring that the certificate is installed on the compromised device.

There is also a psf.ps1 file responsible for adding the certificate to Firefox, because this browser uses its own certificate store instead of the one provided by the operating system, Microsoft notes. Finally, a pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. Apparently, this too is part of the malware’s technique to tamper with the browser’s Proxy Settings.

Next, to modify Internet Explorer’s proxy settings, the JScript makes specific changes to a registry key, Microsoft explains: in subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the malware sets value AutoConfigURL with data http://pysvonjm6a7idbkz(.)onion/rejtyahf.js?ip=<host ip address>.

“When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns. At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness,” Microsoft’s researchers say.

To stay protected, users are advised to open and interact only with messages and attachments from sources they recognize and trust. Admins can modify a specific registry key to ensure that the OLE packages are not executed. The registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt should be set to 2, which disables packages.
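The two registry locations named in this article can be audited from an elevated or per-user PowerShell session. The script below is an added example, not code from Microsoft's write-up or from this article; the Office version numbers it enumerates (16.0, 15.0, and so on) and the application names Word, Excel and PowerPoint are assumptions to adjust for the installed Office builds.

```powershell
# Added example (not from the article): check the per-user proxy auto-config
# value the malware sets, and the PackagerPrompt setting the article recommends.
# Office version numbers and application names below are assumptions.

$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-AutoConfigUrl {
    # Report any AutoConfigURL value; flag .onion hosts as described in the attack.
    $value = (Get-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if (-not $value) {
        return [pscustomobject]@{ AutoConfigURL = $null; Suspicious = $false }
    }
    [pscustomobject]@{ AutoConfigURL = $value; Suspicious = ($value -match '\.onion(/|:|$)') }
}

function Get-PackagerPromptStatus {
    # Enumerate installed Office versions under HKCU and read PackagerPrompt for each app.
    # 2 = packages disabled (the value the article recommends); missing = Office default.
    Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $ver = $_.PSChildName
            foreach ($app in 'Word', 'Excel', 'PowerPoint') {
                $sec = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
                $cur = (Get-ItemProperty -Path $sec -Name PackagerPrompt -ErrorAction SilentlyContinue).PackagerPrompt
                [pscustomobject]@{ Version = $ver; App = $app; Key = $sec; PackagerPrompt = $cur; Disabled = ($cur -eq 2) }
            }
        }
}

function Set-PackagerDisabled {
    # Enforce PackagerPrompt = 2 on every enumerated application key, creating it if absent.
    foreach ($row in Get-PackagerPromptStatus) {
        if (-not (Test-Path $row.Key)) { New-Item -Path $row.Key -Force | Out-Null }
        Set-ItemProperty -Path $row.Key -Name PackagerPrompt -Value 2 -Type DWord
    }
}

function Remove-AutoConfigUrl {
    # Remediation: clear the attacker-set PAC URL so the browser stops fetching it.
    Remove-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

Test-AutoConfigUrl
Get-PackagerPromptStatus | Format-Table Version, App, PackagerPrompt, Disabled
# Uncomment to enforce the recommended setting:
# Set-PackagerDisabled
```

Run the audit first and only call Set-PackagerDisabled and Remove-AutoConfigUrl after confirming the findings, since PackagerPrompt = 2 also blocks legitimate embedded packages.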

Related: Office's OLE Leveraged to Hide Malicious Code

Related: Hackers Can Intercept HTTPS URLs via Proxy Attacks

Related: Microsoft Blocks Risky Macros in Office 2016
