
Malicious Office Docs Install Proxies to Spy on HTTPS Traffic

Malicious Microsoft Office documents have long been used to deliver malware onto the computers of unsuspecting users, but it appears that attackers are now abusing them in a new manner: to install rogue proxies.

Discovered by Microsoft, the new attack relies on legitimate Office object linking and embedding (OLE) functionality to trick users into downloading malicious content onto their computers. The method is not new, and Microsoft already explained how attackers leverage Office’s OLE to hide malicious code, but the final payload is different this time.

The purpose of this attack, Alden Pornasdoro and Vincent Tiu from the Microsoft Malware Protection Center reveal, is to change the browser Proxy Server setting on the victim’s machine. Thus, the attackers would be able to steal authentication credentials or other sensitive information.

Detected as Trojan:JS/Certor.A, the JScript malware is distributed via spam emails that have the malicious Office documents attached to them. The attachment, a .docx file, contains an OLE Embedded Object meant to run a script when double-clicked. The script attempts to masquerade by changing its icon to something that resembles an invoice or receipt, Microsoft explains.

The malicious script is obfuscated to hide its code and disguised as a harmless file. De-obfuscation reveals that the script packs encrypted PowerShell scripts and its own certificate; Microsoft explains that the certificate is later used to enable monitoring of HTTPS content and traffic.

When the script is double-clicked, it drops a series of components in the %Temp% folder and executes them. A cert.der file is added as certificate for traffic monitoring purposes, while a ps.ps1 file is responsible for ensuring that the certificate is installed on the compromised device.

There is also a psf.ps1 file responsible for adding the certificate to Firefox, because this browser uses its own certificate store instead of the one provided by the operating system, Microsoft notes. Finally, a pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. Apparently, this too is part of the malware’s technique to tamper with the browser’s Proxy Settings.

Next, to modify Internet Explorer’s proxy settings, the JScript makes specific changes to a registry key, Microsoft explains: in the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the malware sets the value AutoConfigURL with data http://pysvonjm6a7idbkz(.)onion/rejtyahf.js?ip=<host ip address>.

“When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns. At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information, or web credentials could be stolen remotely, without user awareness,” Microsoft’s researchers say.

To stay protected, users are advised to open and interact only with messages and attachments from sources they recognize and trust. Admins can modify a specific registry value to ensure that OLE packages are not executed: the value PackagerPrompt under the key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security should be set to 2, which disables packages.
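The following PowerShell is an added example, not code from Microsoft's write-up or from SecurityWeek. It audits the three artifacts the article names from a defender's side: the AutoConfigURL value under the Internet Settings key, the per-user Root certificate store where a dropped certificate such as cert.der would be installed, and the PackagerPrompt value that disables OLE package execution. The Office version numbers (15.0, 16.0) and the application subkey names (Word, Excel, PowerPoint) are assumptions about what is installed on the host; adjust them to match your environment.

```powershell
# Added example (defender's audit/hardening script); assumptions are marked inline.
# Run in the context of the user account being audited.

$InetSettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-SuspiciousAutoConfigUrl {
    # Returns $true when a proxy auto-config URL is set and looks like the one
    # described in the article (served from a .onion host, or a plain-HTTP PAC
    # that echoes the host IP in its query string).
    param([string]$Key = $InetSettingsKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $url   = $props.AutoConfigURL
    if ([string]::IsNullOrEmpty($url)) {
        Write-Host 'AutoConfigURL is not set.'
        return $false
    }
    Write-Host "AutoConfigURL = $url"
    return ($url -match '\.onion(/|$)' -or $url -match '^http://.*\?ip=')
}

function Get-UserRootCertificates {
    # Lists certificates in the per-user Trusted Root store. A certificate added
    # by ps.ps1 for HTTPS interception would appear here; review anything with
    # an unfamiliar subject or a recent NotBefore date.
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore
}

function Set-OfficePackagerPrompt {
    # Sets PackagerPrompt = 2 (do not execute OLE packages) for each Office
    # application key that actually exists, so no junk keys are created for
    # versions that are not installed.
    param([int]$Value = 2)

    $officeVersions = @('15.0', '16.0')              # assumption: Office 2013 / 2016+
    $apps           = @('Word', 'Excel', 'PowerPoint') # assumption: apps of interest

    foreach ($v in $officeVersions) {
        foreach ($app in $apps) {
            $appKey = "HKCU:\Software\Microsoft\Office\$v\$app"
            if (-not (Test-Path $appKey)) { continue }

            $securityKey = Join-Path $appKey 'Security'
            if (-not (Test-Path $securityKey)) {
                New-Item -Path $securityKey -Force | Out-Null
            }
            Set-ItemProperty -Path $securityKey -Name 'PackagerPrompt' `
                             -Value $Value -Type DWord
            Write-Host "Set $securityKey\PackagerPrompt = $Value"
        }
    }
}

# --- usage ---
if (Test-SuspiciousAutoConfigUrl) {
    Write-Warning 'Suspicious proxy auto-config URL found; treat the host as compromised.'
}
Get-UserRootCertificates | Format-Table -AutoSize
Set-OfficePackagerPrompt -Value 2
```

Clearing a malicious AutoConfigURL and removing the rogue certificate are deliberately left to the incident response process rather than done automatically here: on a host that matches, the Tor client and scheduled task the article describes will also be present, so the machine should be isolated and rebuilt rather than patched in place.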

Related: Office’s OLE Leveraged to Hide Malicious Code

Related: Hackers Can Intercept HTTPS URLs via Proxy Attacks

Related: Microsoft Blocks Risky Macros in Office 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

