Javascript Leads to Browser Hijacking

I came across this nasty-looking script that hijacks your browser. It appears to have been around in some shape or form since 2014 but this latest version deploys an aggressive tactic I’ve not seen before. Here’s what this script looks like:

2016-10-08_01

The script is composed of variables and functions, but finding where one begins and another ends is difficult because of the lack of whitespace. The script uses tricks like encoded characters, regex search/replace, unusual base conversions, and conditional statements.

Here’s an example of how the author obfuscated the script. I’ve highlighted one variable whose name gives you no clue as to what it contains.

2016-10-08_02

If you unescape the script, it becomes more readable but not by a lot.

2016-10-08_03

If you evaluate it, you find that all that nonsense code does is build a string of letters and numbers. That string is used later to generate random strings.

2016-10-08_04

Here’s how the obfuscation works. Look at the following statement:
"ca"[(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)["toString"](("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0))](/[c]/g,"");

And focus on this part first:
(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)

This becomes:
5 + 38 * 932840649 = 35447944667

Then we look at this part:
("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0)

The character at index 2 is "3" (code 51), but it is multiplied by zero anyway, so this becomes:
51 * 0 + 33 = 33

When you combine the two, the long number is rendered in base 33 with toString(33), which spells out the word “replace”. That string is then used as a property name through bracket notation:
[(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)["toString"](("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0))]

So in short, the original statement distills down to the following, which is just "ca".replace(/[c]/g, "") and returns “a”:
"ca"["replace"](/[c]/g, "");

Clever.
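The folding described above can be done statically. The block below is an added example, not code from the post or the sample: a regex-based rewriter that evaluates the charCodeAt() lookups, folds the arithmetic, renders each number in the radix the script asks for, and turns the resulting obj["name"] back into obj.name. It handles any radix from 2 to 36, not just the base 33 used here, and it works on the statement quoted in the post; the regexes are not a JS parser, so string literals containing brackets or parentheses can confuse it.

```javascript
// Added example (not the post's code): static rewriter for the
// Number.prototype.toString(radix) property-name trick.
//   1. "literal"['charCodeAt'](i)   -> the character code
//   2. (number op number ...)        -> the arithmetic result, parens kept
//   3. (number)["toString"](radix)   -> the string the number spells
//   4. obj["name"]                   -> obj.name

// Decode the escape sequences a JS string literal may contain (\xHH, \uHHHH, \n ...).
function unescapeLiteral(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0" };
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)/g, (_m, esc) => {
    if (esc[0] === "x" || esc[0] === "u") return String.fromCharCode(parseInt(esc.slice(1), 16));
    return esc in simple ? simple[esc] : esc;
  });
}

// 1. "...."['charCodeAt'](9) -> 38
const CHARCODE_RE = /(["'])((?:(?!\1)[^\\]|\\.)*)\1\s*\[\s*["']charCodeAt["']\s*\]\s*\(\s*(\d+)\s*\)/g;
function foldCharCodeAt(src) {
  return src.replace(CHARCODE_RE, (_m, _q, body, idx) =>
    String(unescapeLiteral(body).charCodeAt(Number(idx))));
}

// 2. (5.0+38*932840649) -> (35447944667). An operator is required so that
//    plain call arguments such as (33) are left alone.
const ARITH_RE = /\(\s*(-?\d+(?:\.\d+)?(?:\s*[+\-*/]\s*-?\d+(?:\.\d+)?)+)\s*\)/g;
function foldArithmetic(src) {
  return src.replace(ARITH_RE, (_m, expr) => {
    // The regex admits only digits, dots, whitespace and + - * /, so the
    // Function() call below can compute a number and nothing else.
    if (!/^[\d.\s+\-*/]+$/.test(expr)) return _m;
    return "(" + Function("return (" + expr + ")")() + ")";
  });
}

// 3. (35447944667)["toString"]((33)) -> "replace"
const TOSTRING_RE = /\(?\s*(\d+(?:\.\d+)?)\s*\)?\s*\[\s*["']toString["']\s*\]\s*\(\s*\(*\s*(\d+(?:\.\d+)?)\s*\)*\s*\)/g;
function foldToString(src) {
  return src.replace(TOSTRING_RE, (_m, num, radix) => {
    const r = Number(radix);
    if (!Number.isInteger(r) || r < 2 || r > 36) return _m; // invalid radix: leave it
    return JSON.stringify(Number(num).toString(r));
  });
}

// 4. "ca"["replace"] -> "ca".replace (only when the name is a valid identifier)
const BRACKET_RE = /\[\s*(["'])([A-Za-z_$][\w$]*)\1\s*\]/g;
function foldBracketNames(src) {
  return src.replace(BRACKET_RE, (_m, _q, name) => "." + name);
}

// Repeat the numeric folds until nothing changes, then tidy the brackets.
function deobfuscate(src, maxPasses = 20) {
  let cur = src;
  for (let i = 0; i < maxPasses; i++) {
    const next = foldToString(foldArithmetic(foldCharCodeAt(cur)));
    if (next === cur) break;
    cur = next;
  }
  return foldBracketNames(cur);
}

// The reverse direction: the obfuscator just parses the name as a base-33 integer.
function encodeName(name, radix) {
  const n = parseInt(name, radix);
  if (Number.isNaN(n) || n.toString(radix) !== name) {
    throw new Error(JSON.stringify(name) + " is not representable in base " + radix);
  }
  return n;
}

// The statement quoted in the post, as raw text (backslashes stay literal).
const SAMPLE = String.raw`"ca"[(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)["toString"](("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0))](/[c]/g,"");`;

console.log(deobfuscate(SAMPLE));        // "ca".replace(/[c]/g,"");
console.log(encodeName("replace", 33));  // 35447944667
```

Run it on a whole script rather than one statement and the numeric folds are applied everywhere the pattern appears; what remains is the control flow and string building the author actually wrote.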

Here are some of the more interesting things this script does.

The script makes a copy of wscript.exe, renames it to something random, and saves it to a new folder in the user’s AppData\Roaming directory. It then makes a copy of itself. The copy of wscript.exe is used to run the script. The script then sets the following registry values, which stop Explorer from displaying hidden and protected system files, so the folder stays out of sight.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

It then creates a shortcut to the script called “Start” and saves it to the user’s startup folder. The shortcut has a folder icon to trick the user. If the user double-clicks on the “folder”, he/she ends up running the script.

2016-10-08_05

The script checks whether it can reach Microsoft, Google, or Bing. If so, it sends data about the computer to urchintelemetry .com and downloads an encrypted file from 95.153.31 .22 .

2016-10-08_06

The downloaded file is another script. The highlighted section shows the attempt to change IE, Firefox, and Chrome’s start page to login.hhtxnet .com .

2016-10-08_07

If you open your browser, you will end up redirected to portalne .ws .

2016-10-08_08

What’s interesting is that if you visit the CnC website, it looks broken.

2016-10-08_09

However, when a correctly formed POST is made, the server does respond; the response just isn’t rendered. Here you can see that the HTML source contains the response hidden inside the body tag.

2016-10-08_10

The script uses WMI to watch for security software so that it can’t interfere with its tasks. Here’s an excerpt listing the security-related programs it tracks.

2016-10-08_11

If any of the listed programs is started, its process is terminated, and the script displays a fake error message so the user thinks the program itself is broken.

2016-10-08_12

Let’s see this in action. Here I run Autoruns; the program quits and I get this on the screen.

2016-10-08_13

There’s one more trick up its sleeve. Here’s the excerpt from the script.

2016-10-08_14

This gem executes if you terminate the wscript process running the script. In other words, if you kill the script, your computer shuts down immediately.

If you end up with this script on your computer, you can get rid of it by restarting in Safe Mode (or logging into another account), then removing the startup shortcut and the folder under AppData\Roaming. If you want to analyze the script while it’s running, rename your security tool to something benign so the process-name check doesn’t match it.

File: sample1.js
MD5: C8B5A9FB9D573B00E1B5E957BD294C11
VT: 7 / 54

File: sample2.js
MD5: 8EA3EE6DF8CF28ABB220CD8615CC654B
VT: 18 / 54

Posted in Malscript

Tools Update

Several programs have been updated. You can find them on the Tools page.

Converter
Notable changes since the last version:
– Changed textbox font to Courier to improve readability
– Added reverse file option
– Added compare files option
– Consolidated extract and swap functions
– Added count of rows
– Added keep and strip differences to filter menu
– Replaced Hex Format %00 option with %u00
– Replaced Toggle Case format with separate lower/upper case options
– Improved Mixed CHR() to Text function
– Added additional options to count delimiters
– Fixed hex-to-text function to better handle nulls

2016-09-30_01

Registry Dumper
I was asked by a reader to suppress the multiple error popups that occur when scanning certain keys with SYSTEM privileges. In this release, only one error will appear then it won’t show up again.

2016-09-30_02

Text Decoder Toolkit
This release is almost a complete rewrite of the original version. A lot of things were moved around and added to make it more useful for CTF challenges. Startup takes a bit longer than usual because of the number of textboxes it has to render on the character substitution table form.

2016-09-30_03

URL Revealer
This version now includes the ability to show headers instead of just the URLs. Here are two examples, a Locky downloader and a script (thank you to Malware-Traffic-Analysis and VirusTotal Intelligence for the samples). By default only the URLs are displayed, but you can enable the switch to show the headers.

2016-09-30_04

Posted in Tools

Locky JS and URL Revealer

From various reports, it appears that the malicious Javascript files sent via email that pull Locky down are back.

Let’s see what these scripts look like:

2016-06-22_01

At the bottom of the script is this statement, which splits the string above into characters, reverses them, joins them back together, then evaluates the result:

eval(aBN3DmdER7P.split('').reverse().join(''));

Since we’re dealing with JScript under Windows Script Host, we can replace eval with WScript.Echo and capture the result instead of executing it:

WScript.Echo(aBN3DmdER7P.split('').reverse().join(''));

Now we get this:

2016-06-22_02

This script employs a lot of nonsense functions that just return exactly what is passed to them, in an attempt to make it harder to figure out what’s going on.

After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It’s using the familiar AJAX method.

2016-06-22_03

I echo out the URL array to see where the requests are going. There are three URLs it attempts to connect to. If the site is up, Locky gets downloaded and executed.
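The steps above (unwrap the reversed string, strip the identity functions, read off the URLs) can also be done without handing the string to eval or WScript.Echo at all, which matters when the second stage does more than build a URL array. The block below is an added example, not the post’s code or the Locky downloader: the script text it works on is constructed to mirror the structure the post describes (a reversed string fed to eval, pass-through functions, an array of URLs), and the domain, variable names and function names are made up.

```javascript
// Added example (not the post's code): static unwrapping of a
// reverse-string eval stage, followed by removal of identity functions
// and URL extraction. STAGE2_PLAIN is a constructed stand-in for the
// real second stage; STAGE1 is built from it the way the obfuscator would.

const STAGE2_PLAIN = [
  'function q1(a){return a;}',
  'function q2(b){return b;}',
  'var u = [q1("http://example.invalid/a/counter"), q2(q1("http://example.invalid/b/counter"))];',
  'var x = new ActiveXObject(q2("MSXML2.XMLHTTP"));',
].join("\n");

// On disk the second stage is stored reversed and eval'd after split/reverse/join.
const STAGE1 =
  "var aBN3DmdER7P = " + JSON.stringify(STAGE2_PLAIN.split("").reverse().join("")) + ";\n" +
  "eval(aBN3DmdER7P.split('').reverse().join(''));";

// Find eval(NAME.split('').reverse().join('')), locate NAME's string
// assignment, and return the reversed literal: the next stage.
function unwrapReversedEval(src) {
  const call = /eval\(\s*([A-Za-z_$][\w$]*)\.split\(\s*(['"])\2\s*\)\.reverse\(\)\.join\(\s*(['"])\3\s*\)\s*\)/.exec(src);
  if (!call) return null;
  const name = call[1].replace(/\$/g, "\\$");
  const assign = new RegExp(name + "\\s*=\\s*((['\"])(?:(?!\\2)[^\\\\]|\\\\.)*\\2)").exec(src);
  if (!assign) return null;
  // assign[1] is guaranteed by the regex to be exactly one string literal,
  // so Function() only decodes its escapes (\x.., \", \n); nothing executes.
  const literal = Function("return " + assign[1])();
  return literal.split("").reverse().join("");
}

// Index of the ")" that closes the "(" at position `open`.
function matchingParen(s, open) {
  let depth = 0;
  for (let i = open; i < s.length; i++) {
    if (s[i] === "(") depth++;
    else if (s[i] === ")" && --depth === 0) return i;
  }
  return -1;
}

// Remove `function f(x){return x;}` definitions and replace every f(expr)
// with expr, matching parentheses by hand so nested calls like
// q2(q1("...")) unwrap correctly. Parentheses inside string literals
// would need a real parser; this is enough for downloader stubs.
function inlineIdentityFunctions(src) {
  const DEF_RE = /function\s+([A-Za-z_$][\w$]*)\s*\(\s*([A-Za-z_$][\w$]*)\s*\)\s*\{\s*return\s+\2\s*;?\s*\}/g;
  const names = [];
  let out = src.replace(DEF_RE, (_m, name) => { names.push(name); return ""; });
  for (const name of names) {
    const callRe = new RegExp("\\b" + name.replace(/\$/g, "\\$") + "\\s*\\(", "g");
    let m;
    while ((m = callRe.exec(out)) !== null) {
      const open = m.index + m[0].length - 1;
      const close = matchingParen(out, open);
      if (close < 0) break;
      out = out.slice(0, m.index) + out.slice(open + 1, close) + out.slice(close + 1);
      callRe.lastIndex = m.index;   // rescan from the same spot: the text moved
    }
  }
  return out.trim();
}

// The URL array the post echoes out, pulled from the cleaned text.
function extractUrls(src) {
  return src.match(/https?:\/\/[^\s'"<>)\]]+/g) || [];
}

function analyze(stage1) {
  const stage2 = unwrapReversedEval(stage1);
  if (stage2 === null) throw new Error("no eval(NAME.split('').reverse().join('')) pattern found");
  const clean = inlineIdentityFunctions(stage2);
  return { stage2, clean, urls: extractUrls(clean) };
}

const result = analyze(STAGE1);
console.log(result.clean);
console.log(result.urls);  // [ 'http://example.invalid/a/counter', 'http://example.invalid/b/counter' ]
```

The WScript.Echo trick in the post is quicker for a one-off, but it still runs everything before the eval; the static version is what you want when the stage before the eval also does something (writes a file, changes the registry) that you would rather not execute.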

2016-06-22_04

This round of scripts is similar to the ones that were sent before the Locky gang took a break. If you’ve been tracking their scripts, you know that they make a lot of changes to bypass filters, but they are essentially all AJAX downloaders.

Instead of trying to keep up with their constant script variations, I thought: why not use a web proxy? You just run the script in a VM and catch the URLs being called. There’s Fiddler, Paros, Burp, etc. I could use, but I thought I would try to make something more lightweight and portable.

URL Revealer
Here’s my take on a web proxy. This program captures the request these scripts make and drops it, so the malware is never downloaded from the Internet. This way you can see the URLs and take the necessary action quickly, without having to deobfuscate the script.

When you run URL Revealer (in a VM!), it automatically sets up a proxy server on port 8080 and writes the captured URLs to a text file in the application’s folder. Open your browser and test it to make sure it’s working properly before executing the script you want to analyze. You should also set your VM’s network adapter to “host-only” while doing this, just to be safe.

Here’s what it looks like when I run four recent Locky scripts plus two from the past two weeks:

2016-06-22_05

I killed the wscript process in between runs, otherwise the script would just keep going. URL Revealer ignores repeated hits to the same URL as long as it’s exactly the same as the one before.

When you are done, press Enter to quit so that URL Revealer can disable the proxy server. If you forget, just run URL Revealer again and hit Enter a couple of times until it quits.

If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.

2016-06-22_06

Over the past several months, I saw four methods used by various scripts to download malware from the Internet: AJAX, WinHTTP, bitsadmin, and PowerShell. URL Revealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.

You can get the program here.

Posted in Malicious Email, Malscript, Tools

Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest obfuscated Javascript technique. I made the logic generic in order to handle future versions and variants so the results may come out a bit weird (e.g. stray tick marks). But the main thing is that you’ll be able to see what these scripts are doing.

I broke out the concatenation option by script type, so the results should be somewhat better than before.

2016-02-22_01

2016-02-22_02

2016-02-22_03

I hope this works for most of the scripts you encounter. And thank you for your continued support!

Posted in Malscript, Tools

Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:

2016-02-21_01

In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.

2016-02-21_02

The string of gibberish is lined up in an array but only the last value is collected. Here, you can see the individual characters that make up the call to the URL.

2016-02-21_03

I found another script that employs the same method. In this version, the values outside of the elements between parentheses are collected. The first section spells out “ActiveXObject”.

2016-02-21_04

Here’s yet another script that uses the same method and then takes it up another level. The first section also spells out “ActiveXObject”, but this time it makes use of an interesting behavior where only the first character of the string attached to the “.e()” property is collected. Note: you need to unescape the script to convert the escaped decimal values to single characters.

2016-02-21_05

Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.

Example #1

2016-02-21_06

Example #2

2016-02-21_07

Example #3…for this one, I had to unescape the script first.

2016-02-21_08

Each of these three example scripts downloads an executable, saves it to the temp folder, then runs it.

Posted in Malicious Email, Malscript