A malicious script can hijack web browsers and prevent users from removing the attack from infected computers, researchers said.
The aggressive tactics this version uses have not been seen before, said researchers at Kahu Security.
RELATED STORIES
Ransomware Decryption Tool Releases
Ransomware Changes Extension
Awareness on Rise, Bad Habits Thrive
Few Deploy Network Segmentation
In addition, the script’s author(s) obfuscated it to hinder analysis, they said in a blog post.
The script contains variables and functions but doesn’t use whitespaces, which makes it difficult for analysts to correctly identify them. Also, the JavaScript contains encoded characters regex search/replace, unusual base conversions, and conditional statements in an effort to hide its malicious intent.
To ensure persistence on the infected machine, the script makes a copy of wscript.exe, then renames it to a random name and saves it to a new folder in the user’s AppData\Roaming directory.
The script sets specific registry keys to hide the folder, and then creates a shortcut to it in the startup folder, the researchers said. Dubbed “Start,” the shortcut tricks users into running the script. It is also meant to ensure the script runs each time Windows starts.
Moreover, the script checks if it can get access to Microsoft, Google, or Bing and then sends data about the infected computer to urchintelemetry[.]com and downloads an encrypted file from 95.153.31[.]22. This file is a script meant to change the start page in Internet Explorer, Firefox, and Chrome to login.hhtxnet[.]com.
When launching a browser, the user ends up redirected to portalne[.]ws, researchers said. The script’s command and control (C&C) website looks broken when visited, but it would deliver a response if a correct POST occurs, they added. The response, however, is hidden in the body tag and not visible to the user.
The malware also hits Windows Management Instrumentation (WMI) to make sure it can keep security software away from its tasks.