Researchers from Kahu Security have come across a new malware variant, written in JavaScript, which hijacks your browser's homepage and also shuts down your computer if you detect the intrusion and attempt to terminate its process.

Variants of this malware have been spotted online since 2014, but none as aggressive in their behavior as this latest variation.

The malware arrives on user PCs as a malicious file attachment via email spam, and despite being a JavaScript file, it is not executed inside a browser but via the Windows Script Host, the JavaScript executor built into Windows.

Malicious actions disguised under heavy obfuscation

Looking at the malware's source code, regular users won't see anything more than a jumble of random characters.

Kahu Security researchers say the script is obfuscated to hide its true payload, a series of operations that change underlying operating system settings. Besides obfuscation, the script also uses tricks like encoded characters, regex search, regex replace, unusual base conversions (the script works with base 33), and conditional statements.

Once the researchers managed to fight their way through all the entangled source code, they discovered that the script goes through the following steps:

1) Creates a new folder in the AppData\Roaming directory and hides it using a new registry key

2) Copies the legitimate Windows wscript.exe application inside this folder and gives it a random name

3) Copies itself inside this folder and creates a shortcut to itself, which it names "Start" and places in the "Startup" folder, also accessible via the Windows Start Menu

4) Assigns a fake folder icon to the Start shortcut in order to trick users into thinking it's a folder and not a file

5) The rest of the script's code checks for an Internet connection by trying to access Microsoft, Google, or Bing.

6) Sends telemetry data to urchintelemetry[.]com and downloads and runs an encrypted file from 95.153.31[.]22

7) The encrypted file is another JS script that sets the homepage of Chrome, Firefox and IE to login.hhtxnet[.]com, which at the time of writing redirects users to another site: portalne[.]ws

8) This last script uses WMI (Windows Management Instrumentation) to check for security-related software

9) If the script finds security-related software, it terminates execution with a fake error message

10) If users spot the wscript.exe process in their task manager and try to stop this process, the script executes a CLI command that immediately shuts down their computer

11) When the user restarts their PC, the "Start" shortcut in the Startup folder launches the malicious JS malware again, and it starts operating all over again

"If you end up with this script on your computer, you can easily get rid of it by restarting in Safe Mode (or logging into another account) then removing the startup link and roaming folder," Darryl, a Kahu Security expert, writes. "If you wish to analyze the script while it's running then simply rename your security tool to something benign."
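The persistence chain in the step list above (a "Start" shortcut in the Startup folder, a folder under AppData\Roaming holding a renamed copy of wscript.exe, and a wscript.exe clone running from outside the Windows directory) can be hunted for from a defender's side. The following PowerShell triage script is an added example written for this page; it is not Kahu Security's code and not part of the original article. It assumes the shortcut's file name is "Start.lnk" and that the hidden folder sits directly under %APPDATA% (the article names neither detail precisely), and it only reports what it finds rather than killing anything, because the article notes the script shuts the machine down when its process is terminated. Remove the reported items from Safe Mode, as the quoted advice recommends.

```powershell
<#
  Added triage script (not the article's or Kahu Security's code).
  Reports, without touching them, the three indicators described above:
    1. a Startup-folder shortcut named "Start" (or one launching a script file)
    2. a file directly under %APPDATA%\<folder> that is a byte-for-byte copy
       of the genuine wscript.exe (the malware renames the copy, so we match
       on SHA-256 rather than on file name)
    3. a running process whose image is such a copy outside %SystemRoot%
  Assumptions not stated in the article: shortcut file name "Start.lnk",
  staging folder is an immediate child of %APPDATA%.
#>
[CmdletBinding()]
param()

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}

# Reference hashes of the genuine interpreter(s); the clone must match one of these.
$genuineHashes = @("$env:SystemRoot\System32\wscript.exe",
                   "$env:SystemRoot\SysWOW64\wscript.exe") |
    Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-FileHash $_ -Algorithm SHA256).Hash }

# --- 1. Startup-folder shortcuts (per-user and all-users) --------------------
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Filter *.lnk -Force | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        $suspicious = ($_.BaseName -ieq 'Start') -or
                      ($cmd -match '\.(js|jse|vbs|wsf)\b') -or
                      ($lnk.TargetPath -like "$env:APPDATA*")
        if ($suspicious) {
            # The article says the shortcut carries a folder icon; record it for the analyst.
            Add-Finding 'StartupShortcut' $_.FullName "runs: $cmd ; icon: $($lnk.IconLocation)"
        }
    }
}

# --- 2. Renamed wscript.exe copies one level under %APPDATA% ----------------
# -Force includes hidden folders; we do not rely on the Hidden attribute because
# the article only says the folder is hidden "using a new registry key".
Get-ChildItem $env:APPDATA -Directory -Force | ForEach-Object {
    $folder = $_
    Get-ChildItem $folder.FullName -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $fh = Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($fh -and $genuineHashes -contains $fh.Hash) {
            $hidden = [bool]($folder.Attributes -band [IO.FileAttributes]::Hidden)
            Add-Finding 'RenamedWscript' $_.FullName "in $($folder.FullName) (hidden attribute: $hidden)"
        }
    }
}

# --- 3. Running wscript.exe clones outside the Windows directory ------------
# Report only. Do not terminate: the article reports a forced shutdown on kill.
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    $exe = $_.ExecutablePath
    if ($exe -like "$env:SystemRoot\*") { return }   # skip genuine locations
    $fh = Get-FileHash $exe -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($fh -and $genuineHashes -contains $fh.Hash) {
        Add-Finding 'RunningClone' $exe "PID $($_.ProcessId): $($_.CommandLine)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators matching the described persistence chain were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session. Matching the clone by hash rather than by name is the point of the second and third checks: renaming wscript.exe defeats any rule keyed on the process name, but the file contents are unchanged, so a SHA-256 comparison against the copy in System32 (and SysWOW64 on 64-bit Windows) still identifies it. If a hit appears under check 3, reboot into Safe Mode before deleting the shortcut and the staging folder reported by checks 1 and 2.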

New JavaScript Malware Shuts Down Your PC If You Terminate Its Process

[Image: "Start" script in Startup folder]
