Trojan:JS/Certor.A

Installation

This threat gets into your PC through email attachment from a spam campaign. It has a longer code, has more functions, and has the goal of routing your web traffic by changing your browser’s Proxy Server setting.

The email attachment pretends to be a document (.docx) from a legitimate company. Inside the .docx file is an OLE Embedded Object - a script that tries to mask itself by changing its icon to something that resembles an invoice or receipt.

The file contains a text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates to “To see a receipt, click twice on the screen.”

Double-clicking the image runs the JScript that is disguised as a harmless file.

The JS file typically has file names such as, paypal_bestellung.js and post.ch_65481315.js.

In our previous blog, Where’s the macro: Malware authors are now using OLE embedding to deliver malicious files, we have discussed this type of malware trick and talked about how to prevent them from running.

But if the script was executed, it proceeds with its malicious objective. The JScript is obfuscated to hide its code and the other script it contains. Upon deobfuscation the main script code is revealed.

Inside the main JScript code are encrypted PowerShell scripts as well as a certificate. We detect these PowerShell code as Trojan:PowerShell/Certor.A.

Payload

Changes your PC without your consent

This threat drops the following files to make changes in your PC:

• ps.ps1 - makes sure the cert.der certificate is installed so it can monitor HTTPS content and traffic
• psf.ps1 - adds its certificate to Mozilla Firefox browser
• pstp.ps1 - installs the tor client, task scheduler, and proxifier

The main JScript changes the following registry key to modify your Internet Explorer’s proxy settings:
AutoConfigURL http://pysvonjm6a7idbkz.onion/rejtyahF.js?ip=<host ip addres>

We have checked the URL and found the following function residing in it:
Upon the script deobfuscation, the following readable function is revealed:

function FindProxyForURL(url,host){return"DIRECT"}

At this point the system is fully infected and the web traffic including HTTPS can be seen by the proxy server it assigned.

Analysis by Alden Pornasdoro and Vincent Tiu