Malware News New JavaScript Malware Shuts Down Your PC If You Terminate Its Process

Exterminator

Researchers from Kahu Security have come across a new malware variant, coded in JavaScript, which hijacks your browser's homepage but will also shut down your computer if you detect the intrusion and attempt to terminate its process.

Variants of this malware have been spotted online since 2014, but not as aggressive in their behavior as this latest variation.

The malware arrives on user PCs as a malicious file attachment via email spam, and despite being a JavaScript file, it is not executed inside a browser, but via the Windows Script Host, the Windows built-in JavaScript executor.

Malicious actions disguised under heavy obfuscation
Looking at the malware's source code, regular users won't see anything more than a jumble of random characters.

Kahu Security researchers say the script is obfuscated to hide its true payload, a series of operations that change underlying operating system settings. Besides obfuscation, the script also uses tricks like encoded characters, regex search, regex replace, unusual base conversions (script works with base33), and conditional statements.

Once the researchers managed to fight their way through all the entangled source code, they discovered that the script goes through the following steps:

1) Creates a new folder in the AppData\Roaming directory and hides it using a new registry key

2) Copies the legitimate Windows wscript.exe application inside this folder and gives it a random name

3) Copies itself inside this folder and creates a shortcut to itself, which it names "Start" and places in the "Startup" folder, also accessible via the Windows Start Menu

4) Assigns a fake folder icon to the Start shortcut in order to trick users into thinking it's a folder and not a file

5) The rest of the script's code checks for an Internet connection by trying to access Microsoft, Google, or Bing.

6) Sends telemetry data to urchintelemetry[.]com and downloads and runs an encrypted file from 95.153.31[.]22

7) The encrypted file is another JS script that sets the homepage of Chrome, Firefox and IE to login.hhtxnet[.]com, which at the time of writing redirects users to another site: portalne[.]ws

8) This last script uses WMI (Windows Management Instrumentation) to check for security-related software

9) If the script finds security-related software, it terminates execution with a fake error message

10) If users spot the wscript.exe process in their task manager and try to stop this process, the script executes a CLI command that immediately shuts down their computer

11) When the user restarts his PC, because of the "Start" script in the Startup menu, the malicious JS malware starts operating all over again

"If you end up with this script on your computer, you can easily get rid of it by restarting in Safe Mode (or logging into another account) then removing the startup link and roaming folder," Darryl, Kahu Security expert writes. "If you wish to analyze the script while it’s running then simply rename your security tool to something benign."

DardiM

Thanks for the share :)

Disable Windows Script Host (wscript.exe) and the command-line script host (cscript.exe).

This keeps coming up over-and-over...
+∞

A lot of ransomware and other malware is downloaded and run by obfuscated scripts (very easy to make/modify to be "zero-days").
=> some of the files downloaded using these scripts can also be obfuscated files, so as not to be detected when downloaded, and modified afterwards (see my analysis posts, in particular about nemucod samples)
=> some of the malware (exe, doc, etc.) is hard-coded in the script, in an obfuscated string, and the data is prepared and put in a freshly created file, and run.

Without the "help" of wscript.exe or cscript.exe, a very big part of infections could have been avoided...

An error in the explanation article: the researchers say
And focus on this part first:
(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)

=> ":w\x88ECZ~\x89D&5Fr"
=> ":wêECZ~ëD&5Fr"

(9) => 0,1,2,3,4,5,6,7,8,9 => 10th char : "&" => code : 38 => ok

This becomes:

5 + 38 * 932840649 = 35447944667 => ok

Then we look at this part:
("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0)

=> "*t3\x856<Ajl\x87OfF"
=> "*t3..........."

(2) => 0,1,2 => 3rd char : "3" => code : 51 (not 116 => "t")

116 * 0 + 33 = 33 => in reality : 51 * 0 + 33 = 33

It doesn't change anything here, because of the * 0 part,
but I wanted to share it with you :)
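An added example, not from this thread or from Kahu Security's write-up: a small Node.js helper that statically folds the `"…"['charCodeAt'](n)` lookups and the constant arithmetic around them, so index-and-character claims like the two above can be checked without running the sample. The two inputs are the exact expressions quoted above; the function names and the whitelist-then-evaluate approach are assumptions of this example.

```javascript
// Decode the escape sequences found inside one JS string literal
// (\xNN, \uNNNN and the common single-character escapes).
function decodeJsString(lit) {
  return lit.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)/g, (m, e) => {
    if (e[0] === 'x' || e[0] === 'u') return String.fromCharCode(parseInt(e.slice(1), 16));
    const simple = { n: '\n', r: '\r', t: '\t', '0': '\0', b: '\b', f: '\f', v: '\v' };
    return e in simple ? simple[e] : e;   // \" \\ \' map to themselves
  });
}

// "literal"['charCodeAt'](index) or "literal".charCodeAt(index)
const CHARCODE_RE =
  /"((?:[^"\\]|\\.)*)"\s*(?:\['charCodeAt'\]|\.charCodeAt)\s*\(\s*(\d+)\s*\)/g;

// Replace each lookup with its numeric char code and keep a trace
// (index, character, code) so every substitution can be checked by hand.
function foldCharCodeAt(src) {
  const trace = [];
  const out = src.replace(CHARCODE_RE, (m, lit, idx) => {
    const s = decodeJsString(lit);
    const i = Number(idx);
    const code = s.charCodeAt(i);          // NaN if the index is out of range
    trace.push({ index: i, char: s[i], code });
    return Number.isNaN(code) ? 'NaN' : String(code);
  });
  return { out, trace };
}

// Evaluate only pure constant arithmetic: digits, '.', whitespace,
// parentheses and + - * /. Anything else is rejected, so no script
// logic from the sample can run.
function foldConstantArithmetic(expr) {
  if (!/^[\d\s().+\-*\/]+$/.test(expr)) throw new Error('non-constant expression: ' + expr);
  return Function('"use strict"; return (' + expr + ');')();
}

function deobfuscateExpression(src) {
  const { out, trace } = foldCharCodeAt(src);
  return { folded: out, value: foldConstantArithmetic(out), trace };
}

// The two fragments quoted in the post (String.raw keeps the \x escapes
// as they appear in the obfuscated source).
const SAMPLE_1 = String.raw`(5.0+":w\x88ECZ~\x89D&5Fr"['charCodeAt'](9)*932840649)`;
const SAMPLE_2 = String.raw`("*t3\x856<Ajl\x87OfF"['charCodeAt'](2)*0+33.0)`;

console.log(deobfuscateExpression(SAMPLE_1));   // value 35447944667, char '&' (38)
console.log(deobfuscateExpression(SAMPLE_2));   // value 33, char '3' (51), not 't'
```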
