Variants of this malware have been spotted online since 2014, but none as aggressive in their behavior as this latest variation.
To regular users, the malware’s source code looks like nothing more than a jumble of random characters.
Kahu Security researchers say the script is obfuscated to hide its true payload, a series of operations that change underlying operating system settings. Besides obfuscation, the script also uses tricks like encoded characters, regex search, regex replace, unusual base conversions (script works with base33), and conditional statements.
Once the researchers managed to fight their way through all the entangled source code, they discovered that the script goes through the following steps:
1) Creates a new folder in the AppData\Roaming directory and hides it using a new registry key
2) Copies the legitimate Windows wscript.exe application inside this folder and gives it a random name
3) Copies itself inside this folder and creates a shortcut to itself, which it names “Start” and places in the “Startup” folder, also accessible via the Windows Start Menu
4) Assigns a fake folder icon to the Start shortcut in order to trick users into thinking it’s a folder and not a file
5) The rest of the script’s code checks for an Internet connection by trying to access Microsoft, Google, or Bing.
6) Sends telemetry data to urchintelemetry[.]com and downloads and runs an encrypted file from 95.153.31[.]22
7) The encrypted file is another JS script that sets the homepage of Chrome, Firefox and IE to login.hhtxnet[.]com, which at the time of writing redirects users to another site: portalne[.]ws
8) This last script uses WMI (Windows Management Instrumentation) to check for security-related software
9) If the script finds security-related software, it terminates execution with a fake error message
10) If users spot the wscript.exe process in their task manager and try to stop this process, the script executes a CLI command that immediately shuts down their computer
11) When the user restarts their PC, because of the “Start” shortcut in the Startup folder, the malicious JS malware starts operating all over again
“If you end up with this script on your computer, you can easily get rid of it by restarting in Safe Mode (or logging into another account) then removing the startup link and roaming folder,” writes Darryl, a Kahu Security expert. “If you wish to analyze the script while it’s running then simply rename your security tool to something benign.”
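An added triage check for the persistence described above, written for this page rather than taken from Kahu Security’s analysis or the sample itself: it lists Startup-folder shortcuts that point into AppData\Roaming, launch a renamed copy of wscript.exe, or wear an icon borrowed from another file, and then hidden Roaming folders holding such a copy. It assumes PowerShell 4 or later (for Get-FileHash) and reads shortcuts through the WScript.Shell COM object.

```powershell
# Added triage script (not part of Kahu Security's write-up). Run it in Safe Mode or from
# another account, as the write-up suggests, before removing the link and the roaming folder.
# Nothing here is hard-coded from the sample; every path is resolved at runtime.

$startup = [Environment]::GetFolderPath('Startup')
$roaming = [Environment]::GetFolderPath('ApplicationData')

# SHA-256 of the genuine wscript.exe binaries (32- and 64-bit), used to recognise renamed copies.
$genuine = @("$env:SystemRoot\System32\wscript.exe", "$env:SystemRoot\SysWOW64\wscript.exe") |
    Where-Object { Test-Path $_ }
$knownHashes = $genuine | ForEach-Object { (Get-FileHash $_ -Algorithm SHA256).Hash }

$shell = New-Object -ComObject WScript.Shell
$report = foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -Force) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    $target = $sc.TargetPath
    $reasons = @()

    if ($target -like "$roaming*") { $reasons += 'target lives under AppData\Roaming' }

    if ($target -and (Test-Path $target)) {
        $hash = (Get-FileHash $target -Algorithm SHA256).Hash
        if ($knownHashes -contains $hash -and $genuine -notcontains $target) {
            $reasons += 'target is a renamed copy of wscript.exe'
        }
    }

    if ($sc.Arguments -match '\.jse?\b') { $reasons += 'arguments launch a .js/.jse script' }

    # A custom icon taken from a file other than the target (e.g. a folder icon) is suspicious;
    # IconLocation is ",0" when no custom icon is set, which yields an empty file part here.
    $iconFile = ($sc.IconLocation -split ',')[0]
    if ($iconFile -and $iconFile -ne $target) { $reasons += "icon borrowed from $iconFile" }

    if ($reasons) {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Arguments = $sc.Arguments
            Reasons   = $reasons -join '; '
        }
    }
}
$report | Format-List

# Hidden folders directly under AppData\Roaming that contain a byte-identical copy of wscript.exe.
Get-ChildItem -Path $roaming -Directory -Force | Where-Object { $_.Attributes -band 'Hidden' } |
    ForEach-Object { Get-ChildItem $_.FullName -File -Force } |
    Where-Object { $knownHashes -contains (Get-FileHash $_.FullName -Algorithm SHA256).Hash } |
    Select-Object FullName
```

Each flagged shortcut is listed with the reasons it matched, so a legitimate entry that trips only one heuristic can be told apart from one that matches all of them.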