User's information redirected to malicious proxy servers

UNAM-CERT recently received a report about a malicious file that redirects the traffic of infected users to a proxy server in order to read specific data and steal credentials for legitimate sites without the user noticing; for this reason, an investigation of the case was started.


Files with the "PAC" (Proxy Auto-Config) extension define whether or not web browsers use a proxy server by means of the JavaScript function FindProxyForURL(url, host). For each URL accessed, this function returns the access settings: either the traffic passes through a proxy, or it is sent directly to the site the user wants to visit.


The PAC file was obfuscated; malware authors often try to hide their true intentions so that victims do not suspect malicious activity. Therefore, through reverse engineering, the file was de-obfuscated to obtain the following clear text:


-          At the beginning of the file the variable "n" is declared; it contains an array with the list of the sites the attacker is targeting.

-          In the following code there is a "for" loop that goes through the list of target sites and replaces part of each string in order to reconstruct the sites to attack. Using this technique the malicious code may go unnoticed by scans that look for patterns of commonly attacked sites.


-          After that come the sequences that build the strings. For example, if the pattern “caixa” is in the list of sites defined by the attacker, the string remains the same; if "hotmail" or "gmail" are found, “com” gets concatenated to them; and finally, any other string gets completed with “".


-         At the end of the code, the proxy to be used when the victim visits a site that matches one of those defined by the attacker is specified. With return "DIRECT"; it is specified that any other address entered in the browser that is not in the list of target sites can be visited without going through the proxy.


When the victim makes a request through their browser to an address from the list defined by the attacker, the traffic is directed to the proxy server with the IP address 59.1XX.X.54 on port 80, and only then, possibly, forwarded to the legitimate site.


The attack, in this case, is aimed at Brazilian banking sites, but it was also found to be directed at the Gmail and Hotmail sites.


Possible scenarios:


1) The victim enters an address from the attacker's list in the browser:



When the information passes through the proxy server, the attacker could modify it, steal credentials, serve their own phishing site, or simply not forward the request to the legitimate site at all.


We did a proof of concept with the Hotmail site, without loading the malicious PAC file.



Subsequently, we loaded the configuration file in Firefox and tested again.




In the screenshot you can see that the connection has been established to the malicious site instead.



2) The victim enters an address in their browser that does not appear on the attacker's list:



Addresses not listed in the malicious PAC file are reached directly without going through the proxy server.



When entering the IP address of the proxy server in the browser, some antivirus solutions display a security warning because the site is flagged as malicious.

It then continues to the site, but redirects us to another port that had been opened.



The IP address of the proxy server is located in India, and at the time this analysis was written the site was still online.