Since security researchers have shared information about web proxy configuration in operating systems and browsers can be misused to steal user data, hackers have figured out how.
A team of Microsoft Malware researchers spotted, as well as analyzed a new attack that utilizes Word documents with malicious code, with no need to install traditional malware. It configures browsers to use a web proxy controlled by the hackers themselves.
The hackers are also using this to install a self-signed root certificate on the victim’s computer so that they can peek on encrypted HTTPS traffic as it passes through the servers that are under their control.
From there, the code is obfuscated, with its purpose being to dro and execute several PowerShell scripts. This is a scripting environment built into Windows and allows automation of administrative tasks.
One of the scripts will deploy the root certificate, and will later be used for spying on HTTPS traffic. Another script will add the same certificate to the victims Firefox browser. This happens because Mozilla uses a different certificate store from Windows.
A third script installs a client that will allow the computer to connect to Tor. This happens because the hackers are using a .onion address to host the proxy configuration file. The systems settings are modified in the registry to go to the .onion, allowing the hackers to change proxy servers in the future with ease when the original is taken down.
“At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information or web credentials could be stolen remotely, without user awareness,” researchers at Microsoft said.
Recently this month at DEF CON and the Back Hat Security Conference researchers revieled how a man in the middle attack can misuse the web proxy auto discovery protocol. They remotely hijacked people’s online accounts and stole their information; even when those devices used a VPN and encrypted HTTPS.
If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.