
Discovered Trojan is able to change the proxy settings and to intercept HTTPS traffic

by sigismund » 2016-08-30 18:24:28


The malware modifies the proxy settings in the Windows registry and installs a certificate, allowing attackers to listen in on encrypted traffic.


Experts at Microsoft have warned users about a new Trojan that is able to modify proxy server settings in order to "listen in" on encrypted traffic and steal credentials and other important information.

To distribute the malware, dubbed Trojan:JS/Certor.A, the attackers use traditional techniques, in particular spam. The emails carry an attached Microsoft Word document that contains an embedded OLE object; opening it runs JScript. The script is disguised as a harmless file so as not to attract the user's attention. In reality the code contains several PowerShell scripts and its own certificate, which is then used to track and intercept HTTPS traffic.

Once on the system, the malware modifies the Internet Explorer proxy settings in the Windows registry and installs a Tor client, a scheduled task, a utility for tunneling through proxies and a certificate, allowing attackers to listen in on encrypted traffic. In addition, the Trojan installs another certificate for Mozilla Firefox, since this browser uses its own proxy settings.
All traffic is then redirected to an attacker-controlled proxy server. As a result, the attackers can remotely monitor, redirect or modify the traffic and steal the victim's important data.
sigismund
moderators
Posts: 788
Deposit: 0 BTC

Rating: 5
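The post names four places the Trojan touches: the WinINET proxy settings in HKCU, a root certificate in the Windows store, a separate certificate for Firefox (which keeps its own trust store in cert8.db/cert9.db), and a scheduled task. Below is an added PowerShell audit script for checking a single Windows host for those artifacts; it is not code from the post or from Microsoft's write-up, and the list of tunneling binaries in $suspectBinaries is my assumption for illustration, not an indicator taken from Certor.A.

```powershell
<#
  Added example, not part of the original post. Audits the persistence points
  the post describes on the local Windows machine:
    1. WinINET (Internet Explorer) proxy settings under HKCU
    2. Root certificates present only in the current user's store
       (a non-admin dropper can add one there without elevation)
    3. Firefox NSS certificate databases, which Windows tooling cannot parse
    4. Scheduled tasks that launch a script host or a tunneling binary
  Run as the affected user. $suspectBinaries is an assumed, tunable pattern.
#>

$findings = @()

# 1. Proxy settings. ProxyEnable=1 with a ProxyServer, or an AutoConfigURL (PAC),
#    should only exist if your environment actually deploys a proxy.
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy    = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -eq 1) {
    $findings += "WinINET proxy enabled: ProxyServer='$($proxy.ProxyServer)' ProxyOverride='$($proxy.ProxyOverride)'"
}
if ($proxy.AutoConfigURL) {
    $findings += "WinINET PAC script configured: AutoConfigURL='$($proxy.AutoConfigURL)'"
}

# 2. Root CAs trusted only for this user. Anything in CurrentUser\Root that is absent
#    from LocalMachine\Root deserves a look: that is where a user-level script lands.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
foreach ($cert in Get-ChildItem Cert:\CurrentUser\Root) {
    if ($machineRoots -notcontains $cert.Thumbprint) {
        $findings += "User-only root CA: '$($cert.Subject)' thumbprint=$($cert.Thumbprint) valid from $($cert.NotBefore.ToShortDateString())"
    }
}

# 3. Firefox keeps its own trust store (cert8.db in older builds, cert9.db in newer ones)
#    inside each profile. Report the files and their modification time so you know
#    which profile to inspect with NSS certutil (certutil -L -d <profile dir>).
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    $dbs = Get-ChildItem -Path $ffProfiles -Recurse -Include 'cert8.db','cert9.db' -ErrorAction SilentlyContinue
    foreach ($db in $dbs) {
        $findings += "Firefox trust store: $($db.FullName) last written $($db.LastWriteTime)"
    }
}

# 4. Scheduled tasks whose action runs a script host or a tunneling tool.
$suspectBinaries = 'powershell|wscript|cscript|mshta|tor\.exe|plink|socat|ncat'   # assumption: tune for your estate
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $suspectBinaries) {
            $findings += "Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $cmd"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No proxy, user-only root CA, Firefox store or suspicious task findings.'
} else {
    foreach ($f in $findings) { Write-Warning $f }
}

# Remediation for a confirmed hit (deliberately not run automatically):
#   Set-ItemProperty   -Path $proxyKey -Name ProxyEnable -Value 0
#   Remove-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue
#   Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq '<thumbprint>' | Remove-Item
#   Unregister-ScheduledTask -TaskName '<name>' -TaskPath '<path>' -Confirm:$false
```

The script only reports; clearing the proxy and removing the certificate without also removing the scheduled task and the dropped tunneling binaries is pointless, because the task will re-apply the settings. A root CA that appears only in the user store is the single strongest indicator here: legitimate enterprise roots are pushed to LocalMachine\Root by Group Policy, and a malicious JScript running as the user can write only to the user store.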