
Proxy auto-config or PAC files are commonly used by IT departments to update browser settings so that internet traffic passes through the corporate web gateway. The ability to redirect web traffic to malicious proxy servers is particularly attractive for malicious actors since it gives them a method of intercepting and modifying traffic to and from websites from which they can gain financially.

Malicious PAC files have been described since 2005 [1], but this obfuscated example contains a timely festive message. The Portuguese phrase for “Happy Christmas”, “Feliz Natal”, is used to encode the IP address of the malicious proxy, 199.188.72.87.

[Image: feliz_natal]

The obfuscated strings contain references to a large set of international and Brazilian websites, ranging from hotmail.com and americanexpress.com to banconordests.gov.br and paypal.com.br. When downloaded, the PAC file modifies the browser settings so that any request to one of the listed domains is redirected to the specified proxy server, 199.188.72.87.

The malicious file named raio.pac, md5 d7b1a0fe59a2dda2fef0bf491cd0968a, is hosted at escoladesampa2divisao.com/luz/raio.pac. However, the PAC file itself does not describe what happens when a victim connects to the proxy while trying to access one of the redirected domains. The proxy may act to impersonate the requested website, or may conduct a man-in-the-middle attack to intercept communications between the victim and the intended website. Given that the majority of the domains listed in the file are those of financial organisations, it’s likely that the individuals behind this attack are seeking to gain access to financial details.

Not all malware is sophisticated. Relatively simple approaches, such as the use of PAC files to redirect or intercept web requests, are still being used by malicious actors. Network filtering solutions such as the appliance-based Web Security Appliance (WSA) or the cloud-based Cloud Web Security (CWS) can block web connections to malicious proxy servers, preventing loss of information and the facilitation of unauthorised access to financial services.

References
1. “Malicious PAC script can escalate privilege”, https://bugzilla.mozilla.org/show_bug.cgi?id=321101



Authors

Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos