Microsoft warns of malware that changes proxy settings to eavesdrop on encrypted connections

Microsoft warns Office users of a new attack in which cybercriminals try to modify a computer's proxy settings through a malicious Word document. By pointing the proxy at a server they control, the attackers can monitor and manipulate the victim's internet traffic.


This lets them eavesdrop on the connection and intercept passwords and other sensitive information. Because the malware also installs the attackers' own certificate as a trusted certificate, the browser accepts the certificates the malicious proxy presents for HTTPS sites, so the criminals can read even encrypted traffic without the victim seeing a certificate warning.

To get the proxy settings changed, the cybercriminals rely on the usual social-engineering trick: an email with a malicious attachment. The attachment is a .docx Word document containing an embedded OLE object, in this case a script placed among the document text. When users click the object, Office asks whether they want to run the script. If they allow it, the script can install malware or perform other actions on the computer.

Here the script modifies the proxy settings in the Windows Registry and installs a certificate that lets the attackers read encrypted traffic. A certificate is also installed separately for Firefox, because that browser keeps its own proxy configuration and certificate store rather than using the Windows settings.

Microsoft once again advises users to open only messages from trusted people and websites. The company also provides a registry setting that prevents embedded OLE objects in documents from being executed.
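As an added example that is not part of the original article or of Microsoft's advisory, the PowerShell script below performs the checks a responder would want on a Windows host after this kind of attack: it reads the WinINET proxy values in the Registry, flags recently issued self-signed root certificates in the user and machine root stores, looks at Firefox's own proxy preferences and certificate database, and, with the `-Harden` switch, sets the Word value that stops embedded OLE (Packager) objects from executing. Assumptions: the registry paths under `Internet Settings` and the Firefox profile layout are the standard ones; the `PackagerPrompt` value under `HKCU\Software\Microsoft\Office\<version>\Word\Security` is not named in the article and is taken from Microsoft's published guidance for Office 2013 (15.0) and 2016 (16.0), so verify it against your Office version before relying on it; the 30-day window for "recent" certificates is an arbitrary triage threshold.

```powershell
# Added example (not the article's or Microsoft's code): triage and optional
# hardening for the proxy/certificate tampering described above.
# Run in an elevated PowerShell prompt on the suspected host.
param([switch]$Harden)

$findings = @()

# 1. WinINET proxy settings, used by Internet Explorer, Edge, Chrome and most
#    Windows applications. A proxy or PAC URL the user never configured is the
#    first indicator of this attack.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
    $findings += "Proxy enabled: $($p.ProxyServer)"
}
if ($p.AutoConfigURL) {
    $findings += "PAC script configured: $($p.AutoConfigURL)"
}

# 2. Trusted root stores. A self-signed root whose validity only started
#    recently is the typical artifact of a freshly generated interception CA.
#    (NotBefore is the certificate's own start date, not the install time,
#    so this is a heuristic; review the full list when in doubt.)
$recent = (Get-Date).AddDays(-30)   # assumption: arbitrary triage window
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $recent
    } | ForEach-Object {
        $findings += "Recent self-signed root in ${store}: $($_.Subject) [$($_.Thumbprint)]"
    }
}

# 3. Firefox keeps its own proxy prefs (prefs.js) and its own trust store
#    (cert9.db, or cert8.db in older versions), so the Windows checks above
#    say nothing about it. network.proxy.type 1 = manual, 2 = PAC script.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    foreach ($prof in Get-ChildItem -Path $ffProfiles -Directory) {
        $prefs = Join-Path $prof.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
                ForEach-Object { $findings += "Firefox $($prof.Name): $($_.Line.Trim())" }
        }
        foreach ($db in 'cert9.db', 'cert8.db') {
            $path = Join-Path $prof.FullName $db
            if (Test-Path $path) {
                $findings += "Firefox $($prof.Name): $db last written $((Get-Item $path).LastWriteTime)"
            }
        }
    }
}

# 4. Hardening (opt-in): PackagerPrompt = 2 means "no prompt, object does not
#    execute" for embedded Packager/OLE objects. Assumption: value and key
#    layout as documented by Microsoft for Office 2013 (15.0) and 2016 (16.0).
if ($Harden) {
    foreach ($ver in '15.0', '16.0') {
        if (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word") {
            $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name PackagerPrompt -PropertyType DWord -Value 2 -Force | Out-Null
            $findings += "Set PackagerPrompt=2 for Word $ver"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No proxy, root-certificate or Firefox findings.' }
```

Run it without arguments first to collect indicators; a proxy entry or PAC URL pointing outside the organisation, together with a newly issued self-signed root, matches the behaviour the article describes and the host should be taken off the network rather than just cleaned. Only after the Office version and key have been confirmed should `-Harden` be used, because the value silently blocks every embedded object, including legitimate ones.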