Newly Discovered Malware Shuts down the PC If the Process Is Terminated

Security Researchers from Kahu Security uncovered a new JavaScript malware that shuts down the computer if the dangerous process is terminated.

The New Malware Shuts down the PC If Its Process Is Terminated by the User

Security experts from Kahu Security discovered a new malware, programmed in JavaScript, that hijacks the victim browsers and shuts down the computer if the user attempts to terminate the process. This is the latest iteration of a series of malware variants that have been active since 2014. However the latest update has proved to be even more aggressive than previous samples.

The threat is delivered via spam email campaigns. The interesting thing is that the JavaScript code is not executed inside a browser, but by the Windows Script Host which is Windows’s built-in JavaScript executor. The script itself is obfuscated to hide the payload. The malware developers have also used encoded characters, regex modifications and conditional statements to further conceal the malware.

The behaviour of the threat has been identified to perform the following actions:

  1. Create a new folder in the AppDataRoaming location and hides it using a new registry key entry
  2. Copies the Windows wscript.exe application inside this folder and renames it with a randon name
  3. The malware copies itself to the folder and creates a shortcut to itself that is named “Start”. It is then plcaed in the “Startup” folder, which is also accesible via the Windows Start Menu
  4. The malware assigns a fake folder icon the “Start” shorcut to trick the user into thinking that it is a folder and not an actual file
  5. The code checks for an active Internet connection by polling the Microsoft, Google or Bing servers
  6. The malware sends telemetry information to urchintelemetry[.]com and then downloads and runs an encrypted file from 95.153.31[.]22
  7. The encrypted file contains another JS script which modifies the default home page of the Chrome, Firefox and Internet Explorer browsers to login.hhtxnet[.]com. This is a redirection page to portalne[.]ws
  8. The last script uses the Windows Management Instrumentation (WMI) to detect any security software
  9. The application terminates if any security measures are detected
  10. The malware shuts down the computer when the user attempts to stop the process by manipulating the task using the task manager
  11. When a user restart is initiated, the malware starts to execute itself again when the system is booted.


Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *