
Archived

This topic is now archived and is closed to further replies.

simplicissimus

Malware on the website "Börse Stuttgart"


Hello,

Since yesterday I have been getting a warning (JS/Packed.Agent.D) when I visit the website: hxxps://www.boerse-stuttgart.de/de-de/produkte/indizes/db2ke7-db-dax-indikation

Quote

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Zeit">15.01.2020 22:55:07</COLUMN>
      <COLUMN NAME="Scanner">Echtzeit-Dateischutz</COLUMN>
      <COLUMN NAME="Objekttyp">Datei</COLUMN>
      <COLUMN NAME="Objekt">D:\Mozilla\Firefox\Profiles\xxxxxx.default\cache2\entries\55106E963414B545963703858BF6A8B91292E438</COLUMN>
      <COLUMN NAME="Erkennung">JS/Packed.Agent.D verdächtige Datei</COLUMN>
      <COLUMN NAME="Aktion">Gesäubert durch Löschen</COLUMN>
      <COLUMN NAME="Benutzer">xxxxxx</COLUMN>
      <COLUMN NAME="Information">Ereignis beim Erstellen einer neuen Datei durch die Anwendung: C:\Program Files\Mozilla Firefox\firefox.exe (3B75F26A7393E722D698450CCF03E673C3F8224F).</COLUMN>
      <COLUMN NAME="Hash">424AB718072E1CA14523563CB2EDFF658560E433</COLUMN>
      <COLUMN NAME="Zuerst hier gesehen">15.01.2020 22:55:06</COLUMN>
    </RECORD>
  </LOG>
</ESET>

Is this a false positive, or has the page of this stock exchange been hacked?

I prefer to keep it blocked until you get a reply from ESET staff, but here is what Packed Agent can do:

Trojan-Downloader:W32/Agent.D is typically found on certain malicious sites. When activated, it downloads an EXE file from a website and saves it into the root directory of the C drive. The downloaded file is then run.

I've scanned the URL in VirusTotal and I didn't receive anything, but I will check other websites.

Can you change the link you have posted from https to hxxps so it will be unclickable? If it's really infected, it won't infect someone who clicks it by mistake.

Any.run, VirusTotal and Hybrid-Analysis have found nothing.

But one test with Firefox in Any.run shows some suspicious activity; it could be a false positive:
https://app.any.run/tasks/7f3b3ef4-9384-4276-8ed5-34412ff7875d/


Quttera flags it as potentially suspicious: https://quttera.com/detailed_report/www.boerse-stuttgart.de

Quote

/assets/statics/chartiq.js?v=637110457080000000

Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[' ())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))']] of length 100 which may point to obfuscation or shellcode.
Threat dump:
Threat dump MD5: 674FEB7593D13ECD11CB235265E0DED3
File size [byte]: 1396190
File type: ASCII
Page/File MD5: E3C2CFE36CFC9030463C0E546B7BADD2
Scan duration [sec]: 104.968

Since Eset detected a packed malicious JavaScript, it appears its detection is correct.

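The Quttera finding above is a low-entropy check: a 100-character window that is almost entirely one symbol. The script below, which is an added example and not from this thread or from Quttera, reproduces that kind of check over a constructed JavaScript fragment containing the reported parenthesis run, so a responder can triage a script locally before deciding whether a detection is a false positive.

```python
import math
from collections import Counter

# Constructed sample: the string Quttera reported (a space, one "(" and 98 ")",
# length 100) embedded in a made-up, otherwise ordinary JavaScript fragment.
LOW_ENTROPY_RUN = " (" + ")" * 98
SAMPLE_JS = (
    "function render(el, data) {\n"
    "  var chart = new Chart(el, {type: 'line', data: data});\n"
    "  return chart;\n"
    "}\n"
    'var pad = "' + LOW_ENTROPY_RUN + '";\n'
)

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def find_low_entropy_regions(text, window=100, threshold=1.0):
    """Slide a window over text and return merged regions in which some window's
    entropy drops below threshold. start/end are window start offsets.
    Hand-written JavaScript sits around 4 bits/char; a 100-char window near
    0 bits is padding or an obfuscation artefact worth reviewing, not proof
    of malice on its own."""
    regions = []
    for i in range(len(text) - window + 1):
        h = shannon_entropy(text[i:i + window])
        if h >= threshold:
            continue
        if regions and regions[-1]["end"] == i - 1:
            r = regions[-1]          # extend the current contiguous region
            r["end"] = i
            if h < r["min_entropy"]:
                r["min_entropy"], r["min_offset"] = h, i
        else:
            regions.append({"start": i, "end": i, "min_entropy": h, "min_offset": i})
    return regions

if __name__ == "__main__":
    for r in find_low_entropy_regions(SAMPLE_JS):
        snippet = SAMPLE_JS[r["min_offset"]:r["min_offset"] + 20]
        print(f"windows {r['start']}-{r['end']}: min entropy "
              f"{r['min_entropy']:.3f} bits/char, starts {snippet!r}")
```

Run the same function over the real chartiq.js to see how many such regions exist and what surrounds them; a single run of padding characters in a 1.4 MB charting library is a much weaker signal than many low-entropy windows interleaved with eval-style code.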

Also, any.run detected malicious activity while using Firefox, but didn't when using Internet Explorer and Firefox; that's why I got confused.

29 minutes ago, Rami said:

Also, any.run detected malicious activity while using Firefox, but didn't when using Internet Explorer and Firefox; that's why I got confused.

Assuming you're running IE11 in AppContainer, it would block anything from running outside of it. Also, IE11 has built-in protection against cross-scripting attacks.

19 minutes ago, itman said:

Assuming you're running IE11 in AppContainer, it would block anything from running outside of it. Also, IE11 has built-in protection against cross-scripting attacks.

Oh my old friend IE11 is doing good.

18 minutes ago, Rami said:

Oh my old friend IE11 is doing good.

Not really.

Microsoft considers it "abandonware" and is no longer really providing security enhancements for it. It will patch known security vulnerabilities, and that's about it. Ditto for third-party sources, which have also written it off.

I fully expect MS to "pull the plug" on it in the near future, since Win 7 is no longer supported. This will definitely happen when Win 8.1 hits end of life.

1 minute ago, itman said:

Not really.

Microsoft considers it "abandonware" and is no longer really providing security enhancements for it. It will patch known security vulnerabilities, and that's about it. Ditto for third-party sources, which have also written it off.

I fully expect MS to "pull the plug" on it in the near future, since Win 7 is no longer supported. This will definitely happen when Win 8.1 hits end of life.

I still wonder why it's included instead of Edge with servers like 2019 and 2016.

But IE is used, for example, by software like the FortiVPN Client, which takes its settings from IE. I don't know why, but without it the software will not work.

I don't use IE since Windows XP days.

7 minutes ago, Rami said:

I still wonder why it's included instead of Edge with servers like 2019 and 2016.

But IE is used, for example, by software like the FortiVPN Client, which takes its settings from IE. I don't know why, but without it the software will not work.

According to this: https://azurementor.wordpress.com/2019/03/21/how-to-fix-forticlient-vpn-connection-issue-on-windows-server-2019-azure-vm/ it is only used in a VM environment.


Hello,

After some research, I increasingly suspect that the responsible file (chartiq.js) is a false positive:
hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000

It would certainly be a good idea if someone from ESET could check this.
Thanks in advance.

13 minutes ago, simplicissimus said:

After some research, I increasingly suspect that the responsible file (chartiq.js) is a false positive:
hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000

Contact the web site owner and tell them to remove the obfuscated/suspect hidden code in the script. As it stands presently, Eset has no way of determining if what is hidden is malicious or not.
