Malware on the website "Börse Stuttgart"


Hello,

Since yesterday I have been getting a warning (JS/Packed.Agent.D) when I visit the website: hxxps://www.boerse-stuttgart.de/de-de/produkte/indizes/db2ke7-db-dax-indikation

Quote

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">15.01.2020 22:55:07</COLUMN>
      <COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
      <COLUMN NAME="Object type">File</COLUMN>
      <COLUMN NAME="Object">D:\Mozilla\Firefox\Profiles\xxxxxx.default\cache2\entries\55106E963414B545963703858BF6A8B91292E438</COLUMN>
      <COLUMN NAME="Detection">JS/Packed.Agent.D suspicious file</COLUMN>
      <COLUMN NAME="Action">Cleaned by deleting</COLUMN>
      <COLUMN NAME="User">xxxxxx</COLUMN>
      <COLUMN NAME="Information">Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe (3B75F26A7393E722D698450CCF03E673C3F8224F).</COLUMN>
      <COLUMN NAME="Hash">424AB718072E1CA14523563CB2EDFF658560E433</COLUMN>
      <COLUMN NAME="First seen here">15.01.2020 22:55:06</COLUMN>
    </RECORD>
  </LOG>
</ESET>

Is this a false positive, or has the website of this stock exchange been hacked?

Edited by simplicissimus


I'd prefer to keep it blocked until you get a reply from ESET staff, but here is what Packed.Agent can do:

Trojan-Downloader:W32/Agent.D is typically found on certain malicious sites. When activated, it downloads an EXE file from a website and saves it into the root directory of the C drive. The downloaded file is then run.

I've scanned the URL on VirusTotal and didn't get anything, but I will check other websites.

Can you change the link you posted from https to hxxps so it is unclickable? Then, if it really is infected, it won't infect someone who clicks it by mistake.

Any.run, VirusTotal and Hybrid-Analysis have found nothing.

But one test with Firefox in Any.run shows some suspicious activity; it could be a false positive:
https://app.any.run/tasks/7f3b3ef4-9384-4276-8ed5-34412ff7875d/

Edited by Rami

Quttera flags it as potentially suspicious: https://quttera.com/detailed_report/www.boerse-stuttgart.de

Quote

/assets/statics/chartiq.js?v=637110457080000000

Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[' ())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))']] of length 100 which may point to obfuscation or shellcode.
Threat dump MD5: 674FEB7593D13ECD11CB235265E0DED3
File size [bytes]: 1396190
File type: ASCII
Page/File MD5: E3C2CFE36CFC9030463C0E546B7BADD2
Scan duration [sec]: 104.968

Since Eset detected a packed malicious JavaScript, it appears its detection is correct.
Edited by itman


Also, any.run detected malicious activity when using Firefox, but didn't when using Internet Explorer and Firefox; that's why I got confused.


29 minutes ago, Rami said:

Also, any.run detected malicious activity when using Firefox, but didn't when using Internet Explorer and Firefox; that's why I got confused.

Assuming you're running IE11 in AppContainer, it would block anything from running outside of it. Also, IE11 has built-in protection against cross-site scripting attacks.


19 minutes ago, itman said:

Assuming you're running IE11 in AppContainer, it would block anything from running outside of it. Also, IE11 has built-in protection against cross-site scripting attacks.

Oh my old friend IE11 is doing good.


18 minutes ago, Rami said:

Oh my old friend IE11 is doing good.

Not really.

Microsoft considers it "abandonware" and is not really providing security enhancements to it anymore. It will patch known security vulnerabilities and that's about it. Ditto for third-party sources that have also written it off.

I fully expect MS to "pull the plug" on it in the near future since Win 7 is no longer supported. Definitely this will occur when Win 8.1 hits end of life.


1 minute ago, itman said:

Not really.

Microsoft considers it "abandonware" and is not really providing security enhancements to it anymore. It will patch known security vulnerabilities and that's about it. Ditto for third-party sources that have also written it off.

I fully expect MS to "pull the plug" on it in the near future since Win 7 is no longer supported. Definitely this will occur when Win 8.1 hits end of life.

I still wonder why it's included instead of Edge with servers like 2019 and 2016.

But IE is used, for example, by software like the FortiClient VPN, which uses and takes its settings from IE. I don't know why, but without it the software will not work.

I haven't used IE since the Windows XP days.

Edited by Rami

7 minutes ago, Rami said:

I still wonder why it's included instead of Edge with servers like 2019 and 2016.

But IE is used, for example, by software like the FortiClient VPN, which uses and takes its settings from IE. I don't know why, but without it the software will not work.

According to this: https://azurementor.wordpress.com/2019/03/21/how-to-fix-forticlient-vpn-connection-issue-on-windows-server-2019-azure-vm/ it is only used in a VM environment.


Hello,

After some research I increasingly suspect that the file responsible (chartiq.js) is a false positive:
hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000

It would certainly be a good idea if someone from ESET could check this.
Thanks in advance.


13 minutes ago, simplicissimus said:

After some research I increasingly suspect that the file responsible (chartiq.js) is a false positive:
hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000

Contact the web site owner and tell them to remove the obfuscated/suspect hidden code in the script. As it stands presently, Eset has no way of determining if what is hidden is malicious or not.


This topic is now closed to further replies.