hshipmenttracker.co/


Dave W


Appears this is another browser hijacker that redirects to http://shipmenttracker.co which is malicious. Detailed analysis on Joe Sandbox here: https://www.joesandbox.com/analysis/138635/0/html .

Crud like this gets on your device by downloading freebie software and the like from non-vetted web sites. Another source is downloading cracked software.

You can try MalwareBytes free version or AdwCleaner, another free MBAM product, and see if they can get rid of it. Otherwise, it has to be manually removed, starting with uninstalling whatever crud-ware installed it in the first place. Then remove any browser extension/s it created; reset the browser to default values; remove any other residual crud it created, etc. You can also ask for removal help at web sites such as malwaretips.com and bleepingcomputer.com.


Yeah, list programmes according to date of installation and look for the ones you don't recognise that roughly correlate with when the malicious activity began, then use the steps above.

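The two posts above describe the manual triage: list installed programs by install date, look for unfamiliar entries that line up with when the redirects began, then look at what extensions the browser is carrying. The script below is an added example, not from this thread or from ESET; it reads the standard Windows Uninstall registry keys and the Chrome and Edge extension folders of the current user. The profile paths and the "Default" profile name are assumptions for a typical single-profile install.

```powershell
# Added example (not from the thread): enumerate installed programs by install date
# and list browser extensions, so unfamiliar items that appeared around the time
# of the redirects stand out for review.

# 1. Installed programs from the three Uninstall hives (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation, UninstallString |
    # InstallDate is a yyyyMMdd string, so a plain string sort gives date order.
    Sort-Object InstallDate -Descending

"=== Installed programs, newest first (blank InstallDate = not recorded) ==="
$programs | Format-Table DisplayName, Publisher, InstallDate, InstallLocation -AutoSize

# 2. Extensions present in the Chromium-based browser profiles (paths are assumptions
#    for a default single-profile install; adjust the profile name if needed).
$extensionRoots = @{
    'Chrome' = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    'Edge'   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Extensions'
}

foreach ($browser in $extensionRoots.Keys) {
    $root = $extensionRoots[$browser]
    if (-not (Test-Path $root)) { continue }
    "=== $browser extensions under $root ==="
    foreach ($idDir in Get-ChildItem -Path $root -Directory) {
        # Each extension ID folder holds one or more version folders with a manifest.json.
        foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $manifest = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
            # Names of the form __MSG_xxx__ are localized; the raw token is still
            # enough to tell a store app from something dropped by an installer.
            [pscustomobject]@{
                Browser     = $browser
                ExtensionId = $idDir.Name
                Version     = $verDir.Name
                Name        = $manifest.name
                Permissions = ($manifest.permissions -join ', ')
                Installed   = $verDir.CreationTime
            }
        }
    }
}
```

Run it in a normal PowerShell window (no elevation needed for the per-user parts; the HKLM keys are readable by standard users). Compare the ExtensionId values against the store page for anything you actually chose to install; an ID you cannot account for, or one whose folder creation time matches the first redirect, is the item to remove through the browser's extension page and then the originating program from the list above.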

I will also add this situation needs to be addressed immediately since this "puppy" is not serving up adware and the like. But rather ransomware. Also based on the Joe Sandbox analysis screen shots, the web site involved is phishing the user into thinking he is actually uninstalling a browser extension whereas the reverse is actually happening.

Refer to this article I posted a while back: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/ .

Edited by itman

Reviewing the Joe Sandbox analysis again, the attack starts by opening a disguised .jpeg file (executable, script, whatever). So assume that was delivered possibly via an e-mail attachment or embedded in a document and either opened by the user via a phishing method, link, or macro.

Opening the .jpeg file causes the default browser to open, if not so already, and connect to the malicious URL, https://shipmenttracker.co/, via redirection from https://hshipmenttracker.co/ embedded in the .jpeg file.

Another possibility is that this Shipment Tracker software shown in the Joe Sandbox analysis screen shots might even be a Google store app or the like. In any case, something like this would have led the user to believe he was responding to a legit app installation.

Edited by itman

Found the "bad guy" which is located at https://shipmenttracker.co/ . The minute you click on the Continue button, you are dead meat:

[Screenshot: Shipment_Tracker.png, the Shipment Tracker page with its Continue button]

It is also possible that this Shipment Tracker is legit software and that the attacker has hijacked the use of the web site via https://hshipmenttracker.co/. He forwards the above web page plus the licensing agreement web pages, then starts his malicious interception thereafter. I don't believe this is the case since I can't find it in the Google store.

-EDIT- One more important clarifying detail. It appears this bugger modifies its behavior depending on what browser is being used. In the Joe Sandbox analysis, IE11 was being used and the user was being asked to install a Chrome-based extension in IE11. If that doesn't raise a red flag, I don't know what does. FYI - it is manually possible to install any extension in IE11.

Note that IE11 in default configuration does not run at AppContainer integrity level. That has to be manually configured via its Advanced Settings option.

Edited by itman

A few final comments:

1. Never ever install a browser extension/add-on from a web site request. Always install the extension from the Store associated with that particular browser.

2. Never ever assume that a browser Store extension/add-on is 100% safe. Google notoriously, and Firefox to a lesser extent, do not test their Store extensions for malware prior to their being placed in the Store. Apps are usually removed only after someone has discovered one is malicious or has potentially unwanted status.

3. Configure your browser such that extensions/add-ons are not automatically added. In other words, you must manually allow the request.

4. AV solutions are, as a rule, quite poor at detecting browser extension/add-on malware. This is because the app is not a stand-alone executable but runs as a processing extension to the browser.

Edited by itman
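Point 3 above (extensions should never be added without the user explicitly allowing them) can be enforced on Chrome through Windows policy rather than left to the in-browser prompt. The script below is an added example, not from this thread; it writes the Chrome ExtensionInstallBlocklist and ExtensionInstallAllowlist policies under HKLM, which block every extension ID except the ones listed. The allow-listed IDs shown are placeholders and must be replaced with the IDs of extensions you actually want; the script must be run from an elevated prompt since it writes to HKLM.

```powershell
# Added example (not from the thread): lock down Chrome extension installs via policy.
# Blocking "*" refuses every extension, including ones pushed by an installer or a
# web page; the allowlist then re-enables only the IDs you choose.
# Run elevated. Requires Chrome 86 or later for the *list policy names.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$blocklist  = Join-Path $policyRoot 'ExtensionInstallBlocklist'
$allowlist  = Join-Path $policyRoot 'ExtensionInstallAllowlist'

# Placeholder IDs; replace with the 32-character IDs of extensions you deliberately use.
$allowedExtensionIds = @(
    'REPLACE-WITH-EXTENSION-ID-1',
    'REPLACE-WITH-EXTENSION-ID-2'
)

# Ensure the policy keys exist.
foreach ($key in @($policyRoot, $blocklist, $allowlist)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Block everything: a single list entry "1" with the value "*".
New-ItemProperty -Path $blocklist -Name '1' -Value '*' -PropertyType String -Force | Out-Null

# Clear any stale allowlist entries, then write the chosen IDs as entries 1..n.
Get-Item -Path $allowlist | Select-Object -ExpandProperty Property | ForEach-Object {
    Remove-ItemProperty -Path $allowlist -Name $_ -ErrorAction SilentlyContinue
}
$index = 1
foreach ($id in $allowedExtensionIds) {
    New-ItemProperty -Path $allowlist -Name "$index" -Value $id -PropertyType String -Force | Out-Null
    $index++
}

# Show the resulting policy so it can be checked against chrome://policy in the browser.
"Blocklist:"; Get-ItemProperty -Path $blocklist | Select-Object * -ExcludeProperty PS*
"Allowlist:"; Get-ItemProperty -Path $allowlist | Select-Object * -ExcludeProperty PS*
```

After running it, open chrome://policy and reload policies; both lists should appear as machine policies, and any attempt to add a non-listed extension, whether from a web page prompt or from an installer, is refused with a policy message rather than a yes/no dialog the user can click through. Edge supports the same two policy names under HKLM:\SOFTWARE\Policies\Microsoft\Edge if you want the same control there.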
