Dave W, Posted February 22, 2020:
How does one get rid of this: https://hshipmenttracker.co/
Marcos (Administrator), Posted February 22, 2020:
Does it open automatically in a browser, or what is the problem with it? To me it looks legitimate and it's not blocked by ESET.
itman, Posted February 22, 2020:
Appears this is another browser hijacker that redirects to http://shipmenttracker.co, which is malicious. Detailed analysis on Joe Sandbox here: https://www.joesandbox.com/analysis/138635/0/html . Crud like this gets on your device by downloading freebie software and the like from non-vetted web sites. Another source is downloading cracked software. You can try the Malwarebytes free version or AdwCleaner, another free MBAM product, and see if they can get rid of it. Otherwise, it has to be manually removed, starting with uninstalling whatever crud-ware installed it in the first place; then removing any browser extension(s) it created, resetting the browser to default values, removing any other residual crud it created, etc., etc. You can also ask for removal help at web sites such as malwaretips.com and bleepingcomputer.com.
Agathon, Posted February 22, 2020:
Yeah, list programmes according to date of installation and look for the ones you don't recognise that roughly correlate with when the malicious activity began, then use the steps above.
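The triage step described in the two posts above (find what was installed around the time the redirects started, then uninstall it) can be done from the registry Uninstall keys rather than by scrolling the Control Panel list. The script below is an added example written for this thread, not something posted by itman, Agathon or ESET; the 30-day cut-off in $Since is an assumption you adjust to shortly before the symptoms began. It reads the per-machine (64-bit and 32-bit) and per-user Uninstall keys, parses the yyyyMMdd InstallDate string where one is present, and lists recent entries first. Entries with no InstallDate are kept and sorted to the end rather than dropped, because bundled adware installers often omit that value.

```powershell
# Added example (not from the thread): inventory installed programs by install date,
# so the entries that appeared around the time the redirects began stand out.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed cut-off: adjust to a little before the malicious activity was first noticed.
$Since = (Get-Date).AddDays(-30)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate, when present, is a yyyyMMdd string rather than a real date value.
        $date = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd',
                                           [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]@{
            InstallDate     = $date
            DisplayName     = $_.DisplayName
            Publisher       = $_.Publisher
            InstallLocation = $_.InstallLocation
            UninstallString = $_.UninstallString
            RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
        }
    }

# Newest first; entries without a date sort to the end but are still shown,
# since the installers that drop browser hijackers frequently leave InstallDate blank.
$entries |
    Sort-Object { if ($_.InstallDate) { $_.InstallDate } else { [datetime]::MinValue } } -Descending |
    Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $Since } |
    Format-Table InstallDate, DisplayName, Publisher, InstallLocation, UninstallString -AutoSize
```

Entries with an empty Publisher, an InstallLocation under a user-writable directory such as AppData, or an UninstallString pointing at a script rather than a proper uninstaller deserve a closer look; the RegistryKey column tells you which hive the entry came from, which matters when the offending program was installed only for the current user.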
itman, Posted February 22, 2020 (edited):
I will also add that this situation needs to be addressed immediately, since this "puppy" is not serving up adware and the like, but rather ransomware. Also, based on the Joe Sandbox analysis screenshots, the web site involved is phishing the user into thinking he is actually uninstalling a browser extension, whereas the reverse is actually happening. Refer to this article I posted a while back: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/ .
Edited February 22, 2020 by itman
itman, Posted February 23, 2020 (edited):
Reviewing the Joe Sandbox analysis again, the attack starts by opening a disguised .jpeg file (executable, script, whatever). So assume that was delivered, possibly via an e-mail attachment or embedded in a document, and opened by the user via a phishing method, link, or macro. Opening the .jpeg file causes the default browser to open, if not already open, and connect to the malicious URL, https://shipmenttracker.co/, via redirection from https://hshipmenttracker.co/ embedded in the .jpeg file. Another possibility is that this Shipment Tracker software shown in the Joe Sandbox analysis screenshots might even be a Google store app or the like. In any case, something like this would have led the user to believe he was responding to a legit app installation.
Edited February 23, 2020 by itman
itman, Posted February 23, 2020 (edited):
Found the "bad guy", which is located at https://shipmenttracker.co/ . The minute you click on the Continue button, you are dead meat. It is also possible that this Shipment Tracker is legit software and that the attacker has hijacked the use of the web site via https://hshipmenttracker.co/ . He forwards the above web page plus the licensing agreement web pages, then starts his malicious interception thereafter. Don't believe this is the case, since I can't find it in the Google store.
-EDIT- One more important clarifying detail. It appears this bugger modifies its behavior depending on what browser is being used. In the Joe Sandbox analysis, IE11 was being used and the user was being asked to install a Chrome-based extension in IE11. If that doesn't raise a red flag, I don't know what does. FYI - it is manually possible to install any extension in IE11. Note that IE11 in its default configuration does not run at AppContainer integrity level. That has to be manually configured via its Advanced Settings option.
Edited February 24, 2020 by itman
itman, Posted February 23, 2020 (edited):
A few final comments:
1. Never ever install a browser extension/add-on from a web site request. Always install the extension from the Store associated with that particular browser.
2. Never ever absolutely assume that a browser Store extension/add-on is 100% safe. Google notoriously, and Firefox to a lesser extent, do not test their Store extensions for malware prior to them being placed in the Store. Apps are usually removed only after someone has discovered one is malicious or has potentially unwanted status.
3. Configure your browser such that extensions/add-ons are not automatically added. In other words, you must manually allow the request.
4. AV solutions are, as a rule, quite poor at detecting browser extension/add-on malware. This is because the app is not a stand-alone executable but is running as a processing extension to the browser.
Edited February 23, 2020 by itman
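Because, as the post above notes, AV engines see extension malware poorly, the practical defence is to know exactly which extensions are present and where each one came from. The script below is an added example for this thread, not code from itman or from ESET. It walks the current user's Chrome and Edge profile folders, reads each installed extension's manifest.json, and flags any whose update_url is not the browser's own store endpoint (the two store URLs are the documented ones; anything else, or a missing update_url, indicates a sideloaded package). It then prints extension ids registered through the ExtensionInstallForcelist policy keys and the legacy per-machine Chrome Extensions registry keys, which install silently without the Store prompt and so bypass the "manually allow the request" setting in point 3.

```powershell
# Added example (not from the thread): inventory Chrome/Edge extensions per profile,
# flag those not delivered by the browser's own store, and list extensions pushed
# through policy or the legacy registry install keys.
$storeUpdateUrls = @(
    'https://clients2.google.com/service/update2/crx',          # Chrome Web Store
    'https://edge.microsoft.com/extensionwebstorebase/v1/crx'   # Microsoft Edge Add-ons
)

$userDataDirs = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)

$report = foreach ($userData in $userDataDirs) {
    if (-not (Test-Path $userData)) { continue }
    $browser = Split-Path (Split-Path $userData -Parent) -Leaf   # 'Chrome' or 'Edge'
    # Profiles live in 'Default' plus 'Profile 1', 'Profile 2', ...
    $profiles = Get-ChildItem -Path $userData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each 32-character extension id folder holds one sub-folder per installed version.
            foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
                $fromStore = $storeUpdateUrls -contains $m.update_url
                [pscustomobject]@{
                    Browser   = $browser
                    Profile   = $profile.Name
                    Id        = $idDir.Name
                    Version   = $m.version
                    Name      = $m.name      # '__MSG_x__' means a localised name; see the _locales folder
                    UpdateUrl = $m.update_url
                    Flag      = if ($fromStore) { '' } else { 'NOT FROM STORE' }
                }
            }
        }
    }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# Extensions installed by policy or via the legacy registry keys never pass through
# the Store prompt, so they are a favourite foothold for hijackers. Forcelist values are
# numbered and hold '<id>;<update_url>'; the Extensions keys hold one sub-key per id.
$registryKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
foreach ($key in $registryKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Output "`n$key"
    $props = Get-ItemProperty -Path $key
    foreach ($name in (Get-Item $key).Property) {
        Write-Output "  $name = $($props.$name)"
    }
    foreach ($sub in Get-ChildItem -Path $key) {
        $upd = (Get-ItemProperty -Path $sub.PSPath).update_url
        Write-Output "  $($sub.PSChildName)  update_url=$upd"
    }
}
```

A flagged row is not automatically malicious (enterprise-deployed and developer-loaded extensions also show up), but any id that appeared around the time the redirects started, especially one with a non-store update_url or a registry-key entry you did not create, is the place to begin; remove it from the registry key first, or the browser will reinstall it after you delete it from the extensions page.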