
hxxp://survey-smiles.com blocked but not cleaned



Hi. In January 2022 I created a topic similar to this one, but for several reasons I did not respond to the Administrator's invitation to register and send the log generated by Eset Log Collector.

I originally asked:

Every day I get a lot of notifications that "hxxp://survey-smiles.com" has been blocked.
I ran a deep scan of the system and disk but nothing was found... I have an Eset Endpoint Antivirus 8.1.2037.2 9.0.2046.0 licence.

Is there a way to solve this problem?  

I can't attach the log report 'cause it's 140 MB even if I choose only the last 5 days for the report.
Here is a link to the file. I hope you will accept this solution:

hxxp://www.infocer.com/download.php?file=/test/eset.zip&passkey=4c506e1de2469c4a21a32584691521f1

Following is a screenshot of the Eset application notifications.
Thank you in advance, and I'm really sorry to repeat a post similar to the one I posted in January.

[screenshot: Eset application notifications]

  • Administrators

Are you doing something specific when the url is blocked? Or is it blocked as soon as you launch a browser? Is it blocked even if you launch a browser without extensions? Even if you use browsers such as Opera or Vivaldi? Is the website blocked also on other devices in the network, if there are more of them?

Also I've noticed that LiveGrid probably isn't working. Please test it by downloading the CloudCar test file, it should be detected upon download as Suspicious object. Also I'd strongly recommend enabling the LiveGrid Feedback system for maximum protection.


Eset originally identified the domain as a scam:

[screenshot: Eset scam detection]

https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf

However, AlienVault.com now indicates the domain is performing coin mining activities: https://otx.alienvault.com/indicator/domain/survey-smiles.com and rates it malicious.

The fact that the domain is being connected to via svchost.exe indicates that a service has been installed to connect to this domain. It can be assumed this is to perform coin mining activities. The Win service performing this activity must be identified and deleted.


Posted (edited)

Another possibility here is Emotet/Trickbot infection:

Quote

The malware then establishes persistence by creating a scheduled task at startup. The task will execute malware.exe which spawns svchost.exe to inject its code.

Once the victim’s environment has been staged, TrickBot fetches modules as DLLs from C&C servers as per the config file, and then reflectively injects them into the svchost.exe process. All DLLs export the same functions: Control, Release, FreeBuffer, and Start. TrickBot uses HTTP/HTTPS GET and POST requests to download modules and exfiltrate data to the C2 server.

After collection, the data is sent back to the C&C server using HTTP POST requests with customized Content-Disposition headers to identify the content of the data.

https://www.real-sec.com/2022/01/emotet-re-emerges-with-help-from-trickbot/

-EDIT- In regard to this possibility, open Process Explorer and look for svchost.exe running as a child process other than from services.exe; e.g.

process xyzabc.exe 

                       | ---------> svchost.exe.

If this is found, post a process explorer screen shot showing this relationship.

Edited by itman

Quote

Are you doing something specific when the url is blocked? Or is it blocked as soon as you launch a browser? Is it blocked even if you launch a browser without extensions? Even if you use browsers such as Opera or Vivaldi? Is the website blocked also on other devices in the network, if there are more of them?

It happens often when I use a browser (I use Edge and Chrome). I tried to disable the extensions on Chrome but it still happens. I will try to uninstall all of them. No other devices on the network are affected by this problem.
I have to say that, to be sincere, it happens also when the browser is not open...


Quote

Also I've noticed that LiveGrid probably isn't working. Please test it by downloading the CloudCar test file, it should be detected upon download as Suspicious object. Also I'd strongly recommend enabling the LiveGrid Feedback system for maximum protection.


I can't download CloudCar:

[screenshot: CloudCar download blocked]

Now I'm going to have a look at LiveGrid.


As concerns:

Quote

-EDIT- In regard to this possibility, open Process Explorer and look for svchost.exe running as a child process other than from services.exe; e.g.

process xyzabc.exe 

                       | ---------> svchost.exe.

If this is found, post a process explorer screen shot showing this relationship.


I have a lot of svchost.exe processes, but none of them are children of other processes. I will search deeply in Process Explorer, but it's not easy... so many processes...

Posted (edited)

Here's a detailed analysis that I am fairly confident you are infected with: https://www.joesandbox.com/analysis/566870/0/html . The problem is it does not give any clues as to what the malware payload is that is performing the initial connection to survey-smiles.com. Once the payload makes this initial connection, it will start a bogus instance of chrome.exe which is used thereafter for malicious purposes.

Enough has been shown that it appears the initial malware payload is most likely a Win service that has been created and starts at Win startup time. Again, you will have to perform a detailed review of existing Win services on the infected device to identify the malicious service.

As far as examination of Win services, I suggest to use SysInternals Autoruns that can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . Configure it as I posted in this thread reply: https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/?do=findComment&comment=150268 . In your case, you will be reviewing in detail the "Services" section output.

Edited by itman

1 hour ago, itman said:

Here's a detailed analysis that I am fairly confident you are infected with: https://www.joesandbox.com/analysis/566870/0/html . The problem is it does not give any clues as to what the malware payload is that is performing the initial connection to survey-smiles.com. Once the payload makes this initial connection, it will start a bogus instance of chrome.exe which is used thereafter for malicious purposes.

Enough has been shown that it appears the initial malware payload is most likely a Win service that has been created and starts at Win startup time. Again, you will have to perform a detailed review of existing Win services on the infected device to identify the malicious service.

As far as examination of Win services, I suggest to use SysInternals Autoruns that can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . Configure it as I posted in this thread reply: https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/?do=findComment&comment=150268 . In your case, you will be reviewing in detail the "Services" section output.


Thanks. Next week I will deeply scan my system. I will let you know what I find. Thank you very much.

Posted (edited)

I took a second look at the Joe's Cloud Sandbox analysis and it yielded the following.

The very first thing Chrome does when started is check for updates:

[screenshot: Chrome update check from the sandbox report]

The problem is that "update2" is not the name of the legit Chrome update services. Those are named gupdate and gupdatem.

It appears that you have fallen victim to one of the numerous fake Chrome update malware. These are usually spread through a phishing attack that redirects a user to a bogus Chrome update web page.

The problem here is these attacks range from just modification of Chrome and the creation of the bogus Chrome update service, to more extensive system modification and installation of additional malware.

I suggest you contact your in-country Eset tech support source for malware removal assistance.

Edited by itman
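An added triage script, not from this thread or from ESET, that automates the two checks itman describes above: svchost.exe instances whose parent is not services.exe, and services that run from an unusual location or carry an updater-like name that is not one of the real Chrome (gupdate/gupdatem) or Edge (edgeupdate/edgeupdatem) update services. It assumes Windows PowerShell 5.1 or later in an elevated prompt; it only reads, it changes nothing.

```powershell
# Added triage script (not from the thread). Run elevated; read-only.
# Check 1: every svchost.exe should be a child of services.exe.
# Check 2: services should run from Windows/Program Files, and an updater-like
#          service name that is not gupdate/gupdatem/edgeupdate/edgeupdatem is suspect.

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-OrphanSvchost {
    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        # If the parent already exited its PID may have been reused: a lead, not proof.
        $parentName = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        if ($parentName -ine 'services.exe') {
            [pscustomobject]@{
                PID         = $p.ProcessId
                ParentPID   = $p.ParentProcessId
                ParentName  = $parentName
                CommandLine = $p.CommandLine
            }
        }
    }
}

function Get-SuspectService {
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($s in Get-CimInstance Win32_Service) {
        # Strip quotes and arguments so only the executable path remains.
        $path = [string]$s.PathName
        if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
        elseif ($path -match '^(\S+?\.exe)') { $path = $Matches[1] }
        $inTrustedRoot = [bool]($trustedRoots | Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        $oddUpdater = ($s.Name -imatch 'update') -and ($s.Name -inotmatch '^(gupdatem?|edgeupdatem?)$')
        if (-not $inTrustedRoot -or $oddUpdater) {
            [pscustomobject]@{
                Name      = $s.Name
                State     = $s.State
                StartMode = $s.StartMode
                Path      = $path
                Reason    = if ($oddUpdater) { 'updater-like name, not Google/Edge Update' } else { 'binary outside Windows/Program Files' }
            }
        }
    }
}

Get-OrphanSvchost  | Format-Table -AutoSize
Get-SuspectService | Format-Table -AutoSize
```

Treat every row as a lead to verify (publisher signature, file hash, Autoruns entry) rather than a verdict: some legitimate vendors install services under ProgramData or a user profile.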

Can't see something wrong from services list:

[screenshot: services list]

I just disabled this:

[screenshot: first disabled service]

and this:

[screenshot: second disabled service]

'cause they are too "anonymous"...

I also deleted all my Chrome extensions. Now I will have a look at the notifications... I'm not so sure I have solved my issue.

On 5/27/2022 at 9:40 PM, itman said:

I took a second look at the Joe's Cloud Sandbox analysis and it yielded the following.

The very first thing Chrome does when started is check for updates:

[screenshot: Chrome update check from the sandbox report]

The problem is that "update2" is not the name of the legit Chrome update services. Those are named gupdate and gupdatem.

It appears that you have fallen victim to one of the numerous fake Chrome update malware. These are usually spread through a phishing attack that redirects a user to a bogus Chrome update web page.

The problem here is these attacks range from just modification of Chrome and the creation of the bogus Chrome update service, to more extensive system modification and installation of additional malware.

I suggest you contact your in-country Eset tech support source for malware removal assistance.


Thanks for your analysis... I will do so (I will also uninstall Chrome...)