Omar_infocersrl, posted May 26, 2022:
Hi. I created in January 2022 a topic similar to this, but due to several reasons I did not respond to the Administrator's invitation to register and send the log generated by Eset Log Collector. I originally asked: every day I get, many times, a notification that "hxxp://survey-smiles.com" has been blocked. I ran a deep scan of the system and disk but nothing was found... I have an Eset Endpoint Antivirus 8.1.2037.2 9.0.2046.0 licence. Is there a way to solve this problem? I can't attach the log report because it's 140 MB, even if I choose only the last 5 days for the report. Here is a link to the file; I hope you will accept this solution: hxxp://www.infocer.com/download.php?file=/test/eset.zip&passkey=4c506e1de2469c4a21a32584691521f1 Following is a screenshot of Eset application notifications. Thank you in advance, and I'm really sorry to repeat a post similar to the one I posted in January.
Marcos (Administrator), posted May 26, 2022:
Are you doing something specific when the URL is blocked? Or is it blocked as soon as you launch a browser? Is it blocked even if you launch a browser without extensions? Even if you use browsers such as Opera or Vivaldi? Is the website blocked also on other devices in the network, if there are more of them? Also, I've noticed that LiveGrid probably isn't working. Please test it by downloading the CloudCar test file; it should be detected upon download as a Suspicious object. Also I'd strongly recommend enabling the LiveGrid Feedback system for maximum protection.
itman, posted May 26, 2022:
Eset originally identified the domain as a scam: https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf However, AlienVault.com now indicates the domain is performing coin mining activities: https://otx.alienvault.com/indicator/domain/survey-smiles.com and rates it malicious. The fact that the domain is being connected to via svchost.exe indicates that a service has been installed to connect to this domain. It can be assumed this is to perform coin mining activities. The Win service performing this activity must be identified and deleted.
itman, posted May 26, 2022 (edited May 26, 2022 by itman):
Another possibility here is an Emotet/Trickbot infection:
Quote: "The malware then establishes persistence by creating a scheduled task at startup. The task will execute malware.exe which spawns svchost.exe to inject its code. Once the victim's environment has been staged, TrickBot fetches modules as DLLs from C&C servers as per the config file, and then reflectively injects them into the svchost.exe process. All DLLs export the same functions: Control, Release, FreeBuffer, and Start. TrickBot uses HTTP/HTTPS GET and POST requests to download modules and exfiltrate data to the C2 server. After collection, the data is sent back to the C&C server using HTTP POST requests with customized Content-Disposition headers to identify the content of the data." https://www.real-sec.com/2022/01/emotet-re-emerges-with-help-from-trickbot/
-EDIT- In regard to this possibility, open Process Explorer and look for svchost.exe running as a child process of something other than services.exe; e.g. process xyzabc.exe | ---------> svchost.exe. If this is found, post a Process Explorer screenshot showing this relationship.
Omar_infocersrl (author), posted May 27, 2022:
Quote: "Are you doing something specific when the url is blocked? Or is it blocked as soon as you launch a browser? Is it blocked even if you launch a browser without extensions? Even if you use browsers such as Opera or Vivaldi? Is the website blocked also on other devices in the network, if there are more of them?"
It happens often when I use a browser (I use Edge and Chrome). I tried to disable extensions on Chrome but it still happens. I will try to uninstall all of them. No other devices on the network are affected by this problem. To be sincere, I have to say that it also happens when the browser is not open...
Quote: "Also I've noticed that LiveGrid probably isn't working. Please test it by downloading the CloudCar test file, it should be detected upon download as Suspicious object. Also I'd strongly recommend enabling the LiveGrid Feedback system for maximum protection."
I can't download CloudCar: Now I'm going to have a look at LiveGrid. As concerns:
Quote: "-EDIT- In regard to this possibility, open Process Explorer and look for svchost.exe running as a child process other than from services.exe; e.g. process xyzabc.exe | ---------> svchost.exe. If this is found, post a process explorer screen shot showing this relationship."
I have a lot of svchost.exe processes but none of them are children of other processes... I will search deeper in Process Explorer but it's not easy... so many processes...
Omar_infocersrl (author), posted May 27, 2022:
CloudCar has been blocked by Eset:
itman, posted May 27, 2022 (edited May 27, 2022 by itman):
Here's a detailed analysis that I am fairly confident you are infected with: https://www.joesandbox.com/analysis/566870/0/html . The problem is it does not give any clues as to what the malware payload is that is performing the initial connection to survey-smiles.com. Once the payload makes this initial connection, it will start a bogus instance of chrome.exe which is used thereafter for malicious purposes. Enough has been shown that it appears the initial malware payload is most likely a Win service that has been created and starts at Win startup time. Again, you will have to perform a detailed review of existing Win services on the infected device to identify the malicious service. As far as examination of Win services, I suggest using SysInternals Autoruns, which can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . Configure it as I posted in this thread reply: https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/?do=findComment&comment=150268 . In your case, you will be reviewing in detail the "Services" section output.
Omar_infocersrl (author), posted May 27, 2022:
1 hour ago, itman said: "Here's a detailed analysis that I am fairly confident you are infected with: https://www.joesandbox.com/analysis/566870/0/html . The problem is it does not give any clues as to what the malware payload is that is performing the initial connection to survey-smiles.com. Once the payload makes this initial connection, it will start a bogus instance of chrome.exe which is used thereafter for malicious purposes. Enough has been shown that it appears the initial malware payload is most likely a Win service that has been created and starts at Win startup time. Again, you will have to perform a detailed review of existing Win services on the infected device to identify the malicious service. As far as examination of Win services, I suggest to use SysInternals Autoruns that can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . Configure it as I posted in this thread reply: https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/?do=findComment&comment=150268 . In your case, you will be reviewing in detail the "Services" section output."
Thanks. Next week I will deeply scan my system. I will let you know what I find. Thank you very much.
itman, posted May 27, 2022 (edited May 27, 2022 by itman):
I took a second look at the Joe's Cloud Sandbox analysis and it yielded the following. The very first thing Chrome does when started is check for updates: The problem is that "update2" is not the name of the legit Chrome update services. Those are named gupdate and gupdatem. It appears that you have fallen victim to one of the numerous fake Chrome update malware. These are usually spread through a phishing attack that redirects a user to a bogus Chrome update web page. The problem here is that these attacks range from just modification of Chrome and the creation of the bogus Chrome update service, to more extensive system modification and installation of additional malware. I suggest you contact your in-country Eset tech support source for malware removal assistance.
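As an added example (not posted by anyone in this thread), the following PowerShell triage script automates the two manual checks itman describes above: svchost.exe instances whose parent is not services.exe, and update-like services other than the legitimate gupdate/gupdatem. It assumes a Windows 10/11 host, built-in CIM cmdlets only and an elevated prompt; the service-name patterns and the "binary outside Windows/Program Files" filter are my own heuristics for a first look, not a verdict.

```powershell
# Added triage example (not from the thread). Run elevated on Windows 10/11, PowerShell 5.1+.
# Output is a list of things to inspect further in Process Explorer / Autoruns, not a detection.

# 1. svchost.exe instances not started by services.exe (the Process Explorer check from the thread).
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$suspiciousSvchost = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent     = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
    if ($parentName -ine 'services.exe') {
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            ParentName  = $parentName
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            CommandLine = $p.CommandLine
        }
    }
}

# 2. Services that look like Chrome/Google updaters but are not the real gupdate / gupdatem.
#    A service called e.g. "update2" (as in the sandbox report) would show up here.
$legitUpdaters = @('gupdate', 'gupdatem')
$services = Get-CimInstance Win32_Service
$updateLookalikes = $services | Where-Object {
    ($_.Name -imatch 'update' -or $_.DisplayName -imatch 'google|chrome') -and
    ($legitUpdaters -notcontains $_.Name)
} | Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Any service whose binary lives outside \Windows or \Program Files (heuristic; some legitimate
#    vendors install elsewhere, so review rather than delete).
$oddPathServices = $services | Where-Object {
    $_.PathName -and
    ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
} | Select-Object Name, DisplayName, State, StartMode, PathName

'=== svchost.exe not parented by services.exe ==='
$suspiciousSvchost | Format-Table -AutoSize
'=== update-like services other than gupdate/gupdatem ==='
$updateLookalikes | Format-Table -AutoSize
'=== services with binaries outside Windows / Program Files ==='
$oddPathServices | Format-Table -AutoSize
```

Cross-check anything listed against its Autoruns entry and the file's publisher signature before disabling it; the Chrome updater's legitimate binary is GoogleUpdate.exe under the Google\Update folder in Program Files (x86).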
Omar_infocersrl (author), posted May 30, 2022:
I can't see anything wrong in the services list: I just disabled this: and this: because they are too "anonymous"... I also deleted all my Chrome extensions. Now I will have a look at the notifications... I'm not so sure I have solved my issue.
Omar_infocersrl (author), posted May 31, 2022:
On 5/27/2022 at 9:40 PM, itman said: "I took a second look at the Joe's Cloud Sandbox analysis and it yielded the following. The very first thing Chrome does when started is check for updates: The problem is that "update2" is not the name of the legit Chrome update services. Those are named gupdate and gupdatem. It appears that you have fell victim to one of the numerous fake Chrome update malware. These are usually spread through a phishing attack that redirects a user to a bogus Chrome update web page. The problem here is these attacks range from just modification of Chrome and the creation of the bogus Chrome update service, to more extensive system modification and installation of additional malware. I suggest you contact your in-country Eset tech support source for malware removal assistance."
Thanks for your analysis... I will do so (I will also uninstall Chrome...).