carmik, posted August 25, 2022 (edited):

On our ESET PROTECT 9.1 installation (latest) we have recently added a LiveGuard license. In any case, casually browsing around the LiveGrid logs it seems like a number of my users tried to visit hxxps://eu.b2c.com/api/init-224mtm6aorewjg83k2h.js

This script is different on each access, containing obfuscated code. De-obfuscating the code reveals yet another layer of obfuscated JavaScript. Now, according to LiveGrid all is well with this code. I've manually created a .js file with content corresponding to the URL above and it seems like LiveGuard also sees everything as perfect with the code: https://d.edtd.eset.com/details?hash=AC75843E159AE2E64E8AEE7E47ED2DF932231126&key=1647271159477560934&lang=en_US&era_ver=9.1

Checking the result list, shouldn't this JS code, when run, trigger the "hidden code detection" in LiveGuard? Or the "fileless threat"? Please advise. I've initiated full scans on the users' systems, but I don't know how to proceed from here...

Edited August 25, 2022 by carmik
Marcos (Administrator), posted August 25, 2022:

Appears to be a legit redirector. We're not going to add a detection either.
carmik, posted August 25, 2022 (edited):

Thanks Marcos, just wanted to know whether this is something bad that I should act upon.

EDIT: Just curious though, any idea why the extra LiveGuard checks described in the OP are not performed at all?

Edited August 25, 2022 by carmik
Marcos (Administrator), posted August 25, 2022:

Do you know by chance how you or your users happened to get to the said URL with the script? E.g. from a specific website, application, etc.
carmik, posted August 25, 2022:

I don't have any such information, sorry. All users exhibiting this belong to different agencies. The way I see it, there is not a single non-malicious site that they all connect to... We also receive a zillion phishing/spear-phishing emails. In conjunction with my observation about that site I thought it might be malevolent somehow (i.e. user clicks a link in a phishing email and downloads a payload from eu.b2c.com).
Marcos (Administrator), posted August 25, 2022:

1 hour ago, carmik said: "EDIT: Just curious though, any idea why the extra LiveGuard checks described in the OP are not performed at all?"

I assume the JS is executed by a browser and not locally by wscript.exe, which is why it's not submitted to LiveGuard.
carmik, posted August 26, 2022:

17 hours ago, Marcos said: "I assume the JS is executed by a browser and not locally by wscript.exe, which is why it's not submitted to LiveGuard."

Isn't JS by default executed by the browser? How do Chrome, Firefox and the new Edge execute it?
Marcos (Administrator), posted August 26, 2022:

16 minutes ago, carmik said: "Isn't JS by default executed by the browser? How do Chrome, Firefox and the new Edge execute it?"

It is, but JS malware spread as an email attachment and opened by the user is executed via wscript.exe.
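The distinction Marcos draws (page scripts run inside the browser's own engine; a .js attachment double-clicked by the user runs under wscript.exe) is also what a defender can watch for in process-creation telemetry. The following is an added example, not ESET's code or anything from this thread: it parses constructed process-creation records in a hypothetical `Key=Value|Key=Value` format and flags wscript.exe/cscript.exe launching a script from a user-writable download or temp location, while leaving browser processes alone.

```python
from __future__ import annotations
import re

# Windows script hosts that run a .js file "as a program";
# browsers execute page scripts in their own engine and are out of scope here.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations where a mail client or browser typically drops an attachment/download.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")
# A drive-letter path ending in a script-host extension (matched on lowercased text).
SCRIPT_PATH = re.compile(r'([a-z]:\\[^"\s]+?\.(?:js|jse|vbs|wsf))\b')

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict[str, str]:
    """Parse one record in the hypothetical 'Key=Value|Key=Value' format."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def flag_event(ev: dict[str, str]) -> tuple[str, str] | None:
    """Return (script_path, parent_exe) when a script host ran a script
    from a user-writable location, else None."""
    if basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None  # chrome.exe, firefox.exe, msedge.exe etc. never match
    for path in SCRIPT_PATH.findall(ev["CommandLine"].lower()):
        if any(marker in path for marker in USER_WRITABLE):
            return path, basename(ev["ParentImage"])
    return None

def scan(log: str) -> list[tuple[str, str]]:
    """Run flag_event over every non-empty record of a log."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            hit = flag_event(parse_event(line))
            if hit:
                hits.append(hit)
    return hits

# Constructed sample records (not real telemetry): an attachment opened from
# Outlook, a normal browser renderer, and an admin script run from cmd.exe.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\wscript.exe|CommandLine="C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\Downloads\\invoice.js"|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer|ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
Image=C:\\Windows\\System32\\cscript.exe|CommandLine=cscript.exe C:\\Scripts\\inventory.vbs|ParentImage=C:\\Windows\\System32\\cmd.exe
"""

if __name__ == "__main__":
    for path, parent in scan(SAMPLE_LOG):
        print(f"script host ran {path} (parent: {parent})")
```

Only the Outlook-spawned wscript.exe record is reported; the Chrome renderer and the script run from C:\Scripts are not.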
carmik, posted August 26, 2022:

Therefore, how is JS executed in the browser (a very common scenario for infection, I presume) handled? Basically, are scripts in a browser passed on to LiveGuard for a check? I presume that it would be very difficult to obtain a meaningful result though, since a browser-running script has extra context (the browser it is running in, the web page it is running from, etc.) that cannot be passed to LiveGuard for a meaningful sandbox simulation.
Marcos (Administrator), posted August 26, 2022 (marked as solution):

Scripts loaded by websites cannot be sent to LiveGuard. One thing is that they would not do anything in the cloud sandbox, and another thing is that no website would load, since virtually every website loads external JavaScript.
carmik, posted August 26, 2022:

Just as I thought. Thank you for your detailed clarifications.