Possibly malicious code not detected even by LiveGrid/LiveGuard: please check and advise?

[carmik 0]

On our ESET protect 9.1 installation (latest) we have recently add a LiveGuard license.

In any case, casually browsing around the LiveGrid logs it seems like a number of my users tried to visit

hxxps://eu.b2c.com/api/init-224mtm6aorewjg83k2h.js This script is different on each access, containing obfuscating code. De-obfuscating the code reveals yet another layer of obfuscated javascript. Now, according to livegrid all is well with this code. I've manually created a .js file with content corresponding to the URL above and it seems like liveguard also sees everything perfect with the code: https://d.edtd.eset.com/details?hash=AC75843E159AE2E64E8AEE7E47ED2DF932231126&key=1647271159477560934&lang=en_US&era_ver=9.1 Checking the result list, shouldn't this JS code when run trigger the "hidden code detection" in liveguard? Or the "fileless threat"? Please advise. I've initiated full scans on the users' systems, but I do know on how to proceed from here...

 

Edited August 25, 2022 by carmik

[Marcos 5,736]

Appears to be legit redirector. We're not going to add a detection either.

[carmik 0]

Thanks Marcos, just wanted to know whether this is something bad that I should act upon.

EDIT: Just curious though, any idea why the extra liveguard checks described in the OP are not performed at all?

Edited August 25, 2022 by carmik

[Marcos 5,736]

Do you know by chance how you or your users happened to get to the said url with the script? E.g. from a specific website, application, etc.

[carmik 0]

I don't have any such information sorry. All users exhibiting this belong to different agencies. The way I see it there is not a single non-malicious site that they all connect to...

We also receive a zillion of phishing/spear-phishing emails. In conjuction with my observation about that site I thought it might be malevolent somehow (ie user clicks a link in a phishing email and passes downloads a payload from eu.b2c.com).

[Marcos 5,736]

1 hour ago, carmik said:

EDIT: Just curious though, any idea why the extra liveguard checks described in the OP are not performed at all?

I assume the JS is executed by a browser and not locally by wscript.exe which is why it's not submitted to LiveGuard.

[carmik 0]

17 hours ago, Marcos said:

I assume the JS is executed by a browser and not locally by wscript.exe which is why it's not submitted to LiveGuard.

Isn't JS by default executed by the browser? How does chrome, firefox and the new new edge execute it?

[Marcos 5,736]

16 minutes ago, carmik said:

Isn't JS by default executed by the browser? How does chrome, firefox and the new new edge execute it?

It is but JS malware spread as email attachment and opened by the user is executed via wscript.exe.

[carmik 0]

Therefore, how is JS executed in the browser (a very common scenario for infection I presume) handled? Basically, are scripts in a browser passed on to LiveGuard for a check?

I presume that it would be very difficult to obtain a meaningful result though, since a browser-running script contains extra context (the browser it is running in, the web page it is running from etc) that can not be passed to liveguard for a meaningful sandbox simulation.

[Marcos 5,736]

Scripts loaded by websites cannot be sent to LiveGuard. One thing is that they would not do anything in the cloud sandbox and another thing is that no website would load since virtually every website loads external javascript.

[carmik 0]

Just as I thought. Thank you for your detailed clarifications.