Possibly malicious code not detected even by LiveGrid/LiveGuard: please check and advise?


Recommended Posts

On our ESET PROTECT 9.1 installation (latest) we have recently added a LiveGuard license.

In any case, casually browsing around the LiveGrid logs it seems like a number of my users tried to visit

hxxps://eu.b2c.com/api/init-224mtm6aorewjg83k2h.js

This script is different on each access and contains obfuscated code. De-obfuscating the code reveals yet another layer of obfuscated JavaScript.

Now, according to LiveGrid all is well with this code. I've manually created a .js file with content corresponding to the URL above and it seems like LiveGuard also sees everything perfect with the code: https://d.edtd.eset.com/details?hash=AC75843E159AE2E64E8AEE7E47ED2DF932231126&key=1647271159477560934&lang=en_US&era_ver=9.1

Checking the result list, shouldn't this JS code, when run, trigger the "hidden code detection" in LiveGuard? Or the "fileless threat"?

Please advise. I've initiated full scans on the users' systems, but I don't know how to proceed from here...

Edited by carmik


Thanks Marcos, just wanted to know whether this is something bad that I should act upon.

EDIT: Just curious though, any idea why the extra LiveGuard checks described in the OP are not performed at all?

Edited by carmik

  • Administrators

Do you know by chance how you or your users happened to get to the said URL with the script? E.g. from a specific website, application, etc.


I don't have any such information, sorry. All users exhibiting this belong to different agencies. The way I see it, there is not a single non-malicious site that they all connect to...

We also receive a zillion phishing/spear-phishing emails. In conjunction with my observation about that site, I thought it might be malevolent somehow (i.e. a user clicks a link in a phishing email and downloads a payload from eu.b2c.com).


  • Administrators
1 hour ago, carmik said:

EDIT: Just curious though, any idea why the extra LiveGuard checks described in the OP are not performed at all?

I assume the JS is executed by a browser and not locally by wscript.exe which is why it's not submitted to LiveGuard.


17 hours ago, Marcos said:

I assume the JS is executed by a browser and not locally by wscript.exe which is why it's not submitted to LiveGuard.

Isn't JS by default executed by the browser? How do Chrome, Firefox and the new Edge execute it?


  • Administrators
16 minutes ago, carmik said:

Isn't JS by default executed by the browser? How do Chrome, Firefox and the new Edge execute it?

It is, but JS malware spread as an email attachment and opened by the user is executed via wscript.exe.
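
As an added defender-side illustration of the distinction above (not ESET code, and not how LiveGuard itself decides what to submit): a small Python triage over constructed process-creation records that flags wscript.exe/cscript.exe running a .js/.jse file from a user-writable download or mail-attachment folder, while browser processes are left alone because page scripts stay inside the browser's own engine. The record format, paths and file names are assumptions.

```python
import re

# Script hosts that run a .js file opened from the desktop or a mail attachment;
# a browser runs page scripts in its own engine and never spawns these.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")
JS_EXT_RE = re.compile(r"\.(js|jse)\b", re.IGNORECASE)
# User-writable folders where downloads and opened attachments usually land.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp|"
    r"AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\.Outlook)\\",
    re.IGNORECASE,
)

# Constructed process-creation records, "parent|image|command line"
# (hypothetical format and file names, not ESET telemetry).
SAMPLE_LOG = """\
explorer.exe|C:\\Windows\\System32\\wscript.exe|"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_2291.js"
explorer.exe|C:\\Windows\\System32\\wscript.exe|"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\bob\\Downloads\\scan.pdf.js"
services.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe //nologo "C:\\Program Files\\Vendor\\maint.vbs"
explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" --profile-directory=Default
explorer.exe|C:\\Windows\\notepad.exe|notepad.exe C:\\Users\\bob\\Downloads\\notes.txt
"""

def parse_line(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def classify(ev):
    """Return 'script-host-user-path', 'script-host', 'browser' or 'other'."""
    exe = ev["image"].rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        cmd = ev["cmdline"]
        if JS_EXT_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            return "script-host-user-path"  # attachment-style JS run by a script host
        return "script-host"
    if exe in BROWSERS:
        return "browser"  # page JS stays inside the browser's engine
    return "other"

def suspicious(log_text):
    """Command lines where a script host ran JS from a user-writable location."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [ev["cmdline"] for ev in events if classify(ev) == "script-host-user-path"]

if __name__ == "__main__":
    for cmd in suspicious(SAMPLE_LOG):
        print("review:", cmd)
```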


Therefore, how is JS executed in the browser (a very common scenario for infection I presume) handled? Basically, are scripts in a browser passed on to LiveGuard for a check?

I presume that it would be very difficult to obtain a meaningful result though, since a browser-running script has extra context (the browser it is running in, the web page it is running from, etc.) that cannot be passed to LiveGuard for a meaningful sandbox simulation.


  • Administrators

Scripts loaded by websites cannot be sent to LiveGuard. One thing is that they would not do anything in the cloud sandbox, and another thing is that no website would load, since virtually every website loads external JavaScript.
