JS/Packed.Agent.Q found when visiting bank website. Very little info found about malware.

[LuisC 0]

Hello,

Starting about 4 days ago, while attempting to log into my bank, ESET started alerting me about JS/Packed.Agent.Q.  I am seeing the same alert from both Chrome and Firefox.   When I attempt to log into the bank using other computers (that also has ESET installed with the same policies), I don't see any alerts messages.  Thus, I have reason to believe my PC is infected with the JS/Packed.Agent.Q.  I've run MalwareBytes as well as full ESET scans, but neither is finding anything.

I've checked VirusRadar, but it doesn't have any mention (that I could find) of the above mentioned malware.

So, I have some questions:

1) Where can I get information about JS/Packed.Agent.Q?   I have found very little via Google in terms of locating and cleaning this.

2) Given ESET can't find anything, how do I go about removing it?

3) Should I open a support case to help get this resolved?

From the logs, it appears that upon logging in, JS/Packed.Agent.Q is attempting to access a JavaScript file on cdn.yodlee.com.

Below is the screenshot of the alert, along with the log entry.

Thank you in advance for any assistance/information someone can provide regarding this...especially around removing it.

 

Edited September 18, 2022 by LuisC
Correct one of the questions asked.

[Nightowl 202]

Your PC is safe , ESET has blocked a script that exist on the URL listed in the report , there is no threat inside your PC , just web-access protection has blocked a script that it saw suspicious

It could be false positive or a real threat , only ESET staff can know that , but for now most recommended is not to ignore the threat , especially since you are going for Banking stuff.

[Marcos 5,074]

You can create a detection exclusion as suggested here:

https://forum.eset.com/topic/33766-how-do-you-reset-website-access-from-google-chrome-to-cdnyodleecom-used-by-xero-accounting-to-access-banking-info-that-was-blocked-by-eset-nod32-antivirus-software/

[itman 1,659]

6 hours ago, LuisC said:

Starting about 4 days ago, while attempting to log into my bank, ESET started alerting me about JS/Packed.Agent.Q.  I am seeing the same alert from both Chrome and Firefox.   When I attempt to log into the bank using other computers (that also has ESET installed with the same policies), I don't see any alerts messages. 

Do you have XERO accounting software installed on the PC where Eset detects the malicious JavaScript? If so, the detection exclusion mentioned above is the appropriate solution.

[LuisC 0]

14 hours ago, itman said:

Do you have XERO accounting software installed on the PC where Eset detects the malicious JavaScript? If so, the detection exclusion mentioned above is the appropriate solution.

No, I do not use XERO.  In my searches, I did see another post about someone with XERO that was getting the same message.

[LuisC 0]

15 hours ago, Nightowl said:

Your PC is safe , ESET has blocked a script that exist on the URL listed in the report , there is no threat inside your PC , just web-access protection has blocked a script that it saw suspicious

It could be false positive or a real threat , only ESET staff can know that , but for now most recommended is not to ignore the threat , especially since you are going for Banking stuff.

I completely agree, but wanted to check here first.  I will open a support ticket with ESET regarding this so that it can be more closely looked at.  Thank you!

[Marcos 5,074]

Customer care won't help you, they can only suggest contacting samples[at]eset.com.

As I said, there's no need to worry. It's just a detection of a specific JS obfuscation method. It's not detected as a threat but as a suspicious application. We have already recommended adding a detection exclusion for the very same host (cdn.yodlee.com).

[LuisC 0]

Marcos,

Help me understand where my thinking is wrong here...  This is a sincere message request.

When other systems access this same bank, no "suspicious application" warnings are ever received/logged, only on my system.  So, that leads me to believe that the "suspicious application" is on my computer.  From the logs, it appears as though a connection is being initiated from my computer to retrieve a file from cdn.yodlee.com at the point I attempt to login, which is VERY concerning...especially given this is a financial institution.  This is not normal.  As obfuscation is a way to hide information, as well as a technique used by malware for delivery, this is concerning, especially given it's occurring right when my credentials are being supplied.

If, as you're suggesting, I create an exception for this alert, my understanding is that I will essentially be telling ESET that "this message is OK", and to just ignore it, which masks the problem.  I take that to mean that the download would now be permitted, which ESET is currently blocking.  In my mind, I don't want to "mask" the problem, I want to get rid of it.

I am happy to see that ESET blocked the connection of the download, but I view ESET as also being a tool/resource that should help me remove "suspicious applications" and viruses from my computer when they are found.  If the application can't do this on their own, which I can understand that no one application can be expected to catch/find everything, then I would hope that ESET would be there to assist where the application falls short.  After all, besides updates/upgrades, isn't that what I'm paying for when I purchased ESET?  I view just making me aware of an issue, but not helping me get rid of it, as not being a complete solution.

Thank you, and I look forward to your response.

Sincerely,

Luis

 

[notimportant 5]

5 hours ago, LuisC said:

So, that leads me to believe that the "suspicious application" is on my computer.  From the logs, it appears as though a connection is being initiated from my computer to retrieve a file

No, there is nothing suspicious in your computer. You can see the detection described in screenshot, that you uploaded here: A suspicious application was found when Firefox tried to access a website.

Detected object was file "initialized.js" located on that website. Connection attempt was terminated by ESET, so nothing was downloaded. 

[Marcos 5,074]

We'll adjust the detection a bit so that it's not triggered on certain bank sites.

[itman 1,659]

5 hours ago, LuisC said:

From the logs, it appears as though a connection is being initiated from my computer to retrieve a file from cdn.yodlee.com at the point I attempt to login, which is VERY concerning...especially given this is a financial institution. 

Refer to this: https://www.yodlee.com/company/clients-consumers .

I agree with your concern. I also would be concerned with any Eset detection alert while in B&PP mode.

One way to get to the bottom of this is contact your bank's tech support and ask them is they are deploying Envestnet/Yodlee software on their web site.

Edited September 19, 2022 by itman

[peteyt 393]

It is odd that it only catches it on one computer.

Have you checked the other computers log files to see if it is maybe being blocked without alerting you

[itman 1,659]

Since Eset's detection was for cdn.yodlee.com/fastlink/v3/initialize.js, here's some info on that: https://developer.yodlee.com/docs/getting-started-fastlink .

The standard script is not packed. This would indicate that the bank is most likely packing their custom script for security reasons perhaps. Or, the bank's web site/server has been hacked.

As to the question of why Eset only detects on one device the OP owns, this might be indicative of man-in-the-middle activity on the Internet connection from that device.

[itman 1,659]

As a test, I copied the above initialize.js from the yodlee.com web site and created my own .js script from it. Zip detection from Eset on the code. This indicates that the packed script Eset is detecting has a very high likelihood of being malicious. As such, I certainly would not create an Eset detection for it.

[itman 1,659]

Here's what may be going on:

Quote

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Costello said while some banks have implemented processes which pass through multi-factor authentication (MFA) prompts when consumers wish to link aggregation services, many have not.

“Because we have become something of a known quantity with the banks, we’ve set up turning off MFA with many of them,” Costello said.  “Many of them are substituting coming from a Yodlee IP or agent as a factor because banks have historically been relying on our security posture to help them out.”

Such reconnaissance helps lay the groundwork for further attacks: If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

https://krebsonsecurity.com/2019/08/the-risk-of-weak-online-banking-passwords/#more-48391

The above article was written in 2019. Appears malware developers have found a new way to deploy the Yodlee API interface maliciously; perhaps via browser injection or the like.

Edited September 20, 2022 by itman

[itman 1,659]

One last comment.

Eset decided to set Banking & Payment Protection mode on for all supported browsers by default in recent versions. This in turn allows "safe" extensions/add-ons in the browser. I never agreed that this was a secure way to proceed.

I strongly suspect that there is a hacked browser extension/add-on that is the source for this malicious aggregator script.

Edited September 20, 2022 by itman

[LuisC 0]

8 hours ago, itman said:

One last comment.

Eset decided to set Banking & Payment Protection mode on for all supported browsers by default in recent versions. This in turn allows "safe" extensions/add-ons in the browser. I never agreed that this was a secure way to proceed.

I strongly suspect that there is a hacked browser extension/add-on that is the source for this malicious aggregator script.

Interesting, I wasn't aware of that change.   I would tend to agree with your thoughts about that not being a secure way to proceed.

That said, I wonder if I did a complete uninstall followed by deletion/purge of the install directory (including appdata), then a fresh install of the browsers, if that would help.  Thoughts?

[itman 1,659]

6 hours ago, LuisC said:

That said, I wonder if I did a complete uninstall followed by deletion/purge of the install directory (including appdata), then a fresh install of the browsers, if that would help.  Thoughts?

Disable the option to secure all browsers in Banking & Payment Protection settings.

If this doesn't stop the Eset JavaScript detection when you log on to your bank's web site, you will have to contact your bank's tech support. Ask them if they use the Yodlee API on their web site. If so, make them aware that Eset is detecting a suspicious script from that API usage.

Edited September 21, 2022 by itman

[LuisC 0]

4 hours ago, itman said:

Disable the option to secure all browsers in Banking & Payment Protection settings.

If this doesn't stop the Eset JavaScript detection when you log on to your bank's web site, you will have to contact your bank's tech support. Ask them if they use the Yodlee API on their web site. If so, make them aware that Eset is detecting a suspicious script from that API usage.

@itman, could you point me to where the "Banking & Payment Protection" settings are at?  I just looked for them, and couldn't find them.  

Also, I checked with the bank, and they said that their website does not use Yodlee.

Thank you!

[itman 1,659]

Refer to the below screen shot:

1. From the Eset GUI Setup screen, select Security tools.

2. Mouse click on the gear symbol to the right of Banking and Payment protection section. Then select "Configure."

3. Verify that "Secure all browsers" setting is disabled. If it is not, remove the checkmark by mouse clicking on it to disable it.

4. Click on OK tab setting on this screen and any subsequent screen to save your changes.

5. Repeat steps 1). through 3). to verify that Secure all browsers setting is disabled.

 

[itman 1,659]

BTW - below is the JavaScript code from https://cdn.yodlee.com/fastlink/v3/initialize.js. Eset detects nothing at all for this script code. There are also zero detection's for the code at VirusTotal: https://www.virustotal.com/gui/file/31937f1a6b02642bd3da602dd1ec4428616e710297ae3fe1cb27637d81d16c9b?nocache=1

This mean two things:

1. Eset has whitelisted the code.

2. Whatever script you are encountering upon access to your bank web site, does not contain the following code.

3. You have to actually run the script to have suspicious characteristics unmask,

Quote

var a=['origin','source','contentWindow','fl-frame','minHeight','fnToCall','newThemeResizeFloater','resizeFloater','height','style','400px','status','SUCCESS','onSuccess','function','FAILED','action','exit','onExit','onEvent','createElement','iframe','frameElement','cssText','width:100%;border-width:\x200px;display:\x20block;min-height:\x20400px;','name','title','containerClass','setAttribute','class','iframeScrolling','scrolling','div','fastLinkDom','closed','form','method','post','fastlinkWindow','target','focus','input','hidden','appendChild','value','app','redirectReq','extraParams','body','parentNode','iframeResize','fljsver','locationurl','location','href','keys','object','stringify','parseFromString','text/html','documentElement','textContent','fastlink','warn','Yodlee\x20FastLink\x20script\x20is\x20being\x20added\x20more\x20than\x20once.\x20Please\x20make\x20sure\x20to\x20remove\x20the\x20other\x20FastLink\x20script\x27s\x20references\x20in\x20page','getElementsByTagName','script','length','src','indexOf','split','userAgent','platform','innerWidth','initialize','onError','FastLink\x20already\x20in\x20use,\x20multiple\x20instances\x20of\x20fastLink\x20may\x20not\x20work\x20as\x20expected.','appId','forceIframe','forceRedirect','windowResize','fastLinkURL','accessToken','Valid\x20JWT\x20or\x20SAML\x20or\x20access\x20Token\x20not\x20found','jwtToken','samlToken','trim','Bearer','Please\x20provide\x20valid\x20JWT\x20Token','Please\x20provide\x20valid\x20access\x20Token','params','string','parse','Invalid\x20container\x20element','submitForm','addEventListener','message','attachEvent','fastLinkOpened','close','getElementById','hasChildNodes','removeChild'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};var g=function(){var h={'data':{'key':'cookie','value':'timeout'},'setCookie':function(i,j,k,l){l=l||{};var m=j+'='+k;var n=0x0;for(var n=0x0,p=i['length'];n<p;n++){var q=i[n];m+=';\x20'+q;var r=i[q];i['push'](r);p=i['length'];if(r!==!![]){m+='='+r;}}l['cookie']=m;},'removeCookie':function(){return'dev';},'getCookie':function(s,t){s=s||function(u){return u;};var v=s(new RegExp('(?:^|;\x20)'+t['replace'](/([.$?*|{}()[]\/+^])/g,'$1')+'=([^;]*)'));var w=function(x,y){x(++y);};w(e,d);return v?decodeURIComponent(v[0x1]):undefined;}};var z=function(){var A=new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');return A['test'](h['removeCookie']['toString']());};h['updateCookie']=z;var B='';var C=h['updateCookie']();if(!C){h['setCookie'](['*'],'counter',0x1);}else if(C){B=h['getCookie'](null,'counter');}else{h['removeCookie']();}};g();}(a,0x1db));var b=function(c,d){c=c-0x0;var e=a[c];return e;};(function(d){var c=function(){var c=!![];return function(d,e){var f=c?function(){if(e){var g=e['apply'](d,arguments);e=null;return g;}}:function(){};c=![];return f;};}();'use strict';if(d['fastlink']){console[b('0x0')](b('0x1'));return;}var e={};var f;var g;var h;var i=![];var j=![];var k=!![];var l=null;var m=function(n){var ak=c(this,function(){var c=function(){return'\x64\x65\x76';},d=function(){return'\x77\x69\x6e\x64\x6f\x77';};var e=function(){var f=new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');return!f['\x74\x65\x73\x74'](c['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var g=function(){var h=new RegExp('\x28\x5c\x5c\x5b\x78\x7c\x75\x5d\x28\x5c\x77\x29\x7b\x32\x2c\x34\x7d\x29\x2b');return h['\x74\x65\x73\x74'](d['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var i=function(j){var k=~-0x1>>0x1+0xff%0x0;if(j['\x69\x6e\x64\x65\x78\x4f\x66']('\x69'===k)){l(j);}};var l=function(m){var n=~-0x4>>0x1+0xff%0x0;if(m['\x69\x6e\x64\x65\x78\x4f\x66']((!![]+'')[0x3])!==n){i(m);}};if(!e()){if(!g()){i('\x69\x6e\x64\u0435\x78\x4f\x66');}else{i('\x69\x6e\x64\x65\x78\x4f\x66');}}else{i('\x69\x6e\x64\u0435\x78\x4f\x66');}});ak();var o=document[b('0x2')](b('0x3'));for(var p=0x0;p<o[b('0x4')];p++){var q=o[p][b('0x5')];if(q[b('0x6')](n)>-0x1){var r=q[b('0x7')]('/');var s=r[b('0x4')];if(s>=0x2){return r[r[b('0x4')]-0x2];}return![];}}return![];};var t=function(){var u=![];if(navigator[b('0x8')]['match'](/Android/i)||navigator['userAgent']['match'](/iPhone/i)||navigator['userAgent']['match'](/iPad/i)||navigator[b('0x8')]['match'](/iPod/i)||navigator[b('0x8')]['match'](/Windows Phone/i)){u=!![];}else if(/iP(hone|od|ad)/['test'](navigator[b('0x9')])){u=!![];}else if(d[b('0xa')]<=0x320&&d['innerHeight']<=0x258){u=!![];}return u;};var v=m(b('0xb'));var w=t();var x=function(y,z){if(S()){if(w)h['focus']();y[b('0xc')]({'message':b('0xd')});return![];}e=y;g=e[b('0xe')]||0x98a490;i=e[b('0xf')]||![];j=e[b('0x10')]||![];k=e[b('0x11')]||!![];w=w&&!i;if(!e[b('0x12')]){throw new Error('FastLink\x20App\x20URL\x20not\x20found');}if(!e['jwtToken']&&!e['samlToken']&&!e[b('0x13')]){throw new Error(b('0x14'));}else if(e[b('0x15')]&&e['samlToken']||e['jwtToken']&&e['accessToken']||e[b('0x16')]&&e[b('0x13')]||e[b('0x15')]&&e['samlToken']&&e[b('0x13')]){throw new Error('Please\x20provide\x20only\x20one\x20valid\x20Token');}else if(e[b('0x15')]){e[b('0x15')]=e[b('0x15')][b('0x17')]();if(e[b('0x15')][b('0x6')](b('0x18'))>0x0){throw new Error(b('0x19'));}else if(e[b('0x15')][b('0x6')](b('0x18'))==-0x1){e['jwtToken']='Bearer\x20'+e[b('0x15')];}}else if(e[b('0x13')]){e[b('0x13')]=e[b('0x13')][b('0x17')]();if(e[b('0x13')][b('0x6')]('Bearer')>0x0){throw new Error(b('0x1a'));}else if(e[b('0x13')][b('0x6')]('Bearer')==-0x1){e[b('0x13')]='Bearer\x20'+e['accessToken'];}}if(e[b('0x1b')]!=null&&typeof e['params']==b('0x1c')){e[b('0x1b')]=ah(e[b('0x1b')]);try{e[b('0x1b')]=JSON[b('0x1d')](e[b('0x1b')]);}catch(A){}}f=z;var B=document['getElementById'](f);if(!z||!B){throw new Error(b('0x1e'));}var C=null;if(!w){C=O(B,e);}var D=T(e,C);D[b('0x1f')]();if(d[b('0x20')]){d[b('0x20')](b('0x21'),G,![]);}else{d[b('0x22')]('onmessage',G);}e[b('0x23')]=!![];};var E=function(){if(w&&h){h[b('0x24')]();}else if(!w){var F=document[b('0x25')](f);if(F&&F[b('0x26')]()){F[b('0x27')](e['fastLinkDom']);}}e['fastLinkOpened']=![];};var G=function(H){if(w){if(e[b('0x12')]&&e[b('0x12')][b('0x6')](H[b('0x28')])==0x0){K(H);}}else{if(e[b('0x12')]&&e[b('0x12')][b('0x6')](H[b('0x28')])==0x0){var I=document[b('0x2')]('iframe');for(var J=0x0;J<I[b('0x4')];J++){if(H[b('0x29')]===I[J][b('0x2a')]){K(H);break;}}}}};var K=function(){var L=event['data'];var M=document['getElementById'](b('0x2b'));if(M&&!l){l=M['style'][b('0x2c')];}if(!L){return;}if(L[b('0x2d')]===b('0x2e')||L[b('0x2d')]===b('0x2f')){if(M&&L[b('0x30')]&&L[b('0x30')]>parseFloat(l)){var N=parseFloat(L[b('0x30')]);if(N==L[b('0x30')]){N=N+0x64;M[b('0x31')][b('0x30')]=N+'px';}else if(isNaN(parseFloat(L[b('0x30')]))){M[b('0x31')][b('0x30')]=b('0x32');}else{N=N+0x64;M[b('0x31')][b('0x30')]=N+'px';}}else{M['style'][b('0x30')]=l;}}else if(L['fnToCall']==='accountStatus'&&L[b('0x33')]===b('0x34')){if(e[b('0x35')]&&typeof e['onSuccess']===b('0x36')){e[b('0x35')](L);}}else if(L[b('0x2d')]==='accountStatus'&&L[b('0x33')]===b('0x37')){if(e[b('0xc')]&&typeof e['onError']===b('0x36')){e[b('0xc')](L);}}else if(L[b('0x2d')]==='accountStatus'&&L[b('0x38')]===b('0x39')){if(L[b('0x33')]!='USER_CLOSE_ACTION'&&j||!j){E();if(e[b('0x3a')]&&typeof e[b('0x3a')]===b('0x36')){e[b('0x3a')](L);}}}else{if(e['onEvent']&&typeof e[b('0x3b')]==='function'){e[b('0x3b')](L);}}};var O=function(P){var Q=document[b('0x3c')](b('0x3d'));(Q[b('0x3e')]||Q)[b('0x31')][b('0x3f')]=b('0x40');Q[b('0x41')]=b('0x2b');Q['id']=b('0x2b');Q[b('0x42')]='FastLink';if(e[b('0x43')]){Q[b('0x44')](b('0x45'),e[b('0x43')]);}if(e[b('0x46')]){Q[b('0x44')](b('0x47'),e[b('0x46')]);}var R=document[b('0x3c')](b('0x48'));R['appendChild'](Q);e[b('0x49')]=R;P['appendChild'](e['fastLinkDom']);return Q;};var S=function(){if(w&&h&&!h[b('0x4a')]){return!![];}else if(!w&&e[b('0x23')]){return!![];}return![];};var T=function(e,V){var W=a6(e[b('0x1b')]);var X=document[b('0x3c')](b('0x4b'));X[b('0x44')](b('0x4c'),b('0x4d'));if(w){h=d['open']('',b('0x4e'));X[b('0x44')](b('0x4f'),b('0x4e'));h[b('0x50')]();}else{X[b('0x44')](b('0x4f'),V['name']);}X[b('0x44')](b('0x38'),e[b('0x12')]);var Y=document[b('0x3c')](b('0x51'));Y[b('0x44')](b('0x52'),!![]);var Z='';var a0='';if(e[b('0x15')]){Z=b('0x15');a0=e['jwtToken'];}else if(e[b('0x13')]){Z='accessToken';a0=e[b('0x13')];}if(e[b('0x16')]){Y[b('0x44')]('name','samlResponse');Y['setAttribute']('value',e[b('0x16')]);X[b('0x53')](Y);var a1=document['createElement'](b('0x51'));a1[b('0x44')](b('0x41'),'RelayState');a1[b('0x44')]('hidden',!![]);a1[b('0x44')](b('0x54'),e[b('0x12')]);X['appendChild'](a1);}else{Y[b('0x44')]('name',Z);Y['setAttribute']('value',a0);X[b('0x53')](Y);var a2=document[b('0x3c')](b('0x51'));a2[b('0x44')](b('0x41'),b('0x55'));a2[b('0x44')](b('0x52'),!![]);a2[b('0x44')]('value',g);X['appendChild'](a2);var a3=document[b('0x3c')](b('0x51'));a3[b('0x44')](b('0x41'),b('0x56'));a3[b('0x44')](b('0x52'),!![]);a3['setAttribute'](b('0x54'),!![]);X['appendChild'](a3);}var a4=document[b('0x3c')](b('0x51'));a4[b('0x44')]('name',b('0x57'));a4[b('0x44')]('hidden',!![]);a4[b('0x44')]('value',W);X[b('0x53')](a4);document[b('0x58')][b('0x53')](X);return{'submitForm':function(){X['submit']();var a5=X[b('0x59')];a5[b('0x27')](X);X=null;}};};var a6=function(a7){var a8='';if(!a7){a7={};}else if(typeof a7==b('0x1c')){a7=ab(a7);}else if(a7!==Object(a7)){a7={};}a7[b('0x5a')]=k;a7[b('0x5b')]=v?v:'v1';if(w){a7['fwType']='mb';}a7[b('0x5c')]=d[b('0x5d')][b('0x5e')];var a9=Object[b('0x5f')](a7);for(var aa=0x0;aa<a9['length'];aa++){if(typeof a7[a9[aa]]==b('0x60')){a8+=encodeURIComponent(a9[aa])+'='+encodeURIComponent(JSON[b('0x61')](a7[a9[aa]]));}else{a8+=encodeURIComponent(a9[aa])+'='+encodeURIComponent(a7[a9[aa]]);}if(aa<a9['length']-0x1){a8+='&';}}return a8;};var ab=function(ac){var ad={};var ae=ac[b('0x7')]('&');for(var af=0x0;ae&&af<ae[b('0x4')];af++){var ag=ae[af][b('0x7')]('=');if(ag&&ag[b('0x4')]>=0x2){ad[ag[0x0]]=ag[0x1];}}return ad;};var ah=function(ai){var aj=new DOMParser()[b('0x62')](ai,b('0x63'));return aj[b('0x64')][b('0x65')]['replace'](/(^")|("$)/g,'');};d[b('0x66')]={'open':x,'close':E};}(window));

 

Edited September 21, 2022 by itman

[itman 1,659]

I scanned the script over at Hybrid-Analysis sandbox web site. It also found suspicious indicators about the script. Appears you have to actually run the script to have these characteristics manifest:

Edited September 21, 2022 by itman

[LuisC 0]

First off, a big thank you to everyone for all of your responses and feedback.  It's been very helpful and greatly appreciated.

Next, just to update everyone.  From messages I've received from the bank, they tested access to their site from many different Anti-Virus vendors, and only ESET triggered in their tests.  They said that they have reached out to ESET regarding this.  I do not know more than that.  I will share as I hear more.

@itman, your posts and screenshots have been especially helpful.   Thank you for taking the time to do all that.

[Marcos 5,074]

The script mentioned in this topic is not detected by ESET. The detection was adjusted several days ago.