Threat: JS/Spy.Banker.LQ trojan from https://learningexpress.com/

[Richard Orabona 0]

Hello,

New to ESET. Our sales team was trying to log onto their customer's portal https://learningexpress.com/, and received the JS Spybanker error. 

I reviewed a few other similar threads and was able to search in the code for ParentNode and found the below. How can I know what script is causing this and if it's actually bad or not?

 

(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-NNC89FK');

!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
// Insert Your Custom Audience Pixel ID below. 
fbq('init', '1698256930387984');
fbq('track', 'PageView');
 

[Marcos 4,694]

Searching for "r=> r.blob()" should help you locate the malicious JS.