s/spy.banker.iv false positive or true ?


1 hour ago, Marcos said:

And yes, the detection occurs under specific conditions.

Can you be more "specific" please???

Which specific conditions???? On my PC (with NOD32), opening

hxxps://www.domainedestrottieres.com/connexion?back=https%3A%2F%2Fwww.domainedestrottieres.com%2Fcommande%3Fstep%3D1

triggers a detection each and every time.


  • Administrators
6 minutes ago, rotaru said:

Can you be more "specific" please???

Which specific conditions???? On my PC (with NOD32)

 

On 4/5/2023 at 3:54 PM, itman said:

Mouse click on the shopping cart tab located in Visa/Mastercard area of the web page.

On the next web page displayed, mouse click on the "Commander" button


Hello,

Thank you everyone,
I have for the moment found and deleted the malicious code but only with a backup.
I couldn't find how it happened...
I will monitor the website and see if it comes back.

 

Franck

 

 


5 hours ago, franck said:

I couldn't find how it happened...

I assume this is a magecart attack:

Quote

What Can Merchants Do to Prevent Magecart Attacks?

To reduce the risk of Magecart and other types of client-side attacks, take the following steps:

  • Identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on your website.
  • Ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware.
  • Switch from third-party to first-party services – whenever possible, prefer to run software on your own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors.
  • Implement HTTP Content-Security-Policy headers – provides an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks.

Today, there are dedicated solutions that handle client-side protection and help prevent Magecart attacks.

https://www.imperva.com/learn/application-security/magecart/ .

Here are details on one of the recent magecart attack methods:

Quote

The recent attack aimed to steal sensitive information from visitors on checkout pages and forms. The attackers were able to inject a malicious inline JavaScript code into the targeted websites by exploiting a vulnerability. The skimmer used techniques such as impersonating a legitimate third-party vendor, like Google Tag Manager, and hiding the malicious code through Base64 encoding. 

https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager

Also, this technique which is a new one:

Quote

To evade detection, the threat actors are now injecting malicious scripts directly into the site's payment gateway modules used to process credit card payments on checkout.

As these extensions are usually only called after a user submits their credit card details and checks out at the store, it may be harder to detect by cybersecurity solutions.

https://www.bleepingcomputer.com/news/security/hackers-inject-credit-card-stealers-into-payment-processing-modules/

For a starter mitigation, you need to update your php software: https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html

BTW - the malware is still present on your web site which can be verified as shown here: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=165005

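The Imperva steps quoted above (inventory the third-party JavaScript, add a Content-Security-Policy) can be turned into a repeatable check. The Python below is an added example, not code from this thread, from ESET or from Imperva: it lists the scripts a checkout page loads, separates first-party from third-party origins, and reports the script-src weaknesses that matter for client-side skimming ('unsafe-inline' without a nonce or hash, wildcards, and hosts the page loads that the policy does not name). The HTML, the policy string and the host names are constructed placeholders.

```python
"""Inventory the scripts a checkout page loads and check them against a
Content-Security-Policy header.

Added example; not code from the forum thread, from ESET or from Imperva.
SAMPLE_HTML, SAMPLE_CSP and SITE_HOST are constructed for this demonstration;
the host names in them are placeholders, not real infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # constructed: the storefront's own host name

# Constructed checkout page: one first-party script, two third-party scripts,
# and one inline block (the channel an injected skimmer typically uses).
SAMPLE_HTML = """<html><head>
<script src="/js/theme.js"></script>
<script src="https://tagmanager.example/gtm.js?id=PLACEHOLDER"></script>
<script src="https://cdn.example-stats.invalid/track.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>"""

# Constructed policy: names the tag manager host but also allows 'unsafe-inline'.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://tagmanager.example 'unsafe-inline'"


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser already lower-cases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def inventory_scripts(html, site_host):
    """Split script URLs into first-party and third-party; count inline blocks."""
    collector = ScriptCollector()
    collector.feed(html)
    first_party, third_party = [], []
    for src in collector.external:
        host = urlparse(src).hostname  # None for relative URLs such as /js/theme.js
        (first_party if host in (None, site_host) else third_party).append(src)
    return first_party, third_party, collector.inline


def parse_csp(header):
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(source, host):
    """True if one CSP host-source expression covers host (scheme/port simplified)."""
    src = source.lower()
    if src == "*":
        return True
    if src.startswith("'"):            # keywords, nonces, hashes are not host sources
        return False
    if "://" in src:
        src = src.split("://", 1)[1]   # drop scheme
    src = src.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    if src.startswith("*."):
        return host.endswith(src[1:])  # '*.cdn.example' covers a.cdn.example
    return host == src


def check_csp(header, third_party_hosts):
    """Findings relevant to client-side skimming, derived from script-src."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src"))
    findings = []
    if script_src is None:
        findings.append("no script-src or default-src: any script origin is allowed")
        return findings
    lowered = [s.lower() for s in script_src]
    if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
        findings.append("wildcard in script-src: scripts from any host are allowed")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script-src: injected inline script would run")
    for host in third_party_hosts:
        if not any(source_allows(s, host) for s in script_src):
            findings.append(f"{host} is loaded by the page but absent from script-src")
    return findings


def audit_page(html, site_host, csp_header):
    """Full report: script inventory plus policy findings."""
    first_party, third_party, inline = inventory_scripts(html, site_host)
    third_hosts = sorted({urlparse(u).hostname for u in third_party})
    return {
        "first_party": first_party,
        "third_party": third_party,
        "inline_scripts": inline,
        "findings": check_csp(csp_header, third_hosts),
    }


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, SITE_HOST, SAMPLE_CSP).items():
        print(f"{key}: {value}")
```

Run it against the saved HTML and the CSP response header of the real checkout page. The 'unsafe-inline' finding is the one to act on first here, because the Akamai write-up quoted above describes an inline injection; moving inline blocks to nonce-protected scripts makes such an injection fail to execute in browsers that enforce the policy. The check is only as good as the inventory: it reads one static page, so scripts added later by other scripts, or served only at a later checkout step, are not seen.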

Hello,

My client informs me that the malicious code is still present, my antivirus does not detect it, and I no longer have the JS code that Marcos had found.
Is the site still infected?

thanks


Marcos

Could you give me a part of the JS code?

To allow me to detect it, because I have no other solution?

Quttera says 0 malware...

many thanks for your help


5 minutes ago, franck said:

 

quttera says 0 malware ...

 

Out of curiosity I tested it with Kaspersky Free and BitDefender Free: both of them would detect the link as "malicious"


  • 1 month later...

ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected.
We're almost sure it's a false positive. Can you consider that?


  • Administrators
9 minutes ago, julen said:

ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected.
 

The website is indeed infected:

[screenshots]


Don't understand what has happened:
I scanned the site with VirusTotal right now and the result is not the same:

[screenshot]


  • Administrators
10 minutes ago, julen said:

Don't understand what has happened:
I scanned the site with VirusTotal right now and the result is not the same:

You have checked if the website is blacklisted by particular security products. ESET did not blacklist the website just because malware was found there. What you should do is upload an infected file to VT.

Quote

Can tell me in which file(s) found the infection?

You may not find the malicious code easily since it's injected runtime when specific conditions are met. I'd recommend contacting a website cleaning service such as sucuri.net.


Quote

You have scanned the website for the presence on blacklists. What you should do is upload an infected file to VT.

The site doesn't allow uploading any file.

Quote

You may not find the malicious code easily since it's injected runtime when specific conditions are met. I'd recommend contacting a website cleaning service such as sucuri.net.

Well, seems as if ESET was
OK, understood. So, if code is injected at runtime (let's say, when the JS bundle is generated), which is responsible for this injection? I suppose it should be code that resides on the site, right?
I didn't find any information about this "injector".
On the other hand, the file scanned

  • Administrators
  1 hour ago, julen said:

ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected.

The website is indeed infected:

[screenshots]

that appears as infected has 762,67 KB. In any case the site generates a bundle with this size, so where is the scanned file from?

2 hours ago, julen said:

OK, understood. So, if code is injected at runtime (let's say, when the JS bundle is generated), which is responsible for this injection? I suppose it should be code that resides on the site, right?
I didn't find any information about this "injector".

Your web site is being injected with magecart malware. It will only manifest when an order is placed;

[screenshot: Eset_Order.png]

 

at which time, Eset will detect the malware and block any further communication;

[screenshot: Eset_Magecart.png]

Refer to this article for further details: https://www.bleepingcomputer.com/news/security/hackers-inject-credit-card-stealers-into-payment-processing-modules/

Additional magecart malware references posted previously in this thread:

https://www.imperva.com/learn/application-security/magecart/

https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager


Well, thanks a lot for the information.
Finally, found infected files and remove the malicious code.
I want to congratulate ESET. It's the only antivirus application on the client side (from all our customers) that detected the infection.
And, most important, I want to apologize if I have defended the "false positive" option too much; the tools we have used to scan the server have confused us.
Once again, THANKS


 

  • Administrators
26 minutes ago, julen said:

Finally, found infected files and remove the malicious code.

Could you please share information about what files contained the malicious code that could help other users with this infection on their website?


Quote

Could you please share information about what files contained the malicious code that could help other users with this infection on their website?

Of course.

Platform is Prestashop 1.7
files infected were:

  • classes/Product.php
  • classes/Store.php
  • classes/Dispatcher.php
  • classes/Hook.oho
  • classes/Tools.php
  • classes/controller/ModuleFrontController.php
  • classes/controller/Controller.php
  • classes/controller/FrontController.php
  • classes/shop/Shop.php


Best way to clean infected files is to restore them from a backup.
If that is not possible or you don't have a recent backup (!!!!!!), download Prestashop from the official site (same version) and overwrite the infected files.
I hope this can help other users, as Marcos says.

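julen's cleanup advice (restore from backup, or overwrite with the same release from the official site) assumes you know which files were touched. The Python below is an added example, not code from this thread, from ESET or from PrestaShop: it hashes every file under a site tree and under a pristine copy of the same release, then reports modified, added and missing files, with an ignore list for paths that legitimately differ (site-specific configuration). The directory trees, their contents, the classes/Hook.php name and the "app/config/" prefix are constructed placeholders; the thread's own list of classes/*.php files is the kind of result this would surface.

```python
"""Compare a PrestaShop install against a pristine copy of the same release
and list the files that differ.

Added example; not code from the forum thread, from ESET or from PrestaShop.
Both directory trees are constructed in a temporary folder so the script
runs offline; file contents are placeholders, not real PrestaShop code and
not real malicious code. The tampered paths reuse the classes/ layout
reported in the thread; which paths hold site-specific configuration in a
given release is an assumption, passed in as ignore_prefixes.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(site_root, reference_root, ignore_prefixes=()):
    """Report modified, added and missing files relative to the reference.

    Paths starting with any ignore prefix (site-specific config, uploads) are
    left out so the report only lists files that should match the release.
    """
    def keep(rel):
        return not rel.startswith(tuple(ignore_prefixes))

    site = {k: v for k, v in hash_tree(site_root).items() if keep(k)}
    ref = {k: v for k, v in hash_tree(reference_root).items() if keep(k)}
    return {
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
        "added": sorted(p for p in site if p not in ref),
        "missing": sorted(p for p in ref if p not in site),
    }


def build_demo_trees(base):
    """Constructed sample: a release tree and a site tree with two tampered files."""
    ref = Path(base) / "release"
    site = Path(base) / "site"
    placeholder = {
        "classes/Product.php": "<?php /* placeholder core file */\n",
        "classes/Hook.php": "<?php /* placeholder core file */\n",
        "classes/controller/FrontController.php": "<?php /* placeholder core file */\n",
        "app/config/parameters.php": "<?php /* placeholder config */\n",
    }
    for rel, body in placeholder.items():
        for root in (ref, site):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Legitimate difference: the live site carries its own configuration values.
    (site / "app/config/parameters.php").write_text("<?php /* placeholder: site-specific values */\n")
    # Tampering: extra code appended to a core file, and a stray file dropped into classes/.
    with open(site / "classes/Product.php", "a") as fh:
        fh.write("/* constructed marker standing in for injected code */\n")
    (site / "classes/.cache.php").write_text("<?php /* constructed: not part of the release */\n")
    return site, ref


def run_demo():
    """Build the sample trees and return the raw and the filtered report."""
    with tempfile.TemporaryDirectory() as tmp:
        site, ref = build_demo_trees(tmp)
        return {
            "raw": compare_trees(site, ref),
            "filtered": compare_trees(site, ref, ignore_prefixes=("app/config/",)),
        }


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label)
        for kind, paths in report.items():
            print(f"  {kind}: {paths}")
```

Point it at the live web root and at an unpacked copy of the identical PrestaShop version, and review every "added" and "modified" path; an unknown .php file under classes/ or a core file whose hash changed is where to look first. Two caveats: a backdoor can live outside the core tree (modules, uploads, .htaccess, cron entries), so do not restrict the comparison to classes/, and a clean diff today proves nothing about tomorrow unless the vulnerability used to plant the code, which nobody in this thread could identify, is patched.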

29 minutes ago, julen said:

Platform is Prestashop 1.7

You might find this article informative: https://www.getastra.com/blog/911/prestashop-malware-infection/ .

29 minutes ago, julen said:

Best way to clean infected files is to restore them from a backup.

There are numerous vulnerabilities in Prestashop 1.7 noted in the above linked article that need to be addressed, lest you get infected again.


  • Administrators
33 minutes ago, julen said:

files infected were:

  • classes/Product.php
  • classes/Store.php
  • classes/Dispatcher.php
  • classes/Hook.oho
  • classes/Tools.php
  • classes/controller/ModuleFrontController.php
  • classes/controller/Controller.php
  • classes/controller/FrontController.php
  • classes/shop/Shop.php

Please compress them with the password "infected" and upload them here (only ESET staff can access attachments).


itman, thanks for the link.
I will read it carefully, don't hesitate.
As far as I know, the Prestashop forums and Prestashop itself published (well, it is the developer, so not the best tester or critic of its own software) that version 1.7.8.2 (and greater) prevents SQL injection and XSS attacks.
Nevertheless, no one is safe from zero-day vulnerabilities, and hackers are faster than developers at finding them.


1 minute ago, Marcos said:

Please compress them with the password "infected" and upload them here (only ESET staff can access attachments).

Ooops, too late to find all of them (most are deleted). I saved a pair (I think those contain the logic to infect; the deleted ones had a script to include in the HTML sent to browsers as the response). I will compress and send them as you ask.

infected.zip

