Assistance with detecting JS/Spy.Banker.KY on website


Hi Team,

One of our clients purchases equipment from the following website: https://ilsau.com.au
The website frequently triggers a JS/Spy.Banker.KY trojan detection when browsing (usually adding an item to the shopping trolley will trigger it).

The specific file that ESET flags is https://ilsau.com.au/wp-content/themes/ils2020/assets/js/app.js?ver=2.1.0

We've contacted the company that owns the website; however, they're unable to track down the threat.

Would someone be able to provide some clues on where they should look?

Thank you,
Anthony


  • Administrators

Is the threat still being detected? I've added some goods to the cart and proceeded to checkout but didn't get any alert.

Another user posted elsewhere that he found the source of infection in php files in the "classes" folder.


Thanks for looking at it Marcos.

It is still triggering a detection.

This product seems to trigger without even adding it to the cart:

https://ilsau.com.au/product/tens-machine-protens/


Main page ilsau[.]com.au has this in it:
 

<_script type='text/javascript' src='hxxps://ilsau[.]com.au/wp-content/themes/ils2020/assets/js/app.js?ver=2.1.0' id='il2020-app-js-js'></script>

The loaded app.js contains a line with an 'atob' call that loads another, unwanted JS file from a remote server.

That's all we can see from a visitor's point of view. Until you (or a specialized company) clean the server, the detection will always trigger.


8 hours ago, AnthonyIT said:

This product seems to trigger without even adding it to the cart:

https://ilsau.com.au/product/tens-machine-protens/

Just FYI, it doesn't trigger anything when I access it or even add it to the shopping cart.


  • Administrators

Maybe the malicious JS is injected only when the user is from the "right" country, in this case from Australia.


4 hours ago, Marcos said:

Maybe the malicious JS is injected only when the user is from the "right" country, in this case from Australia.

I couldn't get an ESET detection when accessing https://ilsau.com.au/product/tens-machine-protens/ from the U.S. I got as far as the web page for entry of ID and credit card payment details.

-EDIT- I also disabled uBlock Origin and still could not get an ESET detection. However, Firefox still has native protections built in, and I do have those set to "Strict" mode.

The question is whether ESET will throw a detection for Edge, Chrome, etc.


Thank you for all your responses.

I've passed on this information to the website owners in the hope that it will give them some more clues as to where to look.

Note that the product I linked before, https://ilsau.com.au/product/tens-machine-protens/, is no longer triggering an alert; however, clicking around the site (going into products, hitting the back button, etc.) eventually triggers it.

It almost appears random in nature, and the malicious JS is generated on the fly.

I'm running ESET Endpoint Security 10.0.2045.0, detection engine version 27404.
Chrome Version 114.0.5735.110.

Will report back here if I have any more info.

