Help Detecting the Threat: JS/Spy.Banker.KJ trojan

[dahms 0]

Hi,

We have been told by a customer that our site was not available for some devices when using ESET.
Apparently the site is infected with JS/Spy.Banker.KJ trojan.

Site address is : https://zespa.fr/

I have tried to make a copy of the whole site and run an scan on it using ESET scan feature but nothing is found except in the cache folder where all pages are cached (which makes sense then).

Other than that, no threat seems to be found but we still have the warning when accessing the site so the js must be hidden somewhere.
Can you guys help us locate the threat ?

Thanks a lot,

Best

[Marcos 5,090]

The detection is correct. The malware can be encrypted and hiding anywhere, e.g. in a database as it was here: https://forum.eset.com/topic/36848-jsspybankerkn

[dahms 0]

Thanks for your quick answer.

I have access to the database through DBeaver but I don't know what to look for.
Would you have any suggestions ?

Also how can I be sure the malignant js is not located in the server files ?

Thanks.

Best,

[Marcos 5,090]

It's probably this whole script that loads with the default html file:

[dahms 0]

I have tried to find the js by making search (looking for "blob") in all the DB tables but found nothing.

Since it seems to be injected in the Google Tag Manager script I have also tried to look up every GTM tags but nothing there as well.

Please find as an attached file how the GTM script is implemented on the site.

I have double checked and this is the right script directly from the implementation guide provided by Google.

What would you recommend ?

[Marcos 5,090]

I would recommend contacting a website cleaning and monitoring service, such as sucuri.net.

[itman 1,668]

Sucuri found magneto card stealing malware in multiple locations on the web site: https://sitecheck.sucuri.net/results/https/zespa.fr .

[dahms 0]

Thanks for your help guys.

I was already aware of Sucuri site check results as I have installed the plugin on the infected wordpress site.

I have looked into website cleaning and monitoring services such as sucuri.net but those are quite expensive and do not seem to work for one-time intervention. 

Any other lead I could follow in order to solve the issue myself ?
I have all the access required both for server and database files.

Thanks !

[itman 1,668]

31 minutes ago, dahms said:

Any other lead I could follow in order to solve the issue myself ?

Sucuri has an article on how clean a web site of magneto malware: https://sucuri.net/guides/how-to-clean-hacked-magento/

[dahms 0]

Hi guys,

Thanks for your help, I have found the issue.

If that can help someone here is how :

It was indeed located inside the database, in the wordpress "options" table. It was the value of one of the element from divi builder. I don't know how it was injected there but I have removed it. 

In order to locate it, I downloaded the whole database as SQL file and I used a code editor to bulk search some special terms in the whole database (like "atob" or "blob").

Have a good day !

Best.