
Malicious website submissions are ignored



This has been happening for a long time. Any malicious/phishing websites I submit, either via email, via the product itself or via the dedicated phishing submission page, are ignored 9/10 times, which is rather frustrating.

Here's a VT link of a malicious source which should be blacklisted:

https://www.virustotal.com/gui/url/c91f1cad547f7897d997b0dc1c5b8a423324b871e14293f79bf7dc5012e4b4bb/detection


  • Administrators

1, Unlike detection of files, blacklisting URLs is much trickier if there's no evidence of malware being served from a specific URL, and it's often a subjective decision whether or not to block a specific URL. Blindly blacklisting everything that users report would result in many false positives.

For instance, in the above example hxxps://s2-3gd3ffal97d3d825-1323685272.tcloudbaseapp.com/s1/index.htm doesn't look malicious, but its content looks suspicious:


The actual reason for blocking is the file it points to (/第陆批次表格.exe), which translates to "The sixth batch of forms.exe" and indeed sounds like malware.


2, The last email submission to samples[at]eset.com from your forum email address was from March.

3, You can never know if a particular url is blacklisted or not. For instance, you might check a specific domain in VirusTotal but in fact we could block the url with a full or partial path to the malware, especially if the website is perfectly legitimate but was compromised.

 

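Point 3 above is worth seeing in code: a URL blocklist can carry entries at different granularities, and a domain-only reputation check cannot see the path-scoped ones. The following is an added illustration, not ESET's code or data; the blocklist entries, hosts and paths are constructed sample values, and the three entry kinds (`host`, `prefix`, `url`) are an assumed layout chosen for the example.

```python
"""Added example (not ESET's code): why a domain-level lookup can miss a
URL block. The blocklist below is constructed sample data with three
assumed entry kinds:
  host   - block the whole host and all of its subdomains
  prefix - block everything under one path on an otherwise legitimate host
  url    - block exactly one resource
"""

from urllib.parse import urlsplit, unquote

BLOCKLIST = [
    ("host", "malware-cdn.test"),
    ("prefix", "compromised-shop.example/wp-content/uploads/2024/"),
    ("url", "cloud-app.test/s1/第陆批次表格.exe"),
    ("url", "cloud-app.test/dl/setup v2.exe"),
]


def normalize(url: str) -> tuple:
    """Split a URL into (host, path): scheme-agnostic, host lower-cased,
    path percent-decoded so encoded and literal forms compare equal."""
    if "://" not in url:
        url = "http://" + url          # bare host or host/path input
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path) or "/"
    return host, path


def _split_entry(value: str) -> tuple:
    """Entries are stored as 'host/path'; return (host, '/path')."""
    host, _, path = value.partition("/")
    return host.lower(), "/" + path


def lookup(url: str):
    """Return the (kind, value) entry that blocks url, or None."""
    host, path = normalize(url)
    for kind, value in BLOCKLIST:
        entry_host, entry_path = _split_entry(value)
        if kind == "host":
            if host == entry_host or host.endswith("." + entry_host):
                return kind, value
        elif host == entry_host:
            if kind == "prefix" and path.startswith(entry_path):
                return kind, value
            if kind == "url" and path == entry_path:
                return kind, value
    return None


def domain_only_lookup(domain: str):
    """What a domain-level reputation check sees: only whole-host entries.
    Path-scoped blocks on the same host are invisible at this level."""
    host, _ = normalize(domain)
    for kind, value in BLOCKLIST:
        entry_host, _ = _split_entry(value)
        if kind == "host" and (host == entry_host or host.endswith("." + entry_host)):
            return kind, value
    return None


if __name__ == "__main__":
    samples = [
        "https://compromised-shop.example/",
        "https://compromised-shop.example/wp-content/uploads/2024/invoice.exe",
        "http://cloud-app.test/dl/setup%20v2.exe",
        "https://files.malware-cdn.test/anything",
    ]
    for s in samples:
        print(f"{s}\n  full URL: {lookup(s)}\n  domain only: {domain_only_lookup(s)}")
```

The compromised-shop host shows the point: its front page is not blocked and a domain lookup returns nothing, yet a download under the blocked path prefix is caught. Percent-decoding before comparison keeps `%20` and a literal space from being treated as two different resources.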

45 minutes ago, Marcos said:

2, The last email submission to samples[at]eset.com from your forum email address was from March.

I have seen this type of reply in regard to previous submission postings by @SeriousHoax. It appears that for some unknown reason his submissions are not being received by Eset or, if received, not being acknowledged and reviewed.

I believe it's time Eset created a web-based submission site similar to Kaspersky's Threat Intelligence Portal: https://opentip.kaspersky.com/.


3 hours ago, Marcos said:

1, Unlike detection of files, blacklisting URLs is much trickier if there's no evidence of malware being served from a specific URL, and it's often a subjective decision whether or not to block a specific URL. Blindly blacklisting everything that users report would result in many false positives.

For instance, in the above example hxxps://s2-3gd3ffal97d3d825-1323685272.tcloudbaseapp.com/s1/index.htm doesn't look malicious, but its content looks suspicious:


The actual reason for blocking is the file it points to (/第陆批次表格.exe), which translates to "The sixth batch of forms.exe" and indeed sounds like malware.


2, The last email submission to samples[at]eset.com from your forum email address was from March.

3, You can never know if a particular url is blacklisted or not. For instance, you might check a specific domain in VirusTotal but in fact we could block the url with a full or partial path to the malware, especially if the website is perfectly legitimate but was compromised.

 

Yeah, I sent this because it was redirecting to download a malicious exe file. If telemetry was collected on the link, then I would assume that some of ESET's automated URL analysis probably would've been able to auto-blacklist it. SmartScreen on MS Edge didn't block the link a couple of days ago, but yesterday it was auto-blacklisted as soon as it was redirecting to the malicious exe file. I guess that it was done by their automated analysis, since it is connected to Microsoft Defender telemetry, which can detect the downloaded malware.

I submitted this link via ESET's dedicated Phishing submission page (even though it doesn't necessarily fit the phishing category), since I had less luck submitting malicious sites via email. I usually don't use my forum email for submission since Gmail doesn't allow attachments, and sharing links are also sometimes blacklisted by Gmail.

2 hours ago, itman said:

I have seen this type of reply in regard to previous submission postings by @SeriousHoax. It appears that for some unknown reason his submissions are not being received by Eset or, if received, not being acknowledged and reviewed.

I believe it's time Eset created a web-based submission site similar to Kaspersky's Threat Intelligence Portal: https://opentip.kaspersky.com/.

Had some luck with malware submission lately but not so much for submitting malicious/phishing URLs. 

A web-based submission page must be made. Sending samples via email is very old-school and unreliable; as I said, email providers like Gmail don't even let you attach password-protected archives. Every decently popular AV vendor out there has an online submission portal. I don't understand how ESET is yet to have one after all these years.


For what it is worth, Eset now classifies the domain as malicious; assumed by blacklist.

On the other hand, the domain is no longer reachable:

[Screenshot: Eset classifying the domain as malicious]


On 7/27/2024 at 12:23 AM, itman said:

For what it is worth, Eset now classifies the domain as malicious; assumed by blacklist.

On the other hand, the domain is no longer reachable;


Yeah, ESET has added it to the blacklist. The website is active again.


1 hour ago, SeriousHoax said:

Don't know what to make of this one.

When I scan the domain at URLVoid: https://www.urlvoid.com/scan/phishtank.com/, it shows a PhishTank detection. However, when I search for the domain at the PhishTank web site: https://www.phishtank.com/, it shows no matches. Perhaps it was a private submission?


  • Administrators

Copilot says: Yes, StreamBoo appears to be a scam. It is commonly offered by botted accounts on platforms like Twitch during streams, which is how they do most of their marketing. Additionally, Scamadviser gives the website a very low trust score, indicating potential risk. If you're looking for a Twitch growth service, I recommend exploring alternative options.

We've blocked it as scam as of now. Will see if there are any legal complaints about it.


1 hour ago, itman said:

Don't know what to make of this one.

When I scan the domain at URLVoid: https://www.urlvoid.com/scan/phishtank.com/, it shows a PhishTank detection. However, when I search for the domain at the PhishTank web site: https://www.phishtank.com/, it shows no matches. Perhaps it was a private submission?

That's possible I guess.

 

27 minutes ago, Marcos said:

Copilot says: Yes, StreamBoo appears to be a scam. It is commonly offered by botted accounts on platforms like Twitch during streams, which is how they do most of their marketing. Additionally, Scamadviser gives the website a very low trust score, indicating potential risk. If you're looking for a Twitch growth service, I recommend exploring alternative options.

We've blocked it as scam as of now. Will see if there are any legal complaints about it.

Thanks for the quick resolution.


2 hours ago, SeriousHoax said:

This version of the installer has 0 detections.

2 hours ago, SeriousHoax said:

This version of the installer has malware detections (3). Note that Kaspersky no longer detects it.

Not sure this is really malware.


2 hours ago, itman said:

This version of the installer has 0 detections.

4 hours ago, SeriousHoax said:

I tested it myself today (not against ESET though); it is indeed malicious. It leaves remnants of what it steals in the temp folder.

2 hours ago, itman said:

This version of the installer has malware detections (3). Note that Kaspersky no longer detects it.

Not sure this is really malware.

It's also malicious. It was tested by some other people against various products and was sent to Kaspersky yesterday, when they created the signature, and it is still detected by them.

All of these are Electron-based info stealers. There is a new variant almost every day, and it is hard to keep up with them. Signature-based detections are definitely not going to cut it most of the time, and even other well-known products with good behavior blockers are often struggling against these.


8 minutes ago, itman said:

I went to the web site: https://kyrazon.com and downloaded what was offered. The download is a .rar.

Submitted it to VirusTotal and the result was zero detections: https://www.virustotal.com/gui/file/094941fcaa5f861229ed6076472ef4086752691b36f2ff640b97dce102d86245?nocache=1

The archive is password protected. The password is: "KS2024"


4 minutes ago, SeriousHoax said:

The archive is password protected. The password is: "KS2024"

I am not going to attempt to run the .rar. However, I saw it decompressing, etc. at VT to 85MB. It couldn't do that if it was password protected.


12 minutes ago, itman said:

I am not going to attempt to run the .rar. However, I saw it decompressing, etc. at VT to 85MB. It couldn't do that if it was password protected.

I have it on my PC right now. As I said, I even tested it in my VMs. It is password protected.

https://postimg.cc/2qF885v8


1 hour ago, SeriousHoax said:

I have it on my PC right now. As I said, I even tested it in my VMs. It is password protected.

https://postimg.cc/2qF885v8

OK ....................

I extracted the .rar to get the .exe. It's the same file as scanned here: https://www.virustotal.com/gui/file/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0/detection, which has zero detections.

Hybrid-Analysis scan: https://www.hybrid-analysis.com/sample/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0 rated it suspicious.

As such, a download from the web site is not serving up the malicious version. Don't know where the malicious version came from.


BTW, there is a posting on analysis of this malware here: https://malwaretips.com/threads/another-evasive-discord-token-stealer-disguised-as-pc-game-🎮☠️.132268/#post-1095690

The significant posting is:

Quote

But the most interesting thing is, it seems to be pushing 2 different versions. Mine didn't have reg.exe anywhere in the chain. I turned application control off to see the whole chain. @Shadowra and @Andrew3000 detections are the same (clipbanker/Nova) but mine is RiseProStealer. Mine attempted to connect to some suspicious URLs such as oshi(.)net (not observed on Andrew300's test). Needless to say, the connection failed: untested/uncategorised URLs and domains are blocked under my policy.
Mine has a file kyrazongodot.exe, which is not on Andrew300's forensics report.

Most likely depending on the region or other system information, it decides what to deploy.

As such, the web site, https://kyrazon.com/, needs to be blacklisted by Eset. Forget about trying to detect what the web site downloads, since it would be an effort in futility.


11 hours ago, itman said:

As such, a download from the web site is not serving up the malicious version. Don't know where the malicious version came from.

A download from the website is serving the malicious version, but it received an update a few days ago. On Malwaretips two links were shared to download the malware: one from Triage, one from the malicious site. They are different samples. The Triage one is probably an older variant.

But anyway, both were able to steal data when I tested myself yesterday.


  • Administrators

We'll check it out. It's likely that the installer won't install the application as VBS/Runner.NQE trojan is detected upon attempting to run an executable from a temp. folder. The detection has been there since 2021.

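The detection Marcos describes above keys on one behaviour: an executable being started out of a temp folder. As an added illustration (not ESET's detection logic, and not how VBS/Runner.NQE is actually implemented), here is a small host-based rule in that spirit run over constructed process-creation log lines. The log format, the script-host list and the severity levels are assumptions made for the example.

```python
"""Added example (not ESET's code): flag executables launched from a temp
directory, with a higher severity when the parent is a script host.
SAMPLE_LOG is constructed data in an assumed tab-separated layout:
    parent_image <TAB> image
"""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events (not real telemetry).
SAMPLE_LOG = (
    "C:\\Windows\\System32\\wscript.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\nsz1A2B.tmp\\installer.exe\n"
    "C:\\Windows\\explorer.exe\tC:\\Program Files\\Editor\\editor.exe\n"
    "C:\\Users\\u\\Downloads\\game-setup.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\7zS4F1\\setup.exe\n"
    "C:\\Windows\\System32\\cscript.exe\tC:\\Windows\\System32\\ipconfig.exe\n"
)

# Assumed list of script hosts whose children deserve extra scrutiny.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Matches a \Temp\ or \Tmp\ path component anywhere in a Windows path.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent: str
    image: str


def parse_log(text: str) -> List[ProcessEvent]:
    """Turn the tab-separated sample format into events; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image = line.split("\t", 1)
        events.append(ProcessEvent(parent, image))
    return events


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Severity for events worth alerting on, else None.
    high:   .exe launched from a temp directory by a script host
    medium: .exe launched from a temp directory by anything else
    """
    if not ev.image.lower().endswith(".exe"):
        return None
    if not TEMP_DIR_RE.search(ev.image):
        return None
    if basename(ev.parent) in SCRIPT_HOSTS:
        return "high"
    return "medium"


def run_detection(text: str) -> List[Tuple[str, str]]:
    """Evaluate every event; return (severity, image) for each hit."""
    hits = []
    for ev in parse_log(text):
        severity = classify(ev)
        if severity:
            hits.append((severity, ev.image))
    return hits


if __name__ == "__main__":
    for severity, image in run_detection(SAMPLE_LOG):
        print(f"[{severity}] executable started from temp dir: {image}")
```

On the sample data the wscript-spawned installer is rated high and the setup.exe unpacked by a downloaded installer is rated medium, while the normal program launch and the cscript-spawned system tool are ignored. A rule this simple will fire on legitimate NSIS and 7-Zip self-extractors too, which is exactly why a vendor pairs it with a specific signature rather than blocking on the path alone.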

7 hours ago, SeriousHoax said:

On Malwaretips two links were shared to download the malware: one from Triage, one from the malicious site. They are different samples. The Triage one is probably an older variant.

Below is an explanation for what I believe is going on here:

Quote

The Discord-based infostealing campaign operators strategically compromised the accounts of French gaming influencers by exploiting their credibility to disseminate enticing messages.

These messages promise exclusive access to a seemingly harmless and legitimate game. In addition, the threat actors distributed these messages through Discord channels and private messages, each containing a link. Consequently, once the recipients click the link, they unknowingly initiate the download of a malicious file or are redirected to a fraudulent website.

In addition, the malicious operation utilized the fake websites and activated connections to ipinfo[.]io, which allowed the threat actors to extract the victims’ IP addresses. Users will unintentionally initiate info-stealing malware once they click the download button on the fake website. The attack conceals the malware within a password-protected rar archive, a zip file, or an executable file.

Further investigations also showed the involvement of multiple info-stealer strains, such as BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer. There is ongoing analysis on BBy Stealer and Nova Sentinel, but researchers discovered that Doenerium and Epsilon Stealer are also openly accessible on GitHub and Telegram.

Researchers noted that the Nova Sentinel malware could steal Discord information, crypto wallets, sensitive browser data, and even capture screenshots, while French-speaking users actively promote the latter on Telegram.

https://izoologic.com/industry/gaming/discord-based-infostealing-campaign-attacks-gamers/

Bottom line here. Stay away from anything offering a free game download. To quote an old American truism, "There's no such thing as a free lunch." Ref.: https://en.wikipedia.org/wiki/No_such_thing_as_a_free_lunch


11 hours ago, Marcos said:

We'll check it out. It's likely that the installer won't install the application as VBS/Runner.NQE trojan is detected upon attempting to run an executable from a temp. folder. The detection has been there since 2021.

Quote

But anyway, both were able to steal data when I tested myself yesterday.

In reference to the game download sample that no one at VT detects and CrowdStrike detects as suspicious, below is a screenshot from the CrowdStrike run-time analysis of the downloaded .exe:

[Screenshot: CrowdStrike run-time analysis of the downloaded .exe]

It appears there are two installers being created. The actual malicious one is installer.exe: https://www.hybrid-analysis.com/sample/a361465a9b8ccd239c2499e0c044b9acb2cd787d2913750a245fe707737e90c7, most likely the infostealer. Of significance is nsis7z.dll, which CrowdStrike detects with high confidence as malicious while no one at VT detects it: https://www.hybrid-analysis.com/sample/b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

My guess is there is other code being deployed that conditions the execution of installer.exe. Also, installer.exe connects to an IP address in France. As such, the assumption that the infostealer is being deployed on a geographic basis might be correct.


Another reason to stay away from unknown game web sites:

Quote

A massive Magniber ransomware campaign is underway, encrypting home users' devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.

Unlike the larger ransomware operations, Magniber has primarily targeted individual users who download malicious software and execute it on their home or small business systems.

Ongoing Magniber campaign

Since July 20, BleepingComputer has seen a surge in Magniber ransomware victims seeking help in our forums.

Ransomware identification site ID-Ransomware has also seen a surge, with almost 720 submissions to the site since July 20, 2024.

While it is unclear how victims are being infected, BleepingComputer has been told by a few victims that their device was encrypted after running software cracks or key generators, which is a method the threat actors used in the past.

As Magniber typically targets consumers, the ransom demands start at $1,000 and then increase to $5,000 if a Bitcoin payment is not made within three days.

Unfortunately, there is no way to decrypt files encrypted by the current versions of Magniber for free.

It is strongly advised to avoid software cracks and key generators, as they are not only illegal but also a common method used to distribute malware and ransomware.

https://www.bleepingcomputer.com/news/security/surge-in-magniber-ransomware-attacks-impact-home-users-worldwide/

