SeriousHoax 87 Posted July 26 This has been happening for a long time. Any malicious/phishing websites I submit, either via email, via the product itself, or via the dedicated phishing submission page, are ignored 9/10 times, which is rather frustrating. Here's a VT link of a malicious source which should be blacklisted: https://www.virustotal.com/gui/url/c91f1cad547f7897d997b0dc1c5b8a423324b871e14293f79bf7dc5012e4b4bb/detection
Administrators Marcos 5,243 Posted July 26 1. Unlike detection of files, blacklisting URLs is much trickier if there's no evidence of malware being served from a specific URL, and it's often a subjective decision whether or not to block a specific URL. Blindly blacklisting everything that users report would result in many false positives. For instance, in the above example hxxps://s2-3gd3ffal97d3d825-1323685272.tcloudbaseapp.com/s1/index.htm doesn't look malicious, but its content looks suspicious: The actual reason for blocking is that the file it points to (/第陆批次表格.exe) translates to "The sixth batch of forms.exe", which indeed sounds like malware. 2. The last email submission to samples[at]eset.com from your forum email address was from March. 3. You can never know if a particular URL is blacklisted or not. For instance, you might check a specific domain in VirusTotal, but in fact we could block the URL with a full or partial path to the malware, especially if the website is perfectly legitimate but was compromised.
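An added example (not ESET's code, and not part of the thread) that illustrates Marcos's third point: a blocklist can hold a bare domain, an exact URL, or a URL path prefix, and a domain-level reputation lookup only sees the first kind, so a compromised-but-legitimate site blocked by path shows up as clean. All blocklist entries and URLs below are constructed placeholders; the defanging forms (hxxps://, [.]) follow the thread's own notation.

```python
"""Constructed example: matching a URL against a mixed blocklist, and
showing why a domain-only lookup misses path-level blocks."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist entries (kind, value); none of these are real.
# "domain" blocks a host and its subdomains, "url" blocks one exact URL,
# "path_prefix" blocks everything under that path on that host.
BLOCKLIST: List[Tuple[str, str]] = [
    ("domain", "evil-downloads.example"),
    ("url", "https://legit-shop.example/wp-content/uploads/forms.exe"),
    ("path_prefix", "https://legit-blog.example/s1/"),
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxps://, [.], (.)) back into a real one for matching."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def normalize(url: str) -> Tuple[str, str]:
    """Return (host, path): host lowercased, empty path treated as '/'."""
    parts = urlsplit(refang(url).strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


def host_matches(host: str, blocked_domain: str) -> bool:
    """True for the domain itself and any of its subdomains."""
    return host == blocked_domain or host.endswith("." + blocked_domain)


def is_blocked(url: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the kind of rule that blocks the URL, or None if it is allowed."""
    host, path = normalize(url)
    for kind, value in blocklist:
        if kind == "domain":
            if host_matches(host, value):
                return kind
            continue
        bhost, bpath = normalize(value)
        if host != bhost:
            continue
        if kind == "url" and path == bpath:
            return kind
        if kind == "path_prefix" and path.startswith(bpath):
            return kind
    return None


def domain_only_check(url: str, blocklist=BLOCKLIST) -> bool:
    """What a domain-level reputation lookup sees: only the 'domain' rules.
    A URL blocked by exact URL or by path prefix looks clean here."""
    host, _ = normalize(url)
    return any(k == "domain" and host_matches(host, v) for k, v in blocklist)
```

Comparing `is_blocked()` with `domain_only_check()` on the same URL shows the gap Marcos describes: the path-blocked page on the constructed legitimate host is blocked by the first and reported clean by the second.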
itman 1,746 Posted July 26 45 minutes ago, Marcos said: 2. The last email submission to samples[at]eset.com from your forum email address was from March. I have seen this type of reply in regards to previous submission postings by @SeriousHoax. It appears for some unknown reason his submissions are not being received by Eset or, if received, not being acknowledged and reviewed. Believe it's time Eset created a web-based submission site similar to Kaspersky's Threat Intelligence Portal: https://opentip.kaspersky.com/
SeriousHoax 87 Posted July 26 (Author) 3 hours ago, Marcos said: 1. Unlike detection of files, blacklisting URLs is much trickier if there's no evidence of malware being served from a specific URL, and it's often a subjective decision whether or not to block a specific URL. Blindly blacklisting everything that users report would result in many false positives. For instance, in the above example hxxps://s2-3gd3ffal97d3d825-1323685272.tcloudbaseapp.com/s1/index.htm doesn't look malicious, but its content looks suspicious: The actual reason for blocking is that the file it points to (/第陆批次表格.exe) translates to "The sixth batch of forms.exe", which indeed sounds like malware. 2. The last email submission to samples[at]eset.com from your forum email address was from March. 3. You can never know if a particular URL is blacklisted or not. For instance, you might check a specific domain in VirusTotal, but in fact we could block the URL with a full or partial path to the malware, especially if the website is perfectly legitimate but was compromised. Yeah, I sent this because it was redirecting to download a malicious exe file. If telemetry was collected on the link, then I would assume that some of ESET's automated URL analysis probably would've been able to auto-blacklist it. SmartScreen on MS Edge didn't block the link a couple of days ago, but yesterday it was auto-blacklisted as soon as it was redirecting to the malicious exe file. I guess that it was done by their automated analysis, since it has a connection to Microsoft Defender telemetry which can detect the downloaded malware. I submitted this link via ESET's dedicated Phishing submission page (even though it doesn't necessarily fit the phishing category) since I had less luck submitting malicious sites via email. I usually don't use my forum email for submission since Gmail doesn't allow attachments, and sharing links are also blacklisted by Gmail sometimes.
2 hours ago, itman said: I have seen this type of reply in regards to previous submission postings by @SeriousHoax. It appears for some unknown reason his submissions are not being received by Eset or, if received, not being acknowledged and reviewed. Believe it's time Eset created a web-based submission site similar to Kaspersky's Threat Intelligence Portal: https://opentip.kaspersky.com/ Had some luck with malware submission lately, but not so much for submitting malicious/phishing URLs. A web-based submission page must be made. Sending samples via email is very old-school and unreliable; as I said, email providers like Gmail don't even let you attach password-protected archives. Every decently popular AV vendor out there has an online submission portal. I don't understand how ESET is yet to have it after all these years.
itman 1,746 Posted July 26 (edited) For what it is worth, Eset now classifies the domain as malicious; assumed by blacklist. On the other hand, the domain is no longer reachable.
SeriousHoax 87 Posted July 29 (Author) On 7/27/2024 at 12:23 AM, itman said: For what it is worth, Eset now classifies the domain as malicious; assumed by blacklist. On the other hand, the domain is no longer reachable. Yeah, ESET has added it to the blacklist. The website is active again.
SeriousHoax 87 Posted July 31 (Author) @Marcos Hi, here's a phishing site. Fake Twitch follower selling website. Along with the VT detections, it is also blacklisted by Avast and Symantec. https://www.virustotal.com/gui/url/369b3079f5a285b123572fce5bafa771d649445e6a1e235301c1822595d284b1/detection
itman 1,746 Posted July 31 (edited) 1 hour ago, SeriousHoax said: https://www.virustotal.com/gui/url/369b3079f5a285b123572fce5bafa771d649445e6a1e235301c1822595d284b1/detection Don't know what to make of this one. When I scan the domain at URLVoid: https://www.urlvoid.com/scan/phishtank.com/ , it shows a PhishTank detection. However, when I search for the domain at the PhishTank web site: https://www.phishtank.com/ , it shows no matches. Perhaps it was a private submission?
Administrators Marcos 5,243 Posted July 31 Copilot says: Yes, StreamBoo appears to be a scam. It is commonly offered by botted accounts on platforms like Twitch during streams, which is how they do most of their marketing. Additionally, Scamadviser gives the website a very low trust score, indicating potential risk. If you're looking for a Twitch growth service, I recommend exploring alternative options. We've blocked it as a scam as of now. Will see if there are any legal complaints about it.
SeriousHoax 87 Posted July 31 (Author) 1 hour ago, itman said: Don't know what to make of this one. When I scan the domain at URLVoid: https://www.urlvoid.com/scan/phishtank.com/ , it shows a PhishTank detection. However, when I search for the domain at the PhishTank web site: https://www.phishtank.com/ , it shows no matches. Perhaps it was a private submission? That's possible, I guess. 27 minutes ago, Marcos said: Copilot says: Yes, StreamBoo appears to be a scam. It is commonly offered by botted accounts on platforms like Twitch during streams, which is how they do most of their marketing. Additionally, Scamadviser gives the website a very low trust score, indicating potential risk. If you're looking for a Twitch growth service, I recommend exploring alternative options. We've blocked it as a scam as of now. Will see if there are any legal complaints about it. Thanks for the quick resolution.
SeriousHoax 87 Posted August 3 (Author) @Marcos Here's a fake game website that is spreading stealer malware. Website: https://www.virustotal.com/gui/url/296e671f04229c2b929d08d8ee07b93ad2e9b3b602b62874d53a8c39a30173b5/detection So far, I've found two different samples from this site. Both are undetected, so signatures should be added for these two also: https://www.virustotal.com/gui/file/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0/detection https://www.virustotal.com/gui/file/c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1/detection
itman 1,746 Posted August 3 (edited) 2 hours ago, SeriousHoax said: https://www.virustotal.com/gui/file/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0/detection This version of the installer has 0 detections. 2 hours ago, SeriousHoax said: https://www.virustotal.com/gui/file/c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1/detection This version of the installer has malware detections (3). Note that Kaspersky no longer detects it. Not sure this is really malware.
SeriousHoax 87 Posted August 3 (Author) 2 hours ago, itman said: This version of the installer has 0 detections. I tested it myself today (not against ESET though); it is indeed malicious. It leaves remnants of what it steals in the temp folder. 2 hours ago, itman said: This version of the installer has malware detections (3). Note that Kaspersky no longer detects it. Not sure this is really malware. It's also malicious. It was tested by some other people against various products and was sent to Kaspersky yesterday, when they created the signature, and it is still detected by them. All these are Electron-based info stealers. There is a new variant almost every day, and it is hard to keep up with them. Signature-based detections are definitely not going to cut it most of the time, and even other well-known products with good behavior blockers often struggle against these.
itman 1,746 Posted August 3 I went to the web site: https://kyrazon.com and downloaded what was offered. The download is a .rar. Submitted it to VirusTotal and the result was zero detections: https://www.virustotal.com/gui/file/094941fcaa5f861229ed6076472ef4086752691b36f2ff640b97dce102d86245?nocache=1
SeriousHoax 87 Posted August 3 (Author) 8 minutes ago, itman said: I went to the web site: https://kyrazon.com and downloaded what was offered. The download is a .rar. Submitted it to VirusTotal and the result was zero detections: https://www.virustotal.com/gui/file/094941fcaa5f861229ed6076472ef4086752691b36f2ff640b97dce102d86245?nocache=1 The archive is password protected. The password is: "KS2024"
itman 1,746 Posted August 3 Next, I submitted the .rar download to Hybrid-Analysis: https://www.hybrid-analysis.com/sample/094941fcaa5f861229ed6076472ef4086752691b36f2ff640b97dce102d86245 . 100% Clean.
itman 1,746 Posted August 3 (edited) 4 minutes ago, SeriousHoax said: The archive is password protected. The password is: "KS2024" I am not going to attempt to run the .rar. However, I saw it decompressing, etc., at VT to 85MB. It couldn't do that if it was password protected.
SeriousHoax 87 Posted August 3 (Author) 12 minutes ago, itman said: I am not going to attempt to run the .rar. However, I saw it decompressing, etc., at VT to 85MB. It couldn't do that if it was password protected. I have it on my PC right now. As I said, I even tested it in my VMs. It is password protected. https://postimg.cc/2qF885v8
itman 1,746 Posted August 3 (edited) 1 hour ago, SeriousHoax said: I have it on my PC right now. As I said, I even tested it in my VMs. It is password protected. https://postimg.cc/2qF885v8 OK .................... I extracted the .rar to get the .exe. It's the same file as scanned here: https://www.virustotal.com/gui/file/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0/detection which has zero detections. Hybrid-Analysis scan: https://www.hybrid-analysis.com/sample/46cdcfc3b2c08ab5e18c7479489989639ebf4b0f5d4fee5ba48f9ed5de6524a0 rated it suspicious. As such, a download from the web site is not serving up the malicious version. Don't know where the malicious version came from.
itman 1,746 Posted August 3 (edited) BTW - there is a posting on analysis of this malware here: https://malwaretips.com/threads/another-evasive-discord-token-stealer-disguised-as-pc-game-🎮☠️.132268/#post-1095690 . The significant posting is: Quote But the most interesting thing is, it seems to be pushing 2 different versions. Mine didn't have reg.exe anywhere in the chain. I turned application control off to see the whole chain. @Shadowra and @Andrew3000 detections are the same (clipbanker/Nova) but mine is RiseProStealer. Mine attempted to connect to some suspicious URLs such as oshi(.)net (not observed on Andrew300's test). Needless to say connection failed — untested/uncategorised URLs and domains are blocked under my policy. Mine has a file kyrazongodot.exe, which is not on Andrew300's forensics report. Most likely depending on the region or other system information, it decides what to deploy. As such, the web site, https://kyrazon.com/ , needs to be blacklisted by Eset. Forget about trying to detect what the web site downloads, since it would be an effort in futility.
SeriousHoax 87 Posted August 4 (Author) 11 hours ago, itman said: As such, a download from the web site is not serving up the malicious version. Don't know where the malicious version came from. A download from the website is serving the malicious version, but it received an update a few days ago. On Malwaretips two links were shared to download the malware. One from Triage, one from the malicious site. They are different samples. The Triage one is probably an older variant. But anyway, both were able to steal data when I tested myself yesterday.
Administrators Marcos 5,243 Posted August 4 We'll check it out. It's likely that the installer won't install the application, as the VBS/Runner.NQE trojan is detected upon attempting to run an executable from a temp folder. The detection has been there since 2021.
itman 1,746 Posted August 4 (edited) 7 hours ago, SeriousHoax said: On Malwaretips two links were shared to download the malware. One from Triage, one from the malicious site. They are different samples. The Triage one is probably an older variant. Below is an explanation for what I believe is going on here: Quote The Discord-based infostealing campaign operators strategically compromised the accounts of French gaming influencers by exploiting their credibility to disseminate enticing messages. These messages promise exclusive access to a seemingly harmless and legitimate game. In addition, the threat actors distributed these messages through Discord channels and private messages, each containing a link. Consequently, once the recipients click the link, they unknowingly initiate the download of a malicious file or are redirected to a fraudulent website. In addition, the malicious operation utilized the fake websites and activated connections to ipinfo[.]io, which allowed the threat actors to extract the victims' IP addresses. Users will unintentionally initiate info-stealing malware once they click the download button on the fake website. The attack conceals the malware within a password-protected rar archive, a zip file, or an executable file. Further investigations also showed the involvement of multiple info-stealer strains, such as BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer. There is ongoing analysis on BBy Stealer and Nova Sentinel, but researchers discovered that Doenerium and Epsilon Stealer are also openly accessible on GitHub and Telegram. Researchers noted that the Nova Sentinel malware could steal Discord information, crypto wallets, sensitive browser data, and even capture screenshots, while French-speaking users actively promote the latter on Telegram. https://izoologic.com/industry/gaming/discord-based-infostealing-campaign-attacks-gamers/ Bottom line here: stay away from anything offering a free game download.
To quote an old American truism, "There's no such thing as a free lunch." Ref.: https://en.wikipedia.org/wiki/No_such_thing_as_a_free_lunch
itman 1,746 Posted August 4 (edited) 11 hours ago, Marcos said: We'll check it out. It's likely that the installer won't install the application, as the VBS/Runner.NQE trojan is detected upon attempting to run an executable from a temp folder. The detection has been there since 2021. Quote But anyway, both were able to steal data when I tested myself yesterday. In reference to the game download sample that no one at VT detects and CrowdStrike detects as suspicious, below is a screenshot from the CrowdStrike runtime analysis of the downloaded .exe: Appears there are two installers being created. The actual malicious one is installer.exe: https://www.hybrid-analysis.com/sample/a361465a9b8ccd239c2499e0c044b9acb2cd787d2913750a245fe707737e90c7 , most likely the infostealer. Of significance is nsis7z.dll, which CrowdStrike detects w/high confidence as malicious, w/no one at VT detecting it: https://www.hybrid-analysis.com/sample/b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 . My guess is there is other code being deployed that conditions the execution of installer.exe. Also, installer.exe connects to an IP address in France. As such, the assumption that the infostealer is being deployed on a geographic basis might be correct.
itman 1,746 Posted August 4 (edited) Another reason to stay away from unknown game web sites: Quote A massive Magniber ransomware campaign is underway, encrypting home users' devices worldwide and demanding thousand-dollar ransoms to receive a decryptor. Unlike the larger ransomware operations, Magniber has primarily targeted individual users who download malicious software and execute it on their home or small business systems. Ongoing Magniber campaign Since July 20, BleepingComputer has seen a surge in Magniber ransomware victims seeking help in our forums. Ransomware identification site ID-Ransomware has also seen a surge, with almost 720 submissions to the site since July 20, 2024. While it is unclear how victims are being infected, BleepingComputer has been told by a few victims that their device was encrypted after running software cracks or key generators, which is a method the threat actors used in the past. As Magniber typically targets consumers, the ransom demands start at $1,000 and then increase to $5,000 if a Bitcoin payment is not made within three days. Unfortunately, there is no way to decrypt files encrypted by the current versions of Magniber for free. It is strongly advised to avoid software cracks and key generators, as it's not only illegal but also a common method used to distribute malware and ransomware. https://www.bleepingcomputer.com/news/security/surge-in-magniber-ransomware-attacks-impact-home-users-worldwide/