Hot Take Malicious website escaping secure dns

[Kongo]

I cant download the file either. I get a russian notification that says "server error" or something like that.

 

[Parkinsond]

The update button leads to download a malware that's based on Node.js (the most popular JavaScript runtime environment).
ESET didn't block the malware download source site like Kaspersky, but the main malicious file was detected after extraction.
View attachment 293470

VirusTotal

VirusTotal

www.virustotal.com

I did not have the guts to try clicking on "update"; just checked if any security vendor or layer could flag the website as malicious, especially I looked like malicious.

 

[Parkinsond]

How did you manage to download the infected file? I thought the server that's hosting the malicious files was taken down.

That is true; I typed the web address of the link which is supposed to be lead to after clicking update (from @harlan4096 screenshot); it did not lead anything.

 

[Kongo]

I see what the reason was. NextDNS actually blocks the source of the malicious download via Ai and Threat Intelligence Feeds.

 

[Parkinsond]

Detected by Hawk Eye, just tried.

Nothing more satisfying for a solution engineer than seeing the solution work where many others fail.

View attachment 293471

Great job, @Trident , as usual

 

[Parkinsond]

I see what the reason was. NextDNS actually blocks the source of the malicious download via Ai and Threat Intelligence Feeds.

I did not find the chance to re-check after changing the DOH from AG to NextDNS, especially after finding out all major AV vendors did not flag.

 

[Divine_Barakah]

Just a quick update

I reopened the malicious link and I managed to download the file. It's a compressed file (installer.57-12-4-71.zip

Anyone willing to test it? Please let me know.

@Trident

 

[Divine_Barakah]

I uploaded the zip file to VT and it showed no detection

VirusTotal

VirusTotal

www.virustotal.com

 

[Trident]

I uploaded the zip file to VT and it showed no detection

VirusTotal

VirusTotal

www.virustotal.com

I am seeing many of these fake updaters lately, there were heuristics built in to the early versions of Orion Malware Cleaner, later on renamed that detected this activity.

The detection was Orion:AppImpersonator

 

[Divine_Barakah]

I am seeing many of these fake updaters lately, there were heuristics built in to the early versions of Orion Malware Cleaner, later on renamed that detected this activity.

I did not open the zip file and I did not even scan it with BD.

 

[Divergent]

My tools did not have an issue identifying this either. Who would of guessed AI to be so handy.

 

[Divine_Barakah]

I confirm that BD does not detect the file.

 

[Parkinsond]

I confirm that BD does not detect the file.

When checked earlier on VT, there was no single detection.

 

[LiberumVETO]

Avast wykrywa zagrożenie

 

[Divine_Barakah]

When checked earlier on VT, there was no single detection.

I just ran a manual scan.
And yes it is not detected by any vendor on VT.

 

[Parkinsond]

Avast wykrywa zagrożenie

Earlier was not detected by Avast on VT (signature); most probably behavioral detection.

 

[Trident]

Earlier was not detected by Avast on VT.

Yeah, but Avast when installed has more cards up their sleeve compared to the VT Avast. Furthermore, it is able to track the context.

 

[Divine_Barakah]

It seems BD submission form is broken. I uploaded the .zip file and when I clicked submit, nothing happened.

 

[Trident]

It seems BD submission form is broken. I uploaded the .zip file and when I clicked submit, nothing happened.

The plot thickens more and more…

 

[LiberumVETO]

on VT based on signatures. Other mechanisms intercept the threat