Google Drive Malware

Hello,

Has anyone received this particular link?

The email read:

I have made some edits. Please check.

https://drive.google.com/uc?id=1tQOt65EHLjivrepX629Xqd1Mw2y-fdk0&export=download

Password for archive: 7777

Upon downloading, I received this notice from BitDefender:

We identified a threat that needs to be manually deleted.

Threat name: JS:Trojan.Cryxos.3257

Path: /private/var/folders/1b/4ds6nfy545l1jl1mqtl71nzh0000gn/T/TemporaryItems/StuffItLocal20200504_190321_9C8E9BF3-6DD0-42F8-BAEF-F0B94EC75E3C/view_attach_w7i.js=>(INFECTED_JS)

I did a little research on the web, which turned up some discussions of this possibly being a false positive.

Answers

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    Hi there,

    As checked, the sample is a JavaScript trojan dropper. I guess you might be checking the sample on VT only, which shows the detection as JS:Trojan.Cryxos.3266 under all AV vendors, basically because that detection was created by Bitdefender and the other vendors showing the same detection use Bitdefender's signature-based detection.

    The sample is malicious and the detection holds true. On the contrary, even ESET detects the sample as malicious, though it is not shown on VirusTotal, because sometimes VirusTotal uses a different engine which might be old or outdated compared to the original engine in the vendor's product.

    ESET detects the sample as JS/TrojanDropper.Agent.NYU

    Here is how JavaScript malware works:

    Users typically encounter these files in one of the following scenarios:

    • When browsing a legitimate website that has been compromised to host harmful files
    • When redirected by another threat to a malicious or fake website that hosts the harmful files
    • As a file attached to a spam or targeted email

    When the file is launched, it will silently contact a remote server, then download and save additional harmful files onto the device. It can then run the downloaded files.

    Some variants will also exploit vulnerabilities in the device to perform the file downloads.

    I hope I was able to solve your issue. Further, I have submitted the sample hash to malware researchers again to verify the sample.

    Regards

    Flex

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)
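An added triage helper (my own example, not code from this thread or from Bitdefender) that flags the combination of lure traits described above: a Google Drive direct-download link, an archive password given in the email body, and a script file inside the archive. The sample email, the file id placeholder, the archive listing and the extension list beyond .js are constructed assumptions, not the original message.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for the lure described in the thread (not the real message or file).
SAMPLE_EMAIL = """I have made some edits. Please check.
https://drive.google.com/uc?id=EXAMPLE_FILE_ID_PLACEHOLDER&export=download
Password for archive: 7777"""
SAMPLE_ARCHIVE_LISTING = ["view_attach_w7i.js"]  # member names of the downloaded archive

# Extensions that execute as a script when opened; the thread mentions only .js,
# the rest is an assumed list of common Windows Script Host / HTA extensions.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
URL_RE = re.compile(r"https?://\S+")
ARCHIVE_PASSWORD_RE = re.compile(r"password\s+for\s+(?:the\s+)?archive\s*[:=]\s*\S+", re.I)

def drive_direct_download_ids(text):
    """File ids from Drive links that skip the preview page (uc?...&export=download)."""
    ids = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.netloc != "drive.google.com" or parsed.path != "/uc":
            continue
        query = parse_qs(parsed.query)
        if query.get("export") == ["download"] and "id" in query:
            ids.append(query["id"][0])
    return ids

def script_files(names):
    """Archive members whose extension makes them run as code when double-clicked."""
    return [n for n in names if os.path.splitext(n.lower())[1] in SCRIPT_EXTENSIONS]

def triage(email_text, archive_listing):
    """Combine the indicators into a verdict a mailbox owner or analyst can act on."""
    indicators = []
    drive_ids = drive_direct_download_ids(email_text)
    if drive_ids:
        indicators.append("direct_download_link")
    if ARCHIVE_PASSWORD_RE.search(email_text):
        indicators.append("archive_password_in_body")  # password blocks gateway AV scanning
    scripts = script_files(archive_listing)
    if scripts:
        indicators.append("script_in_archive")
    if scripts or len(indicators) >= 2:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "none"
    return {"verdict": verdict, "indicators": indicators, "drive_ids": drive_ids, "scripts": scripts}
```

Running `triage(SAMPLE_EMAIL, SAMPLE_ARCHIVE_LISTING)` on the constructed sample returns a "quarantine" verdict with all three indicators set.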

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    If this helps, kindly click on agree; the rest I will update as soon as I hear back from the Malware Research team.

    Regards,

    Flex

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Thanks for the guidance, Flex.

    This email came to me as an owner on the Groups.io web site. It was a reply to an email blast announcing that our group was moving from Yahoo to Groups.io. The user was a legitimate member. I have since reached out to that user as well as two other colleagues listed on the site. One was returned with an "email does not exist" reply and the other two are still pending.

    Peter

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    Well, sometimes it does happen that scripts are injected into a website, which can make it malicious, but as of now the website seems clean.

    Attached are the images from ESET, and now even Kaspersky is detecting the same sample as malicious. It is good that you let the sender know that the email they sent contains malicious ******.

    [Image: ESET detection]

    [Image: Kaspersky detection]

    If this helps, kindly click on agree.

    Regards

    Flex

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Flex,

    I did let them know.

    Hopefully they will confirm receipt of my warning and take action.

    Thank you again.

    Peter