Google Drive Malware

pkeenan

Hello,

Has anyone received this particular link?

https://drive.google.com/uc?id=1tQOt65EHLjivrepX629Xqd1Mw2y-fdk0&export=download

The email read:

I have made some edits. Please check.

https://drive.google.com/uc?id=1tQOt65EHLjivrepX629Xqd1Mw2y-fdk0&export=download

Password for archive: 7777

Upon downloading, I received this notice from BitDefender:

We identified a threat that needs to be manually deleted.

Threat name: JS:Trojan.Cryxos.3257

Path: /private/var/folders/1b/4ds6nfy545l1jl1mqtl71nzh0000gn/T/TemporaryItems/StuffItLocal20200504_190321_9C8E9BF3-6DD0-42F8-BAEF-F0B94EC75E3C/view_attach_w7i.js=>(INFECTED_JS)

I did a little research on www which turned up some discussions of this possibly being a false positive.

Find more posts tagged with

malware false positive

Accepted answers

All comments

Flexx

Hi there,

As checked the sample is a javascript trojan dropper. I guess you might be checking the sample on vt only which shows detection as JS:Trojan.Cryxos.3266 under all av vendors basically because that detection was created by Bitdefender and other vendors showing the same detection use bitdefender signature based detection.

The sample is malicious and detection holds true. On contrary even Eset detects the samples as malicious though it is not shown on virustotal because sometimes virustotal uses different engine which might be old or outdated when compared to original engine in vendors product.

Eset detects the sample as JS/TrojanDropper.Agent.NYU

Here is how javascript malware works

Users typically encounter these files in one of the following scenarios:

When browsing a legitimate website that has been compromised to host harmful files
When redirected by another threat to a malicious or fake website that hosts the harmful files
As a file attached to a spam or targeted email

When the file is launched, it will silently contact a remote server, then download and save additional harmful files onto the device. It can then run the downloaded files.

Some variants will also exploit vulnerabilities in the device to perform the file downloads.

I hope I was able to solve your issue. Further I have again submitted the sample hash to malware researchers to verify the sample again.

Regards

Flex

Flexx

If this helps, kindly click on agree, rest I will update as soon as I hear back from Malware research team.

Regards Flex

pkeenan

Thanks for the guidance Flex.

This email came to me as an owner on the Groups.io web site. It was a reply to an email blast that our group was moving from Yahoo to Groups.io. The user was a legitimate member. I have since reached out to that user as well as two other colleagues listed on the site. One was returned as a "email does not exist" reply and the other two are still pending.

Peter

Flexx

Well sometimes it does happens that scripts are injected into website which can make them malicious, but as of now website seems clean.

Attached are the image from Eset & now even Kaspersky detecting the same sample as malicious. It is good that you should let the sender know that the email that they have send contains malicious ******.

ESET DETECTION

KASPERSKY DETECTION

If this helps, kindly click on agree.

Regards

Flex

pkeenan

Flex,

I did let them know.

Hopefully they will confirm receipt of my warning and take action.

Thank you again.

Peter