Author Topic: Just one engine to detect this emotet malware laden blogsite...  (Read 295 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Just one engine to detect this emotet malware laden blogsite...
« on: September 17, 2020, 02:03:50 PM »
Re: https://urlhaus.abuse.ch/url/544840/
For the moment only detected by Spamhaus: https://www.virustotal.com/gui/url/1f6aa13c5a5cc9f3a4c3aa234a4c967f40a0f2324c877f9fc41abb987f2279f9/detection

Wrong Word Press setting, User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   admin   Manzoor The Trainer
ID: 2   not found   
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

2 vulnerable jQuery libraries detected: https://retire.insecurity.today/#!/scan/dd781fbdb5bb4a5b479b47d8522a9721b65c8e942ac302d49116b25758ebf210

F-grade here: https://observatory.mozilla.org/analyze/blog.manzoorthetrainer.com

Sucuri detecs the malware: https://sitecheck.sucuri.net/results/blog.manzoorthetrainer.com
Site has been hacked to send spam...read:
https://success.trendmicro.com/solution/1118391-malware-awareness-emotet-resurgence

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Just one engine to detect this emotet malware laden blogsite...
« Reply #1 on: September 17, 2020, 04:49:15 PM »
Just a website infested in a similar way with emotet: https://urlhaus.abuse.ch/url/545677/

Already been blacklisted here: https://sitecheck.sucuri.net/results/qutiche.cn/wp-admin/Pages/HqElwOtyTD2GJ2G/
as categorized by: Forcepoint ThreatSeeker   under compromised websites
sophos asmalware repository, spyware and malware

10 engines to flag: https://www.virustotal.com/gui/url/ee8600033831a287ea58aa4d1e6c5e3943584321a89c619ce4413ed3c285c434/detection

WP issues: WordPress Version 5.4.2 ; Version does not appear to be lates

Strange results: DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

Externally Linked Host   Hosting / Company Netblock   Country   
     -cn.wordpress.org   SINGLEHOP-LLC   

Alibaba abuse: https://www.shodan.io/host/39.106.129.233

On IP source: hxtp://39.106.129.233/  = blocked by HTTPS Everywhere...no interesting sites there according to VT:
https://www.virustotal.com/gui/ip-address/39.106.129.233/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Just one engine to detect this emotet malware laden blogsite...
« Reply #2 on: September 17, 2020, 05:03:02 PM »
In this URL scan the malware was completely missed:
Quote
1. URL: htxp://qutiche.cn/wp-admin/Pages/HqElwOtyTD2GJ2G/
  Server response code and content type: 200, application/msword
  Elapsed time: 2531.52ms
  Dr.Web not recommended websites database: Clean
  Size: 205075
  MD5: fab7cf5e8315d0198b8f3ca906d4d713
  Scan time: 47.48ms
  Scan result: clean
  Full Dr.Web scan report: *

2020-09-17 17:58:01
  (Source is the free Dr Web online check - check URL in the browser)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!