Topic: 54 instances of TROJ_CRYPCTB.NSA detected here?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
54 instances of TROJ_CRYPCTB.NSA detected here?
« on: March 28, 2017, 03:15:43 PM »
See: http://urlquery.net/report.php?id=1490704902278
 
Threat Name: Infostealer.Limitail
Location: -https://hacmint.com/cgi_bin/Invoice-Report.zip

Magento not updated, listed here: https://sitecheck.sucuri.net/results/hacmint.com
Update to: recommended version 1.9.2.4 or 2.0.7
Several issues not being patched: https://www.magereport.com/scan/?s=https://hacmint.com/
Two issues: https://sritest.io/#report/e54ed076-1d76-48a3-b3ca-0ee2f85b9d43

Vulnerable jQuery library to be retired: http://retire.insecurity.today/#!/scan/2d58d47ef3c2fef15d649f91f4725338f6e2177635f49f32d4aaf5409297e5ee

F-F-status: https://observatory.mozilla.org/analyze.html?host=hacmint.com

-/skin/frontend/default/theme224k/js/scripts.js
Severity:   Potentially Suspicious
Reason:   Detected procedure that is commonly used in suspicious activity.
Details:   Too low entropy detected in string [['.input-box select, .input-box input, input.qty, .data-table textarea, .input-box textarea, .advanced']] of length 126 which may point to obfuscation or shellcode.

Consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fhacmint.com%2Fskin%2Ffrontend%2Fdefault%2Ftheme224k%2Fjs%2Fscripts.js
overflowing code to  -http://dev.techsoup.nl/sites/all/modules/jquery_update/compat.js for instance...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: 54 instances of TROJ_CRYPCTB.NSA detected here?
« Reply #2 on: May 28, 2017, 12:08:34 AM »
Threat Name: Infostealer.Limitail
Location: htxps://hacmint.com/cgi_bin/Invoice-Report.zip
Domain Name: hacmint dot com
Certificate Name: hacmint dot com
EV: —
Security Certificate's Authentic Fingerprint: B5:7D:FB:E6:B9:8A:99:7A:05:6B:EB:A4:E6:CA:E7:C6:64:98:A9:88

Seems persistent, see here: http://urlquery.net/report.php?id=1495919871071
See: -https://urlscan.io/result/a0ae7023-48ed-4fee-83de-ba192cd86cde/dom/
See: https://www.virustotal.com/pl/url/1e69fb6b1ec56febc32edca93dfac5bbf08c303e5b65d43cd3efda58ee94413f/analysis/1495921958/

Web application version:
Magento version detected: 1.9.0.1
Magento not updated. We recommend version 1.9.2.4 or 2.0.7 -> https://www.magereport.com/scan/?s=https://hacmint.com/

96 blacklisted links: https://quttera.com/detailed_report/www.hacmint.com

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: May 28, 2017, 12:54:13 AM by polonus »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: 54 instances of TROJ_CRYPCTB.NSA detected here?
« Reply #3 on: May 29, 2017, 05:19:12 AM »
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801