Hello,
Here's a stealer JavaScript injected into a website to steal users' information. It is embedded in an HTML file.
The script is loaded on this website: "nocturnamodels(.)com/en/"
But it won't be injected just by visiting this page.
To reproduce the detection, visit the website, add an item to the cart and then click on proceed to checkout. When it is clicked, a script is injected into the webpage which is malicious. The script is in the HTML named "pedido". Avast at the moment does not detect it.
I'm attaching a screenshot. The last line in the file shown here is the obfuscated malicious code.
Here's a VirusTotal link of the HTML. It's already detected by many other AV products. I also tested in a VM, and Bitdefender, ESET and Kaspersky are able to successfully block it.
https://www.virustotal.com/gui/file/94ae09df47afcb74072e5f302401d5f7b31c15685a779904fea4ac7a460efa44/detection
The script may vary slightly each time, so the hash may not always be the same. So a hash-based detection will not be recommended, I think.
The script is obfuscated. Create a heuristic detection for it if possible to detect similar scripts in the future.
It has to be detected in the browser. It only works at the browser level. Any personal information like credit card info put on the page will get stolen by the attacker. An Avast analyst needs to reproduce the issue on their end like I explained above and take proper measures to block it.
You can find more details about this here on the ESET forum:
https://forum.eset.com/topic/36242-jsspybankeriv-trojan/
Note:
If any Avast employees or mods have quicker access to the analysts, then please send this to them quickly to protect potential victims using Avast. I already submitted this twice to Avast. The first time I sent the JavaScript I extracted from the HTML file, along with a de-obfuscated version of the script. Avast added file-based detection for them. Another time I sent the HTML file which has the script embedded in it and got a reply that a detection has been added, but in reality there is no detection. So maybe they misunderstood what I explained.
So I'm sharing here in detail so that it's easier to understand, since Avast still does not detect it.
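
The point above about hash-based versus heuristic detection, as an added example that is not part of the original post and not any vendor's detection logic: two constructed, inert pages differ only in identifier names, so their SHA-256 hashes differ, while a structural check on the inline script flags both. The trait names, thresholds and sample pages are assumptions made for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

ESC = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")   # escaped string bytes
HEXID = re.compile(r"\b_0x[0-9a-f]{3,}\b")                 # obfuscator-style names
SINK = re.compile(r"\b(?:eval|atob|unescape|Function)\s*\(|fromCharCode")

class InlineScripts(HTMLParser):
    """Collect bodies of inline <script> elements (those without src)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def features(js):
    """Structural traits; every threshold here is an assumed starting point."""
    longest = max((len(line) for line in js.splitlines()), default=0)
    return {"long_line": longest > 300,
            "escape_dense": len(ESC.findall(js)) >= 20,
            "hex_idents": len(HEXID.findall(js)) >= 5,
            "dynamic_eval": bool(SINK.search(js))}

def scan(html, threshold=3):
    """Return the matched trait names for each inline script that is flagged."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    found = [features(js) for js in parser.scripts]
    return [sorted(k for k, v in f.items() if v) for f in found
            if sum(f.values()) >= threshold]

def make_variant(seed):
    """Constructed, inert stand-in: one long line of hex-named escaped strings."""
    parts = [f"var _0x{seed + i:04x}=['\\x61\\x62\\x63\\x64'+'{i}']" for i in range(40)]
    body = ";".join(parts) + ";eval(atob('MQ=='))"
    return f"<html><body><form id='checkout'></form>\n<script>{body}</script></body></html>"

BENIGN = "<html><body><script>console.log('order placed');</script></body></html>"

if __name__ == "__main__":
    for page in (make_variant(0x1000), make_variant(0x2000), BENIGN):
        print(hashlib.sha256(page.encode()).hexdigest()[:16], scan(page))
```

Requiring three of the four traits keeps a single `eval` call or one minified line from triggering a flag on its own.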