Web skimming malware not detected by Avast

Viruses and worms
1

Here are a couple of web skimming malware sample that’s not detected by Avast at the moment. I don’t have the sample, so I can only give VT link:

https://www.virustotal.com/gui/file/b397e7ad2d00dcef4cf4ba5df363684b1fefcc64c23ab110032a7b2ebb77ab4a
https://www.virustotal.com/gui/file/88e9d5eddd24546ab78ce8db1eb474a20b9694f52d4c7ad976fbfa683b7ce635

Full details about how it works can be found in this Microsoft blog post:
https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/

2

Thanks for reporting, abuse at normally whitelisted places may go under the radar or could be missed.

See where this abuse may stem from - https://www.abuseipdb.com/check/17.253.144.10
and also mentioned is this IP: https://www.abuseipdb.com/check/72.21.91.29

So abuse taking place at Apple Inc. and Verizon Business - whitelisted as such -
these same entities sometimes also provide cloud servers and mail services,
which are easily abused.

Pay special attention when trusting or distrusting these IPs.

polonus

3

Good find. But sadly no detection from Avast yet. They probably didn’t check out this thread :-\

4

Hi, you can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php

5

As I wrote in my post, I can’t, I don’t have the files. I sent Bitdefender only VT link for one of these samples, and they added detection. Malware analysts have access to premium VT accounts, which gives them the ability to download malware from VT. The same should apply to Avast’s malware analysts also, I assume. That’s why I shared the VT links here.

6

If you don’t have a sample at hand, report the VT-Link(s), should work.

7

You mean I should submit the VT link as malicious website here? Check the screenshot.

8

Yep.

9

Some associated 3rd party marketing solution may have endured a data breach of sorts over time,
which data may have been abused, resulting in such kind of malware.

An unrelated example: https://maltiverse.com/hostname/cs9.wac.phicdn.net

As some can be further classified as FP’s, one should wait for a genuine verdicht from avast team,
as they decide what their detection database will consist of.

Cloudbases may complicate matters here. Ad-tracking- & script-blocking may protect the end-user.

polonus