What's JS:Banker-AAV [Trj] detection in background.js

Installed an extension from the (official) Chrome Web Store and Avast detected (and blocked) a connection from the background.js file of that extension. In response, I immediately uninstalled the suspect extension.

Chrome Web Store: Blockless VPN with malicious background.js file.

I was assured that this was not a FP, but what can you advise?

See attached images.

Thanks for your assistance.

You already had an answer about it not being an FP: https://malwaretips.com/threads/chrome-extension-blockless-vpn-detected-blocked-by-avast.72565/

Good we have that link also here now.

polonus

I asked here to confirm, but it’s obvious you guys are of ZERO help. Pathetic for an “Official Support Forum”.

By the way, polonus, I was unsure if links were allowed to be posted.

We are not an official support team.
We are volunteers with relevant knowledge.

Polonus did confirm it is not a false positive.

By the way, polonus I was unsure if links were allowed to be posted.
Use the code button and insert link, then it will be unclickable

Suspicious file(s) can be uploaded and tested here > upload and test file background.js

www.virustotal.com / www.metadefender.com / www.jotti.org / www.virscan.org

Malicious background.js is what you get when you install an insecure Google Chrome browser extension (malicious behaviour).
See an analysis here: https://www.reasoncoresecurity.com/background.js-78be0bb8783fbc0b7da36650559237bc1b185e20.aspx

This is medium riskware. For more background reading on the subject of risky browser extensions, read here: https://www.google.nl/search?q=risky+Chrome+extension&oq=risky+Chrome+extension&aqs=chrome..69i57&sourceid=chrome&ie=UTF-8

This, among others, is loaded from that script:

-ads.okitspace.com/uploads/cover.js?id="

and a decent adblocker like uBlock Origin blocks this with a rule:

://ads.$~ads.colombiaonline.com|~ads.harvard.edu|~ads.msstate.edu|~ads.nc|~ads.route.cc|~ads.sk|~ads.socialtheater.com|~ads.toplayaffiliates.com|~ads.xtribeapp.com|~badassembly.com|~caravansforsale.co.uk|~fusac.fr|~memo2.nl|~reempresa.org|~seriouswheels.com

Filter resides in the list: EasyList

polonus (volunteer website security analyst and website error-hunter)
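
Added example, not part of the thread and not the extension's code: a small Node.js triage script that lists the URLs an extension script references, marks those that load remote JavaScript, and checks them against a simplified model of the `://ads.` rule quoted above. The sample source, the `http` scheme, the `api.example.test` URL, the initiator host and all function names are assumptions; the `~` entries are read as excluded initiating domains, as in Adblock Plus filter syntax.

```javascript
// Simplified model of the EasyList rule quoted above: a request is blocked when its
// URL contains "://ads." unless the initiating page is on a "~"-excluded domain.
const ADS_PATTERN = "://ads.";
// First three exclusions from the quoted rule; the rest are handled identically.
const EXCLUDED_INITIATORS = ["ads.colombiaonline.com", "ads.harvard.edu", "ads.msstate.edu"];

// Constructed sample, NOT the real background.js. Only the host and path of the
// first URL come from the thread; the scheme and surrounding code are assumed.
const SAMPLE_BACKGROUND_JS = `
  var s = document.createElement("script");
  s.src = "http://ads.okitspace.com/uploads/cover.js?id=" + extId;
  document.head.appendChild(s);
  fetch("https://api.example.test/config.json");
`;

// Collect every absolute http(s) URL that appears in the source text.
function extractUrls(source) {
  return source.match(/https?:\/\/[^\s"'`)]+/g) || [];
}

// True when the rule would block `url` requested by a page on `initiatorHost`.
function blockedByAdsRule(url, initiatorHost) {
  const excluded = EXCLUDED_INITIATORS.some(
    (d) => initiatorHost === d || initiatorHost.endsWith("." + d)
  );
  return !excluded && url.includes(ADS_PATTERN);
}

// Report each referenced URL: its host, whether it points at remote JavaScript,
// and whether the filter would stop it.
function auditScript(source, initiatorHost) {
  return extractUrls(source).map((url) => {
    const parsed = new URL(url);
    return {
      url,
      host: parsed.hostname,
      remoteScript: parsed.pathname.endsWith(".js"),
      blocked: blockedByAdsRule(url, initiatorHost),
    };
  });
}

// "extension-background.invalid" is a placeholder initiator host.
console.table(auditScript(SAMPLE_BACKGROUND_JS, "extension-background.invalid"));
```

A background script that pulls executable code from a remote host at run time is worth flagging on its own, whether or not a filter list happens to block the host.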

Hello.

This is an FP

https://www.virustotal.com/en/file/6e1ee3562fb19c12ee75b94e7911bbeb6dd7cce36bd5a9b9c9c05e96fc885399/analysis/1498000404/

Detection removed yesterday 14:42 CET.

File was moved to whitelisted.