JS/Agent.QSM!tr
Analysis
JS/Agent.QSM!tr is a generic detection for a very small piece of JavaScript code that was found embedded in some XML files. The entire code essentially downloads a file from a given location and then executes it.
The malware uses rundll32 to launch an HTML application, with a command line similar to the one employed by the Poweliks malware:
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";
The download locations observed (partially redacted) were:
- hxxp://atelier-kref{Removed}.de/mllgkkei24?\
- hxxp://autoghinzan{Removed}.it/mllgkkei16?\
- hxxp://autobody.cciwes{Removed}.net/mllgkkei21?\
- hxxp://autoecole-jeanloui{Removed}.com/mllgkkei11?\
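The rundll32 abuse above (a javascript: URL that walks to mshtml.dll and calls RunHTMLApplication) is easy to spot in process-creation telemetry. The following is an added detection example, not code from Fortinet or from this page: it scans constructed sample events, and the event fields (pid, image, cmd) and the placeholder URL are assumptions.

```python
import re
from typing import Dict, List

# Case-insensitive patterns for the technique described above: rundll32 handed a
# "javascript:" URL instead of a DLL, and the mshtml RunHTMLApplication export.
JS_PROTOCOL = re.compile(r'javascript\s*:', re.IGNORECASE)
MSHTML_RUNHTA = re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.IGNORECASE)
RUNDLL32_IMAGE = re.compile(r'(^|[\\/])rundll32(\.exe)?$', re.IGNORECASE)

# Constructed sample process-creation events (not taken from real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
            'document.write("<placeholder-hta-body>")'},
    # Benign: rundll32 loading a real DLL export (Control Panel applet).
    {"pid": 4188, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # Benign: the string "javascript:" outside rundll32 should not fire.
    {"pid": 4201, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c echo javascript:void(0)"},
]


def rundll32_js_reasons(image: str, cmdline: str) -> List[str]:
    """Return the reasons a process creation matches the Poweliks-style
    rundll32 javascript: pattern; an empty list means no match."""
    reasons: List[str] = []
    if not RUNDLL32_IMAGE.search(image):
        return reasons
    if JS_PROTOCOL.search(cmdline):
        reasons.append("rundll32 invoked with a javascript: URL instead of a DLL")
    if MSHTML_RUNHTA.search(cmdline):
        reasons.append("mshtml,RunHTMLApplication export reached via path traversal")
    return reasons


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run the check over a list of events and return the hits with their reasons."""
    hits = []
    for ev in events:
        reasons = rundll32_js_reasons(ev["image"], ev["cmd"])
        if reasons:
            hits.append({"pid": ev["pid"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["pid"], "; ".join(hit["reasons"]))
```

Either reason alone is worth an alert; a legitimate rundll32 invocation names a DLL and an export, never a javascript: URL.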
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Availability |
|---|---|
| FortiGate | |
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2021-09-28 | 89.04190 | |