Jump to content

*.trafficmanager.com - false positive


Recommended Posts

I have some clients that reported some subdomains of trafficmanager.com being blocked, I am not able to reproduce the issue because I don't have malwarebytes premium. 

This is one for example, the site https://affiliates.realdoll.com/ got blocked because the DNS is a CNAME of realldoll-com.trafficmanager.com

 

Quote

Detection Data
Detection Name:
Malicious Website
Action Taken:
Blocked
Category:
Website
Scanned At:
04/22/2021 8:10:16 AM
Reported At:
04/22/2021 8:10:17 AM
Process Name:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Type:
Outbound Connection
Endpoint:
ACIDT-01.Abyss.local
Domain:
realldoll-com.trafficmanager.com
Group Name:
Default Group
IP Address:
51.81.131.17
Port:
443


TrafficManager.com is a SaaS service for advertising networks, it may have happened in the past that some of our clients delivered ads with malware site using our subdomains, now we don't let them use subdomains of trafficmanager.com anymore, so there is no way trafficmanager.com can contain malicious content. 

 

Thank you

 

Link to post
Share on other sites
  • Staff

Hello FrancescoTim,

Thanks for bringing this to our attention. Can you review and remove the following paths as well please?

http://trafficmanager.com/storage/8958491964_file_1593030040.ps1
http://trafficmanager.com/storage/8958491964_file_1593030418.html
  1. https://www.virustotal.com/gui/url/0de536031a1a5642787ccce464cdbd1d6f7aec515f4e226a050c71d39e544267/detection
  2. https://www.virustotal.com/gui/url/9e33bc93c7ad6ba8038c13d746464564dd98e923cfd1eaa3a8d6614416e76816/detection

Thank you

Link to post
Share on other sites
9 minutes ago, thisisu said:

About this one: https://affiliates.realdoll.com. I  am not seeing a block here or any history of it being blocked.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/23/21
Protection Event Time: 7:43 PM
Log File: 05ec85e2-a496-11eb-a21f-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1273
Update Package Version: 1.0.39749
License: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Phishing
Domain: realldoll-com.trafficmanager.com
IP Address: 51.81.131.17
Port: 443
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

 

(end)

Link to post
Share on other sites
15 minutes ago, thisisu said:

http://trafficmanager.com/storage/8958491964_file_1593030040.ps1
http://trafficmanager.com/storage/8958491964_file_1593030418.html

 

 

Looks like something from the Iranian hacker group known as Helix Kitten (aka; APT34)

Link to post
Share on other sites
  • Staff
4 minutes ago, Porthos said:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/23/21
Protection Event Time: 7:43 PM
Log File: 05ec85e2-a496-11eb-a21f-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1273
Update Package Version: 1.0.39749
License: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Phishing
Domain: realldoll-com.trafficmanager.com
IP Address: 51.81.131.17
Port: 443
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

 

(end)

Thank you. I can remove the subdomain block on trafficmanager for now which should help until the other links are removed. Effect will take place in the next database update. @FrancescoTm

  • Thanks 1
Link to post
Share on other sites
7 hours ago, thisisu said:

Hello FrancescoTim,

Thanks for bringing this to our attention. Can you review and remove the following paths as well please?


http://trafficmanager.com/storage/8958491964_file_1593030040.ps1
http://trafficmanager.com/storage/8958491964_file_1593030418.html
  1. https://www.virustotal.com/gui/url/0de536031a1a5642787ccce464cdbd1d6f7aec515f4e226a050c71d39e544267/detection
  2. https://www.virustotal.com/gui/url/9e33bc93c7ad6ba8038c13d746464564dd98e923cfd1eaa3a8d6614416e76816/detection

Thank you

 

Thank you very much for letting me know. 

Those are files uploaded through our ticketing system, any html file in that directory already gives 403, I don't know why they were flagged, probably some old cache:

image.thumb.png.b7741a3916366603066bbb0fd8bcb282.png

 

However I have now permanently deleted them.

 

Thank you

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.