HTML/Small.A!tr
Analysis
HTML/Small.A!tr is a generic detection for a JS/HTML trojan.
Since this is a generic detection, malware detected as HTML/Small.A!tr may have varying behaviour.
Below are some of its observed characteristics and behaviours:
- Most samples covered by this detection contain an injected one-line piece of JavaScript that calls a function with a string parameter that changes from sample to sample.
  Some of these samples do not contain the code of the called function itself, which indicates that there may be associated scripts or components apart from the affected HTML hosts.
  It is also possible that the injected line is merely the byproduct of an attack on the affected servers.
- Until recently, most of the observed affected HTML sites appeared to belong to Chinese websites.
- Illustrations of affected HTML websites (screenshots not reproduced in this text):
  - Figure 1: Affected site.
  - Figure 2: Affected site.
  - Figure 3: Affected site.
  - Figure 4: Affected site.
- Following are some of the near/exact IOCs/file hashes associated with this detection:
  - MD5: 34433E66A478AEE0F3770C39735912B5 / SHA256: 6076c102c458a63e7cdb70b2cd575b086ad3684a5cc6d9da1c684678b45a95d9
  - MD5: D553E134EC89D4886B20682DEC90FCD3 / SHA256: 1ac38a5aa91d7157dd1455daefd226c7df5d776d061bfe1b7020a97cf32ff647
  - MD5: 775279D53599787A2096FE2F2CFAF500 / SHA256: f922d6a12f2b7f20629424bde43cdca6ce5c66e30e7c7b6f1d57f223dcb6d002
  - MD5: 7BD286E9826584039CB52C562E8681D8 / SHA256: 0540ba04754d62e9d050b964fc490f1f1ff9ed7e090292fdda662935ba7892ef
  - MD5: DCB46DD434709E546DF3ACFF2325A2EC / SHA256: 3f0af54fcf488c0c20f85e4625340d0a2c90a9ce23696e591b78bb9d6a6e2e50
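The two observations above (known file hashes, and an injected one-line script that calls a function the page itself never defines) can be turned into a simple triage scanner for HTML files pulled from a web server. The following Python is an added example written for this page; it is not Fortinet's detection logic or signature. The hash sets are copied verbatim from the IOC list on this page, the "single call to an undefined function" heuristic is my own approximation of the described behaviour, and the two HTML samples are constructed for the demonstration.

```python
"""Triage scanner for the HTML/Small.A!tr indicators described on this page.

Added example, not the vendor's signature. Assumptions:
  * IOC hashes are the ones listed on this page (copied verbatim).
  * The one-liner heuristic (a <script> body that is exactly one call
    name("string") where name is defined nowhere in the document) is
    a constructed approximation of the behaviour the analysis describes.
"""
import hashlib
import re

# IOC hashes copied from this page; MD5s lower-cased for comparison.
IOC_MD5 = {h.lower() for h in (
    "34433E66A478AEE0F3770C39735912B5",
    "D553E134EC89D4886B20682DEC90FCD3",
    "775279D53599787A2096FE2F2CFAF500",
    "7BD286E9826584039CB52C562E8681D8",
    "DCB46DD434709E546DF3ACFF2325A2EC",
)}
IOC_SHA256 = {
    "6076c102c458a63e7cdb70b2cd575b086ad3684a5cc6d9da1c684678b45a95d9",
    "1ac38a5aa91d7157dd1455daefd226c7df5d776d061bfe1b7020a97cf32ff647",
    "f922d6a12f2b7f20629424bde43cdca6ce5c66e30e7c7b6f1d57f223dcb6d002",
    "0540ba04754d62e9d050b964fc490f1f1ff9ed7e090292fdda662935ba7892ef",
    "3f0af54fcf488c0c20f85e4625340d0a2c90a9ce23696e591b78bb9d6a6e2e50",
}

# Inline <script> bodies (external src= scripts have an empty body and are skipped).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# A body that is exactly one call of the form  name("string");
ONE_LINER_RE = re.compile(
    r"^\s*([A-Za-z_$][\w$]*)\s*\(\s*(['\"])(.*?)\2\s*\)\s*;?\s*$", re.DOTALL)


def hash_matches(data: bytes) -> dict:
    """Hash the raw file bytes and compare against the page's IOC list."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {"md5": md5, "sha256": sha256,
            "ioc_match": md5 in IOC_MD5 or sha256 in IOC_SHA256}


def suspicious_one_liners(html: str) -> list:
    """Return (function_name, string_argument) for every inline script that is
    a single call to a function the document never defines."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        m = ONE_LINER_RE.match(body)
        if not m:
            continue
        name, _quote, arg = m.groups()
        # Treat `function name(` or `name = function` anywhere on the page
        # as a local definition; anything else is a call into absent code.
        defined = re.search(
            r"\bfunction\s+" + re.escape(name) + r"\s*\(" +
            r"|\b" + re.escape(name) + r"\s*=\s*function", html)
        if not defined:
            hits.append((name, arg))
    return hits


def scan_bytes(data: bytes) -> dict:
    """Combine both checks for one file's contents."""
    result = hash_matches(data)
    result["one_liners"] = suspicious_one_liners(
        data.decode("utf-8", errors="replace"))
    result["suspicious"] = result["ioc_match"] or bool(result["one_liners"])
    return result


# Constructed samples (not real infected pages).
SAMPLE_INJECTED = b"""<html><head><title>Constructed sample</title></head>
<body><p>hello</p>
<script>kx9("a7f3e1");</script>
</body></html>"""

SAMPLE_CLEAN = b"""<html><head>
<script>function init(s){document.title=s;}</script>
</head><body><script>init("Home");</script></body></html>"""

if __name__ == "__main__":
    for label, sample in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_bytes(sample))
```

Run it over a directory of exported HTML files with `scan_bytes(open(path, "rb").read())`; hash hits identify files that match the listed samples exactly, while the one-liner heuristic surfaces the variant-with-changed-string cases the hashes miss, at the cost of some false positives on pages that legitimately call a function loaded from an external script.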
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |