uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0
4.04k stars 759 forks

Compromised websites #24211

Closed ghost closed 3 months ago

ghost commented 3 months ago

Prerequisites

URL(s) where the issue occurs.

margopassadorestylist.com
agisakis.gr
agyria.gr
alzo.gr
anasathalassas.gr
diathermiki.gr
alpha1047.gr

Description

These websites are compromised by PIKABOT and other types of malware

Other extensions used

none

Screenshot(s)


Configuration

JobcenterTycoon commented 3 months ago

What do you mean by compromised? Are there any malware payloads? Malicious subdomains?

I saw https://www.gdatasoftware.com/blog/how-malware-gets-a-free-pass (margopassadorestylist.com) but it's 4 years old and obsolete. The payload is down. https://urlhaus.abuse.ch/url/2728239/ (agisakis.gr) is also down and obsolete.

ghost commented 3 months ago

Payloads, yes. Most are Pikabot, while others are Darkgate, AgentTesla etc. Okay, if some websites' payloads are down, there is no need to add them. Here are some more (but recent) domains I found:

pronethellas.com
eurotravel.com.gr
anastasiadisbros.gr
static062038222098.dsl.hol.gr
transference.gr
inled.gr
mavrosdrive.gr
andronikidis.gr
karaoulas.gr
alexboatsrental.com
iamnotice.com

JobcenterTycoon commented 3 months ago

Why don't you add active payloads to https://urlhaus.abuse.ch/ ? Please check if there is a thread active and don't just collect random domains from the internet or other databases. We can't check hundreds of payloads, URLhaus can. This is why uBO added the URLhaus filterlist: 0 false positives, auto removal of obsolete entries and automation.

Also please post a way to reproduce like: "You can find the malware by opening X and clicking on the button Y" or "Here is the malicious URL: https://example.com/spamredirect.html" or "There is a spam campaign active, see this post on social media X with examples" (maybe it can be covered up with a regex)

ghost commented 3 months ago

Some of these are from URLHaus, while others are from other threat intelligence services like HaGeZi TIF.

I will try to report them more efficiently from now on. Sorry for bothering you each time.

I have a small question, though. Does uBlock Origin include all websites from the URLHaus database? I am aware there is a filter in uBO associated with URLHaus, but I think it only includes a small portion of the database. And is it enabled by default?

JobcenterTycoon commented 3 months ago

uBlock Origin has the lite version enabled by default (lite = only active payloads). This is how it works:

  1. A user adds a payload to URLhaus.
  2. The payload gets checked (to prevent false positives and violations of their Submission Policy) and after this the URL is added to the official list. The list can be viewed on https://urlhaus.abuse.ch/browse/
  3. Payloads with the "Online" status will be included in the filterlist. Old entries with the "Offline" status will be removed.
  4. The filterlist will be updated like other filterlists.
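The "online only" step above is easy to see in code. The script below is an added example, not code from uAssets, uBlock Origin or URLhaus: it takes rows shaped like the public URLhaus CSV export (assumed column order `id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter`, with `#`-prefixed header lines), keeps only entries whose `url_status` is `online`, and renders the remaining hostnames as `||host^` network filters. The host-level filter form is a choice made for this example, not a claim about how the real list is built, and the sample rows are constructed with reserved example domains rather than real malware URLs.

```python
"""Keep only 'online' entries from a URLhaus-style CSV and emit uBO filters.

Added example (not code from uAssets or URLhaus). Column layout is assumed to
match the public URLhaus CSV export; sample rows are constructed.
"""
import csv
from urllib.parse import urlsplit

# Constructed sample shaped like the URLhaus CSV export (comment/header lines start with '#').
SAMPLE_CSV = """\
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2024-01-02 03:04:05","http://malware.example/payload.exe","online","2024-01-03 01:00:00","malware_download","exe,Pikabot","https://urlhaus.abuse.ch/url/1/","reporter_a"
"2","2023-11-20 10:00:00","http://old.example.net/drop.zip","offline","2023-11-21 10:00:00","malware_download","zip","https://urlhaus.abuse.ch/url/2/","reporter_b"
"3","2024-01-05 08:00:00","https://cdn.example.org:8443/loader.js","online","2024-01-05 09:00:00","malware_download","js,DarkGate","https://urlhaus.abuse.ch/url/3/","reporter_c"
"4","2024-01-06 08:00:00","http://malware.example/second.exe","online","2024-01-06 09:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/4/","reporter_a"
"""

# Assumed column order of the URLhaus CSV export.
FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]


def parse_urlhaus_csv(text):
    """Yield one dict per data row, skipping blank and '#' comment/header lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    # csv handles the quoted fields, including tags that contain commas.
    for rec in csv.DictReader(rows, fieldnames=FIELDS):
        yield rec


def online_hosts(text):
    """Return the sorted, de-duplicated hostnames of entries still marked 'online'.

    Offline entries are dropped, mirroring the lite list's "Online only" rule;
    a host is kept once even if several of its URLs are listed.
    """
    hosts = set()
    for rec in parse_urlhaus_csv(text):
        if rec["url_status"].strip().lower() != "online":
            continue
        host = urlsplit(rec["url"].strip()).hostname  # strips scheme, port and path
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def to_ubo_filters(hosts):
    """Render hostnames as uBlock Origin network filters of the form '||host^'."""
    return ["||%s^" % h for h in hosts]


if __name__ == "__main__":
    for line in to_ubo_filters(online_hosts(SAMPLE_CSV)):
        print(line)
```

Running it on the constructed sample prints two filters: the offline `old.example.net` row is dropped, and the two `malware.example` rows collapse into a single `||malware.example^` entry. Pointing `parse_urlhaus_csv` at a real export would re-run the same filtering on the live data, which is the part of the process that keeps the lite list free of obsolete entries.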