We manage firewalls for a number of client sites and, in the past few months, we have seen a pretty sharp rise in traffic to the URL cs.ffbtas.com. The traffic gets blocked, and when we dig into it online it looks like the site is pretty regularly flagged as a malware site. When we investigate it in a sandbox environment it looks like it’s just a dead link, but the parent URL (ffbtas.com) is redirecting to other sites (currently https://tronkl8u.z13.web.core.windows.net/), which gets flagged by VirusTotal as phishing.

Anyway, just wondering if anyone else is seeing this and may have some more info on what it is. More curiosity than anything at this point.

1 Spice up

From what I see, you’re not the only one. A quick Google search showed that Reddit thread (seems to be BitDefender, although I’m not sure what you’re using): Reddit - Dive into anything

Which ultimately contained that link about that exact URL: Automated Malware Analysis Report for http://cs.ffbtas.com - Generated by Joe Sandbox

Mostly it’s saying “Rogue Software type: Phishing and Social Engineering”. I’d steer clear of that URL and try to simply block it with a group of dedicated test users / machines. If the test people can perform their daily tasks without interference, I’d deploy a company-wide block.

Happy hunting ! :smiley:

1 Spice up

@jpcouillard Thanks for the response, and that was kind of the rabbit hole that I was running down myself. We’re seeing it across a couple of layers (perimeter firewalls and endpoint protection) and it’s getting blocked organically by both, but we’ve since blacklisted the domain on both just in case they find a way to wiggle past it. My concern, though, was that there was something legitimate about it that we end up breaking by blacklisting it. I can’t imagine what, considering the lack of any kind of information suggesting that it’s legitimate, but I figured if anyone knew, they’d be hanging out here :slight_smile:

1 Spice up

It was a code server for embedded JS in page ads; it seems maybe one of the targets is compromised a bit more than that now.
Most of the flagging people are seeing is because it has an expired SSL certificate, but there is something nastier somewhere hiding… (The base domain is just a redirector DNS server.)

All you are losing by blocking it is some annoying advertisements… block away…

1 Spice up