Malware detected in update

Hello.

Our Anti-virus / XDR has flagged an update to R Studio on his computer as a security threat.

VirusTotal also has some scans reporting a risk:

Avira (no cloud): PHISH/KAB.Talu.rpasg
Cynet: Malicious (score: 99)
GData: PDF.Trojan.Agent.M4PVR1
Google: Detected
Ikarus: Trojan.PDF.Agent
WithSecure: Phishing.PHISH/KAB.Talu.rpasg

Has this been experienced by others? Here is the information concerning the reported malicious file:

Hostname: LAPxxxxxxxxxx

Host Ip: 192.168.1.90

OS Version: Windows 10 Enterprise x64 22H2

CynetEPS Version: 4.20.1.13727

Configuration Version: 638598531000000000

Incident detected on (Host Timezone): 2024-08-22T14:15:52.997

Incident detected on (UTC): 2024-08-22T18:15:52.997

Alert Name: Detection Engine - Malicious Binary - Infected File - File Dumped on the Disk

EPS Prevention: true

EPS Prevention Success: Success

Extra Info

Related Process Occurrence Id: 00000000-0000-0000-0000-000000000000

Process Cert Trust Result: -2146762496

Related Parent Process Occurrence Id: 5B5EA04C-BFF4-DA01-C41B-0000584DE9A8

Parent Cert Trust Result: -2146762496

Grandparent Cert Trust Result: -2146762496

Desired EPS Prevention: Rename File, Block Access

Actual EPS Prevention: Rename File, Block Access

Detection Time UTC: 2024-08-22 18:15:52

Detection Time Local: 2024-08-22 14:15:52

Detection Engine: Cynet AV

Infected file: C:\Users\xxxxxxx\AppData\Local\Temp\RtmpIROR1J\downloaded_packages\Rcpp_1.0.13.zip

Malware Type: phishing

Malware ID: PHISH/KAB.Talu.rpasg

Description: 0

ave version: 8.3.70.38

avpack version: 8.6.2.38

vdf version: 8.20.32.132

vdf date: 22.8.2024

Remediation Status: File C:\Users\xxxxxxx\AppData\Local\Temp\RtmpIROR1J\downloaded_packages\Rcpp_1.0.13.zip Renamed to .cynet extension

Infected file SHA256: FB3A389182A64F33BA484EB9ED0FB59EF0EC6619C5D7157EAEAFD5BA870C0A67

Parent Process Details

Process SHA256: 86D171F50C0E5C83CF327FD9507F3215793E3A9A41A1A61834957442D98D74EA

Process PID: 7108

Process Running User: cmq\jmorneau

Process Running User SID: S-1-5-21-1616904548-1971603713-444732941-3875

Process Path: c:\program files\rstudio\resources\app\bin\rsession-utf8.exe

Process Params: "C:/Program Files/RStudio/resources/app/bin/rsession-utf8.exe" --config-file none --program-mode desktop --www-port 16403 --launcher-token e63ca7e6

Process is signed: Not signed

Process CreationTime: 2024-08-22 14:15:42.236

Grandparent Process Details

Process SHA256: 22475A54D42403F45E22C604DD944CEF8278555A7DF70151078E331BF11CFD00

Process PID: 8804

Process Running User: cmq\xxxxxxxxxx

Process Running User SID: S-1-5-21-1616904548-1971603713-444732941-3875

Process Path: c:\program files\rstudio\rstudio.exe

Process Params: "C:\Program Files\RStudio\rstudio.exe"

Process is signed: Not signed

Process CreationTime: 2024-08-22 14:14:34.235

Incident received on: 2024-08-22T18:15:53.1+00:00

Incident received on (UTC): 2024-08-22T18:15:53.1Z

Thanks

Hello, that file is not part of RStudio.

It is the file of a binary R package, that can be obtained from many package mirrors. E.g. https://cran.r-project.org/bin/windows/contrib/4.4/Rcpp_1.0.13.zip.

Maybe your user knows where they got it from. E.g. which R version and which package mirror are they using?

As far as I can tell the SHA256 of the infected file does not match with the files available on the central CRAN mirror at https://cran.r-project.org

Thanks Gabor for the help.

I have advised my user.

Eric Garneau

Hello. I've gotten this same file quarantined as a virus after download.

It was downloaded through RStudio from cran.rstudio.com

trying URL 'https://cran.rstudio.com/bin/windows/contrib/4.4/Rcpp_1.0.13.zip'
Content type 'application/zip' length 2893382 bytes (2.8 MB)
downloaded 2.8 MB

Antivirus has quarantined it, so I can't get the SHA256 value.

Thank you for any help/assistance you can provide!

FWIW that file has a different SHA256 than the one reported originally:

❯ curl -LO https://cran.rstudio.com/bin/windows/contrib/4.4/Rcpp_1.0.13.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2825k  100 2825k    0     0   9.8M      0 --:--:-- --:--:-- --:--:--  9.8M

❯ shasum -a 256 Rcpp_1.0.13.zip
a6d4df732a01c2fed6ae074cb630571e15e1e770a909b8a265bd6f908b1b0bdb  Rcpp_1.0.13.zip

But that's not very surprising because CRAN rebuilds Windows binary packages frequently. E.g. this one was built on 2024-10-22:

      Rcpp_1.0.13.zip                                2024-10-22 14:53  2.8M  

(Cf. https://cran.rstudio.com/bin/windows/contrib/4.4/)

VirusTotal reports that the file is clean, according to 96 virus scanner tools:
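The check Gabor applies in both of his replies above (compare the hash of the quarantined file with what the mirror actually serves) can be scripted against the repository's own index: a CRAN binary repository publishes a PACKAGES file (DCF stanzas, one per package, each with an MD5sum field) next to the zip files. The script below is an added example, not code from the thread or from RStudio/CRAN; its PACKAGES stanza and the file bytes are constructed stand-ins (the MD5sum is the digest of those stand-in bytes, not of the real Rcpp_1.0.13.zip), and only the SHA256 from the EDR alert is taken from the thread.

```python
import hashlib
import re

# Constructed stand-in for a CRAN binary repo's PACKAGES index (DCF stanzas
# separated by blank lines). The MD5sum is the real digest of the stand-in
# bytes used below, not CRAN's value for the real package.
SAMPLE_PACKAGES = """\
Package: Rcpp
Version: 1.0.13
Depends: R (>= 3.5.0)
MD5sum: 900150983cd24fb0d6963f7d28e17f72
NeedsCompilation: yes
"""

# SHA256 of the quarantined file as reported by the EDR alert in the thread.
ALERT_SHA256 = "FB3A389182A64F33BA484EB9ED0FB59EF0EC6619C5D7157EAEAFD5BA870C0A67"

def parse_packages(text):
    """Parse DCF stanzas into {(package, version): {field: value}}."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue  # continuation line of the previous field; not needed here
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            index[(fields["Package"], fields["Version"])] = fields
    return index

def verify_download(data, index, package, version):
    """Return (ok, detail): ok only if the index lists this exact package
    version and its MD5sum equals the digest of the downloaded bytes."""
    entry = index.get((package, version))
    if entry is None or "MD5sum" not in entry:
        return False, "not in index: wrong repo snapshot, version or mirror?"
    got = hashlib.md5(data).hexdigest()
    return got == entry["MD5sum"].lower(), f"expected {entry['MD5sum']}, got {got}"

def matches_alert_hash(data):
    """Does the file on disk have the SHA256 the EDR alert reported?"""
    return hashlib.sha256(data).hexdigest().upper() == ALERT_SHA256

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    good = b"abc"  # constructed stand-in for the zip as served by the mirror
    print(verify_download(good, idx, "Rcpp", "1.0.13"), matches_alert_hash(good))
```

A mismatch against the index means the local file is not the artifact the mirror published for that package version (rebuilt binary, different mirror, or tampering), which is exactly the question the thread is trying to answer before trusting the antivirus verdict either way.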

Hi!
Thank you so much for checking on this.
Ann
