https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448428#M1383 <P>Same here. I have hits for at least the following sites,(likely more though), however the commonality seems to be the carousel plugin.<BR /><BR />As far as I can tell, this is not malicious traffic, rather a false positive match for C2 traffic.<BR /><BR />URLs:<BR />-&nbsp;www[.]toshibaaudio[.]com/wp-content/themes/porto/js/libs/owl.carousel.min.js?ver=2.3.4<BR /><SPAN>-&nbsp;www[.]thepartnership[.]org/wp-content/plugins/gyan-elements/assets/js/owl.carousel.min.js?ver=2.3.4</SPAN><BR />-&nbsp;uvc[.]org/wp-content/themes/startit/assets/js/modules/plugins/owl.carousel.min.js?ver=5.8.2<BR />-&nbsp;www[.]integralpartnersllc[.]com/wp-content/themes/integral-partners/js/owl_slider/owl.carousel.min.js?ver=1637146460</P> Thu, 18 Nov 2021 16:21:03 GMT MarshallC 2021-11-18T16:21:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448392#M1381 <P>Hi,</P><P>I am seeing a lot of traffic being identified as&nbsp;<SPAN>malware.azjf C2 traffic over the last couple of days since the last threat update. I have noticed a pattern that users are visiting Wordpress websites that use the owl carousel plugin and checking these sites on VT they come up clean so appears to be a false positive.</SPAN></P><P><SPAN>Is anyone else aware of this going on?</SPAN></P> Thu, 18 Nov 2021 13:13:17 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448392#M1381 MichaelWrigh 2021-11-18T13:13:17Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448417#M1382 <P>Hi,</P><P>I have came across one from 17 November 2021. Same here, it points to a WordPress site with a carousel plugin.</P><P>Here are the IOCs:</P><P>IP: 194.72.147.94 on port 443</P><P>urls:</P><UL><LI>brunepark[.]gfmat[.]org</LI><LI>brunepark[.]gfmat[.]org/wp-content/plugins/js_composer/assets/lib/owl-carousel2-dist/owl.carousel.min.js?ver=6.0.5</LI><LI>brunepark[.]gfmat[.]org/wp-content/themes/ed-school/assets/fonts/ed-icon.ttf?nj4a9z</LI></UL><P>&nbsp;</P> Thu, 18 Nov 2021 16:05:12 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448417#M1382 gkabacs 2021-11-18T16:05:12Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448428#M1383 <P>Same here. I have hits for at least the following sites,(likely more though), however the commonality seems to be the carousel plugin.<BR /><BR />As far as I can tell, this is not malicious traffic, rather a false positive match for C2 traffic.<BR /><BR />URLs:<BR />-&nbsp;www[.]toshibaaudio[.]com/wp-content/themes/porto/js/libs/owl.carousel.min.js?ver=2.3.4<BR /><SPAN>-&nbsp;www[.]thepartnership[.]org/wp-content/plugins/gyan-elements/assets/js/owl.carousel.min.js?ver=2.3.4</SPAN><BR />-&nbsp;uvc[.]org/wp-content/themes/startit/assets/js/modules/plugins/owl.carousel.min.js?ver=5.8.2<BR />-&nbsp;www[.]integralpartnersllc[.]com/wp-content/themes/integral-partners/js/owl_slider/owl.carousel.min.js?ver=1637146460</P> Thu, 18 Nov 2021 16:21:03 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448428#M1383 MarshallC 2021-11-18T16:21:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448591#M1384 <P>Palo Alto Networks confirmed that it was a False Positive. The signature "malware.azjf C2 traffic(446823108)" will be disabled in Anti-Virus version 3905.</P> Fri, 19 Nov 2021 01:32:58 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448591#M1384 ymiyashita 2021-11-19T01:32:58Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448609#M1385 <P>Hi ! can u let us know, where did you get this? the official quote pelase</P> Fri, 19 Nov 2021 07:57:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448609#M1385 CyberSOC.Support 2021-11-19T07:57:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448630#M1386 <P>I'm a Palo Alto Networks employee, so I can check the signature status. (I just updated my profile with a job title.)</P> Fri, 19 Nov 2021 09:26:10 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malware-azjf-c2-traffic/m-p/448630#M1386 ymiyashita 2021-11-19T09:26:10Z