Opera Helper.app 67.0.3575.79 C2/Generic-A

Just got too many alerts from many devices:

What happened: Malicious connection detected: 'C2/Generic-A' at '/Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper' (Technical Support reference: 1071727604)

Path: /Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper

What was detected: C2/Generic-A

How severe it is: High

 

Can you please describe the situation? What should i do?

  • Got SDU results from a couple of machines:

    2ac71c07-b8ea-4404-5933-380aeefda8d7_2020-03-24-16-16-31.zip

    8bcabae0-074c-7418-b8b9-bf94efee20d0_2020-03-24-16-15-48.zip

    fd6c58e0-b8dd-142d-7ad5-34602c704091_2020-03-24-16-16-03.zip

    Alerts keep coming, please help!

  • Hi  

    The alert which you have received states that the C2 traffic from the endpoints has been blocked by your firewall. You should be able to check the number of machines which are creating this traffic. Check the logs on the firewall for where these endpoints are trying to connect, and you can block the IP from there.

    After that, you need to do the malware remediation on each and every machine to remove the exact component which is causing the issue.

    From the path, I am assuming that you are using Mac machines.
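The triage Jasmin describes (count the endpoints raising the alert, then check the firewall logs for where they are trying to connect) can be scripted. The following is an added example, not code from this thread or from any vendor tool. It parses constructed firewall log lines in an assumed `key=value` format (only the signature name `C2/Generic-A` and the Opera Helper path are taken from the thread; the hostnames, timestamps, destination IPs and the `Test/Unrelated-A` signature are made up), groups the blocked connections by destination IP and by process path, and lists the destinations reached from more than one machine as candidates to review.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value shape for this example.
# This is NOT the real log format of any firewall or endpoint product; only
# the Opera Helper path and the signature name come from the thread above.
SAMPLE_LOG = """\
2020-03-24T16:15:48Z host=mac-01 event=c2_blocked sig="C2/Generic-A" dst=203.0.113.10:443 proc="/Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper"
2020-03-24T16:16:03Z host=mac-02 event=c2_blocked sig="C2/Generic-A" dst=203.0.113.10:443 proc="/Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper"
2020-03-24T16:16:31Z host=mac-03 event=c2_blocked sig="C2/Generic-A" dst=203.0.113.10:443 proc="/Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper"
2020-03-24T16:17:02Z host=mac-01 event=c2_blocked sig="C2/Generic-A" dst=203.0.113.10:443 proc="/Applications/Opera (1).app/Contents/Frameworks/Opera Framework.framework/Versions/67.0.3575.79/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper"
2020-03-24T16:18:10Z host=mac-04 event=c2_blocked sig="Test/Unrelated-A" dst=198.51.100.7:8080 proc="/tmp/.x/updater"
"""

# One event per line; the process path is quoted because it contains spaces.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+'
    r'sig="(?P<sig>[^"]+)"\s+dst=(?P<dst>\S+)\s+proc="(?P<proc>[^"]+)"\s*$'
)


def parse_line(line):
    """Return one event as a dict, or None for lines that don't match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every well-formed line; silently skip anything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def dst_ip(dst):
    """Strip the port from 'ip:port' (IPv4 only in this constructed format)."""
    return dst.rsplit(":", 1)[0]


def summarize(events, signature):
    """Group blocked events for one signature by destination and by process path.

    Returns a dict with:
      hosts:                every endpoint that raised the detection
      hosts_by_destination: destination IP -> sorted endpoints that tried it
      hosts_by_process:     process path -> sorted endpoints running it
    """
    matching = [e for e in events
                if e["sig"] == signature and e["event"] == "c2_blocked"]
    by_dst = defaultdict(set)
    by_proc = defaultdict(set)
    for e in matching:
        by_dst[dst_ip(e["dst"])].add(e["host"])
        by_proc[e["proc"]].add(e["host"])
    return {
        "hosts": sorted({e["host"] for e in matching}),
        "hosts_by_destination": {d: sorted(h) for d, h in by_dst.items()},
        "hosts_by_process": {p: sorted(h) for p, h in by_proc.items()},
    }


def destinations_to_review(summary, min_hosts=2):
    """Destination IPs seen from at least min_hosts distinct endpoints.

    These are the candidates for a firewall block, but only after the vendor
    has confirmed the detection is genuine: in the thread above the same
    pattern turned out to be a false positive on the Opera Helper.
    """
    return sorted(ip for ip, hosts in summary["hosts_by_destination"].items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG), "C2/Generic-A")
    print(f"{len(s['hosts'])} endpoints raised C2/Generic-A: {s['hosts']}")
    for ip, hosts in s["hosts_by_destination"].items():
        print(f"  destination {ip}: {len(hosts)} endpoints")
    for proc, hosts in s["hosts_by_process"].items():
        print(f"  process {proc}: {len(hosts)} endpoints")
    print("review before blocking:", destinations_to_review(s))
```

The grouping is what makes the case for opening a vendor ticket rather than blocking outright: the same helper binary at the same version path on every affected machine, all reaching the same destination immediately after an update, is the shape a false positive on a legitimate update or telemetry endpoint takes. Blocking that IP would have disrupted Opera on every machine and done nothing about malware, which is why the thread ends with a labs confirmation rather than a firewall rule.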

  • In reply to Jasmin:

    This seems to be a false-positive recognition of traffic created by the Opera Helper on macOS systems.

    I started to get these notifications this afternoon on several machines.

  • In reply to Iakovos:

    Hi  

    If it looks like a false-positive, I'd request you to create a case here.

    I have also seen one case for the same issue with support. The support team will confirm whether it is a false-positive or not.

  • In reply to Iakovos:

    Looks like it is related to the Opera 67.0.3575.79 update, but I can't be 100% sure that it is a false positive.

  • In reply to Jasmin:

    Hi Jasmin,

    Thank you for the quick reply. Just used your link to create a case.

    Kind regards,

    Iakovos

  • In reply to Iakovos:

    Hello,

    I just checked the status of this, and the specific detection with Technical Support reference 1071727604 should no longer occur. If you are still receiving the detections, please let us know.

  • In reply to DianneY:

    Hi DianneY,

    Thank you for your help. I can confirm that the traffic of the Opera Helper is not recognised as malicious anymore. Tested this on different machines.

     

    Kind regards,

    Iakovos

  • In reply to Iakovos:

    Hi  

    Thank you for the confirmation.

  • In reply to Jasmin:

    Hi Jasmin, just want to clarify: is this now confirmed as a false positive?

    Thanks

  • In reply to YasminZ:

    Hi  

    Yes, our labs team has removed the detection, as it was a C2 false-positive alert.