
URGENT Windows Defender reports Trojan:Win32/Skeeyah.B!rfn in heltec\esp32\tools\espota.exe

Open liamkennedy opened this issue 5 years ago • 4 comments

Following the installation instructions here (`git clone https://github.com/Heltec-Aaron-Lee/WiFi_Kit_series.git heltec`), my Windows Defender reported a trojan present in `C:\Users\username\OneDrive\Documents\Arduino\hardware\heltec\esp32\tools\espota.exe`.

What the heck?

I realize this may be a false positive. It was odd that this notification came seconds after beginning the git clone command above. Oddly, Windows Defender also pointed to espota.exe in other directories too (the generic esp32 hardware folder etc.).

liamkennedy, Dec 07 '18

I got a similar issue. In my case Trojan:Win32/Skeeyah.B!rfn was also sitting in \AppData\Local\Temp\WCS9E13.tmp.

kthordarson, Dec 10 '18

See malware detection from VirusTotal. Further analysis from Hybrid Analysis.

Although this looks suspicious, the network addresses it looks to be reaching out to are 87.236.156.136 and 93.184.221.240 which map to 2 CDN providers. It appears the .exe is a compiled python2.7 binary which may just be downloading files to your system for update - the 'ota' name, or "over the air" extension would match up with that analysis. @Heltec-Aaron-Lee can you please provide the source for this file?

ddrager, Dec 10 '18

The source is available in the general ESP32 repository.

https://github.com/espressif/arduino-esp32/blob/master/tools/espota.py

This looks suspicious: since the OTA tool is for a direct connection between the Arduino computer and the ESP32, it should not be accessing anything on the internet. Follow the main thread on the arduino-esp32 issue for updates as well:

https://github.com/espressif/arduino-esp32/issues/2163

xieliwei, Dec 11 '18
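A local triage check for the two claims made above (that espota.exe is a compiled Python 2.7 binary, and that its source is espota.py), written as an added example and not code from this thread or from the Heltec or Espressif projects: it hashes the file for a VirusTotal lookup and looks for the markers that PyInstaller and py2exe leave in a frozen executable, without running it. The sample bytes are constructed, and the PyInstaller cookie magic and `python27.dll` reference are the markers this example assumes.

```python
import hashlib
import re
import sys

# Cookie magic that PyInstaller's bootloader embeds in a frozen executable
# (assumed marker; the constructed sample below is built to contain it).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# py2exe keeps the frozen script in a resource named PYTHONSCRIPT (assumed marker).
PY2EXE_MARKER = b"PYTHONSCRIPT"
# A frozen CPython program references its runtime DLL by name, e.g. python27.dll.
PYTHON_DLL_RE = re.compile(rb"python(\d)(\d)\.dll", re.IGNORECASE)


def inspect_frozen_python(data: bytes) -> dict:
    """Fingerprint a suspected frozen-Python PE image without executing it."""
    dll = PYTHON_DLL_RE.search(data)
    version = f"{dll.group(1).decode()}.{dll.group(2).decode()}" if dll else None
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # paste into the VirusTotal search box
        "is_pe": data[:2] == b"MZ",                  # DOS/PE header magic
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "py2exe": PY2EXE_MARKER in data,
        "python_version": version,                   # expected "2.7" for espota.exe
    }


def inspect_file(path: str) -> dict:
    """Read a file from disk (e.g. <arduino>/hardware/heltec/esp32/tools/espota.exe)."""
    with open(path, "rb") as f:
        return inspect_frozen_python(f.read())


# Constructed stand-in for a PyInstaller-frozen Python 2.7 executable (not a real file).
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"python27.dll\x00" + b"\x00" * 16 + PYINSTALLER_MAGIC


if __name__ == "__main__":
    # Usage: python triage.py <path-to-espota.exe>; with no argument the sample is used.
    report = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_frozen_python(SAMPLE_EXE)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

A hit on the hash in VirusTotal plus a `pyinstaller`/`py2exe` marker and a `python_version` of 2.7 is consistent with the packaged espota.py described above; a binary with none of the markers is not the frozen script and deserves a closer look.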

24th Dec, 2 Trojans reported by Windows Defender

buccaneer-jak, Dec 25 '18