MasterRegexes.txt
## Regular expressions master list created from public sources.
############################# WARNING!!!! ####################################
## Do not edit this file, use CustomRegexes.txt for your own regexes instead
## or else your changes will be lost.
##############################################################################
## To report false positives, or contribute: https://github.com/malwareinfosec/EKFiddle
## Last updated: 2024-03-22
## Social engineering (malware)
SourceCode SocGholish (injected site) src=\w{2}\('\w{11}\:\w\/\w\/ https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/
SourceCode SocGholish (injected site obfu) %2F&format=xml"\s\/>\n{2}<script>\(function\(\)\{\(?function
SourceCode SocGholish (injected site new format) (window,document,'script','|async\ssrc=")http(s|):\/\/(?!www)[^.]([a-z0-9]+\.){2}[a-z]{2,10}\/[\w\/\+]{43}=
SourceCode SocGholish (injected site hex) \["\\x73\\x63\\x72\\x69\\x70\\x74","\\x68 *AND* \\x61\\x73\\x79\\x6E\\x63
SourceCode TDS injection \w{8}\.src\s= *AND* \.org\/\w{8}";
URI SocGholish ^http(s|):\/\/(?!www)[^.]([a-z]+\.(?!google)){2}[a-z]{2,10}\/(?![a-z]{5}\/)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*(=|\+))(?!.*(\-|_|\.|%|\?|@|[a-z]{6}|[0-9]{6}|aHR0cHM|api|app)).{40,140}=
URI GootLoader (payload) \/forum\.php\?[a-z]{3,15}=[a-z]{3,15}&[a-z]{3,20}=(?=.*[0-9])\w{50,200}&
URI sczriptzzbn (Campaign) friscomusicgroup.com|xim.avistapp.co
SourceCode Gootloader (hacked site) document\[\w{3,15}\[3\]\]=document\[\w{3,15}\[6\]\]\(\w{3,15}\[13\]\); https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/
SourceCode sczriptzzbn sczriptzzbn.src\s=\s'https|page\-chrome\-title">You\sare\susing\san\solder\sversion\sof\sBrowser https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
SourceCode Parrot TDS (NDSW) \(nds(w|j)===undefined\) https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
SourceCode Parrot TDS (NDSW) new \((typeof )?nds[wj]==="?undefined"?\)
SourceCode Parrot TDS (NDSW) redirect var\sndsx\s=\strue.*script
SourceCode Parrot TDS (NDSW) cookie var\sndsx\s=\strue.*cookie
SourceCode FakeSG/RogueRaticate (compromised site) f=1135333 *AND* vhe;>heha https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat
SourceCode FakeSG/RogueRaticate (payload) \).url' *AND* setTimeout *AND* atob\(
SourceCode SmartApeSG (injection) \/cdn\-vs\/get.php"><\/script>
SourceCode SmartApeSG (iframe) w.php\?reqtime= *AND* sAyOE
SourceCode SmartApeSG "\.zip"==[a-z]\.substr\(\-4\) *AND* "\.rar"==[a-z]\.substr\(\-4\) *AND* msSaveOrOpenBlob *AND* "buttondownload"\)\.onclick
Headers SmartApeSG2 (301 redirect) cdn3\-jquery\.info
URI SmartApeSG2 telotrace\.com\/ https://infosec.exchange/@GustyDusty/111176105257032772
URI SmartApeSG2 (payload) mamagoocha\.com\/
SourceCode ClearFake (injection) base64,YXN5bmMgZnVuY3 https://rmceoin.github.io/malware-analysis/clearfake/
SourceCode ClearFake (redirect1) const\sget_k_script=\(\)=>\{let
SourceCode ClearFake (redirect2) \["z\-index"\]="99999999999 *AND* remove_iframe=e
SourceCode ClearFake (redirect3) \/lander\/ *AND* fetch\(atob\(blank\)
URI ClearFake (landing) \/lander\/\w{5,30}\/_cf\.php$
URI ClearFake (download) \/download\/u36dqw\/action\.php\?name=
URI ClearFake (download Mac) \/File[0-9]{1,2}\/\w{21,30}$
SourceCode FakeUpdateRU getElementById\('downloadx'\) *AND* Engine *AND* \.zip';
SourceCode Keitaro TDS (^;\(function.*'\);$)
SourceCode FakeDomen domen *AND* detecct *AND* linkDesktop
## Social engineering (scams)
SourceCode Fake jQuery Campaign \\x73\\x6A\\x2E\\x79\\x72\\x65\\x75\\x71\\x6A\\x2 https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html
SourceCode LNKR Campaign lat\?jsonp=__[a-z]{3}_cb_[0-9]{9}&(#|amp)|addons\/lnkr30_nt\.min\.js https://twitter.com/baberpervez2/status/1194090555468394496?s=20
SourceCode (TechScam) document.getElementById\('map'\).innerHTML\s=\sstroka;|window\.location\.href\s=\s"\.\/systemerror\-win\-chx
SourceCode spectrepoint Campaign \/\*(spectrepoint|slectrepoint)\*\/\)\);\/\*!
SourceCode Google DNS injection (TSS) document\.write\(atob\("PHNjcmlwdD5 https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html
URI Google DNS redirect (TSS) ^https:\/\/dns.google\/resolve\?name=[\w\-\.]{10,60}tracker\-cloud\.com&type=txt
URI TechScam (DoubleClick) \/erxczzx
URI TechScam C0deJdfd008f\w{1,15}0\w{0,5}CH888Err(0|o)r8|\/systemerror\-win\-chx\/|\/systemerror\-win\-ff\/|\/systemerror\-ie\-edge\/
Hash TechScam 0589be7715d2320e559eae6bd26f3528e97450c70293da2e1e8ce45f77f99ab1|fc59bbb18f923747b9cd3f3b23537ff09c5ad2fdfc1505a4800a3f269a234e65
SourceCode VexTrio (injection) atob\('bC5qcy1hc3'
SourceCode VexTrio (injected site) document\.write\(String\.fromCharCode *AND* 97,112,105,54,52,46,105,112,105,102,121,46,111,114,103
URI VexTrio TDS \/min\.t\.\d{10}\.js\?v=\w{8}$
SourceCode VexTrio UTM (injection) utm_campaign=\w{44}&t=main9 https://infosec.exchange/@rmceoin/111500092637398831
URI VexTrio UTM TDS utm_campaign=\w{44}&t=main9 https://infosec.exchange/@rmceoin/111500092637398831
URI Redirect to TDS \/wp\-content\/counts\.php\?cat=1&t=o8\+CL
URI VexTrio UO u=7mkpd0d&o=ex5whk5
URI VexTrio UO (redirect payload) \/web\/\?sid=t[0-9]~\w{24}
SourceCode Balada injector (atob) \*\/atob; *AND* \*\/eval;\/\* https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html
URI Balada injector (infrastructure) specialcraftbox\.com|greenfastline\.com
URI Balada injector (json) base64eJyrVkrLzClJLVKyUqqOUc
SourceCode Balada injector (setitem) 7196643rGaMMg','setItem
## Magecart
SourceCode Magecart (CoffeMokko/Group8) lmcScr\("screen\-obj"|lmcScr\(_\$_|\/a\/g,_\$_\w{4}\[\d{2}\]\);(_0x\w{3,6}=\s_0x\w{3,6}|\w=\s?\w)\[_\$_\w{4}\[\d{2}\]\]\(\/h\/g,_\$_ https://blog.group-ib.com/coffemokko
SourceCode Magecart (FakeClicky) =','script','Y2hlY2tvdXQ=', https://twitter.com/GroupIB_GIB/status/1185237251762069504?s=20
SourceCode Magecart (Radix) 0a(0w){12} https://blog.sucuri.net/2019/03/more-on-dnsden-biz-swipers-and-radix-obfuscation.html
SourceCode Magecart (shell) \$AJegUupT= https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/
SourceCode Magecart (Bom) ,urll,true\)|;urll=\s_0x|\];function\sboms?\(\)|stats:btoa\(_0x|\]\](\(|=\s)_0x\w{1,8}(\[\d{1,2}\]|\))\}\}\}setInterval\( https://community.riskiq.com/article/743ea75b
SourceCode Magecart (recaptcha) window\["JSON"\]\["parse"\]\(window\["atob"\]\(\w{3,8}\.\w{3,8}\)\); https://twitter.com/sansecio/status/1445747878404583430?s=20
SourceCode Magecart (Magento 1.x) (\-text\/javascript">|<script>)var\sa0a=\[ https://antoinevastel.com/fraud/2020/09/20/analyzing-magento-skimmer.html
SourceCode Magecart (Inter kit) GetCCInfo:(\s|)function\(\) https://community.riskiq.com/article/30f22a00
SourceCode Magecart (img) http\.send\("data="\+snd\+"&asd="\+asd\); https://blog.sucuri.net/2017/01/database-and-image-tricks-in-magento-malware.html
SourceCode Magecart (Group3) \\x73\\x65\\x74\\x69\\x64\\x64 https://community.riskiq.com/projects/48b09759-49f9-c1a9-d1bb-dee04ae6155e
SourceCode Magecart (mr.Sniffa) var\seventsListenerPool\s=\sdocument.createElement\('script'\); https://twitter.com/MBThreatIntel/status/1268982125543387136?s=20
SourceCode Magecart (shoplift) \+inp\[i\]\.value\+['"]&['"] https://www.foregenix.com/blog/credit-card-hijack-magento-javascript-alert
SourceCode Magecart (clcl) onchange","clcl\(\)"\); https://twitter.com/rootprivilege/status/1326231381169512450?s=20
SourceCode Magecart (save img) dG9rZW58c2VhcmNofGNzZnJ8a2V5d29yZHxidXR0b24
SourceCode Magecart (cc_number) (\\)?x63(\\)?x63(\\)?x5[fF](\\)?x6E(\\)?x75(\\)?x6[dD](\\)?x62(\\)?x65(\\)?x72
SourceCode Magecart (Telegram) ctrlu=!\[\],ctrlshifti=!\[\]|ctrlu&&!ctrlshifti https://lukeleal.com/research/posts/magento2-skimmer-exfil-to-telegram/
SourceCode Magecart (cvv) Cvv:jQuery\(document\[_\$_
SourceCode Magecart (tagmanager source) \\"\smethod\\\\x3d\\"POST\\"
SourceCode Magecart (woff) g0\.ok https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-favicon-to-steal-cc-details.html
SourceCode Magecart (css site) 'POST',decodeURIComponent\(escape\(\w{2,8}\)\),!0\);\w{2,8}\.send\(null\);\}
SourceCode Magecart (wss) _g0\[_cs https://twitter.com/unmaskparasites/status/1519784855730499585?s=20&t=ieMMJelaM8_chtNakBeD0g
SourceCode Magecart (CaramelCorp) \{mathBA\(\),mathCC\(\); https://www.domaintools.com/resources/blog/a-sticky-situation-part-1-the-pervasive-nature-of-credit-card-skimmers#
SourceCode Magecart (devtoolshex) \\x64\\x65\\x76\\x74\\x6F\\x6F\\x6C\\x73\\x63\\x68\\x61\\x6E\\x67\\x65
SourceCode Magecart (xcart) function\(s,m,e\)\{m=atob\(m\)\.split https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html
SourceCode Magecart (anti sandbox) ;var\so1,o2,o3,o4|var\sccn,nb_dd,nm_dd|atob\(dm_insight_ids\)|new\sself.Function\(atob\( https://blog.malwarebytes.com/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert/
SourceCode Magecart (Magneto) xmlhttp\[_0x\w{4}\[[0-9]{2}\]\]\(_0x\w{6}\)\}\}\)\(\)\}|drt_script.parentNode.insertBefore https://twitter.com/MBThreatIntel/status/1171817639728934912
SourceCode Magecart (Base64 URL) atob\( *AND* bm94c2Vj
SourceCode Magecart (Base64 URL2) atob\( *AND* method:\s'POST'\} *AND* blob\(\)\)
SourceCode Magecart (Base64 URL3) atob\( *AND* 'Y2hlY2tvdX?Q=
SourceCode Magecart (Base64 URL4) atob\( *AND* W1siZmllbGQiL
SourceCode Magecart (devtools) devtools\.open *AND* \.test\(location\.href\)
SourceCode Magecart (ajax) action=heartbeat& *AND* billing *AND* wc\-authorize\-net\-cim https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-gateway-plugin.html
SourceCode Magecart (imagify) \\x23\\x62\\x69\\x6c\\x6c\\x69\\x6e\\x67\\x5f\\x6c *AND* \\x23\\x62\\x69\\x6c\\x6c\\x69\\x6e\\x67\\x5f\\x63
IP Magecart (Kritec) 195\.242\.110\.[0-9]{2,3} https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
## Obfuscation
## CVEs
## Suspicious traffic
SourceCode Fingerprinting anti-VM (Base64) base64,ZnVuY3Rpb24gXzB4 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers
SourceCode Fingerprinting anti-VM <noscript>You\sneed *AND* getTimezoneOffset *AND* canPlayType *AND* video\/mp4 *AND* UNMASKED_RENDERER_WEBGL
IP Malvertising 89\.223\.67\.221
## C2s
## Misc
URI IP check api64\.ipify\.org\/
URI Google DNS lookup dns\.google\/resolve
##############################################################################
########################### END OF REGEXES ###################################
##############################################################################
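Added example, not part of the EKFiddle repository: a minimal Python loader that reads entries in the layout used by the list above and evaluates them against observations. It assumes the fields are tab-separated (TYPE, NAME, REGEX, optional reference URL; the rendering above has collapsed the separators to spaces) and that a literal ` *AND* ` inside the REGEX field is a conjunction, so every sub-pattern must match somewhere in the value. EKFiddle itself evaluates these patterns in .NET; the handful copied here behave identically under Python's `re`, but some .NET-only constructs in the full list may not. The rule text is taken from this list; the HTML, URI and IP observations are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Assumed conjunction keyword inside the REGEX field: all sub-patterns must match.
AND_SEP = " *AND* "


@dataclass
class Rule:
    rtype: str        # SourceCode, URI, Headers, IP or Hash (the first column)
    name: str         # campaign / family label (the second column)
    patterns: list    # compiled sub-patterns; every one must match the value
    reference: str = ""

    def matches(self, value: str) -> bool:
        return all(p.search(value) for p in self.patterns)


def parse_rules(text: str) -> list:
    """Parse TYPE<TAB>NAME<TAB>REGEX[<TAB>URL] lines; '##' lines and blanks are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("##"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected TYPE<TAB>NAME<TAB>REGEX")
        rtype, name, regex = fields[0], fields[1], fields[2]
        reference = fields[3] if len(fields) > 3 else ""
        try:
            patterns = [re.compile(p) for p in regex.split(AND_SEP)]
        except re.error as exc:
            # A bad pattern in a shared list should fail loudly, not silently match nothing.
            raise ValueError(f"line {lineno} ({name}): bad regex: {exc}") from exc
        rules.append(Rule(rtype, name, patterns, reference))
    return rules


def scan(rules: list, rtype: str, value: str) -> list:
    """Names of all rules of the given type that match the observation."""
    return [r.name for r in rules if r.rtype == rtype and r.matches(value)]


# Rules copied from the master list; the tabs are added here as the assumed delimiter.
RULES_TXT = "\n".join([
    "## Social engineering (malware)",
    "\t".join(["SourceCode", "Parrot TDS (NDSW)", r"\(nds(w|j)===undefined\)",
               "https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html"]),
    "\t".join(["SourceCode", "Magecart (Base64 URL)", r"atob\( *AND* bm94c2Vj"]),
    "\t".join(["URI", "ClearFake (landing)", r"\/lander\/\w{5,30}\/_cf\.php$"]),
    "\t".join(["IP", "Magecart (Kritec)", r"195\.242\.110\.[0-9]{2,3}",
               "https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art"]),
])

# Constructed observations (not real captures).
SAMPLES = {
    "parrot_html": "<script>if(ndsw===undefined){var ndsw=true,HttpClient=function(){}}</script>",
    "skimmer_js": "var u=atob('bm94c2VjdXJlLmNvbQ==');fetch(u,{method:'POST'});",
    "benign_js": "var u=atob('aGVsbG8=');console.log(u);",   # atob( alone must not fire
    "clearfake_uri": "https://cdn.example.invalid/lander/xk2p9qw/_cf.php",
    "kritec_ip": "195.242.110.45",
    "near_miss_ip": "195.242.110.4",                           # last octet too short
}


if __name__ == "__main__":
    rules = parse_rules(RULES_TXT)
    for rtype, key in [("SourceCode", "parrot_html"), ("SourceCode", "skimmer_js"),
                       ("SourceCode", "benign_js"), ("URI", "clearfake_uri"),
                       ("IP", "kritec_ip"), ("IP", "near_miss_ip")]:
        print(f"{rtype:10} {key:14} -> {scan(rules, rtype, SAMPLES[key])}")
```

The type column matters: a URI rule is never tried against page source, so a pattern like `\/lander\/...\/_cf\.php$` cannot misfire on an unrelated script body, and the `*AND*` split keeps `atob\(` on its own from flagging every page that decodes Base64.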