Add files via upload

Regexes/MasterRegexes.txt

@@ -4,15 +4,15 @@
 ## or else your changes will be lost.
 ##############################################################################
 ## To report false positives, or contribute: https://github.com/malwareinfosec/EKFiddle
-## Last updated: 2024-01-11
+## Last updated: 2024-01-19
 
 ## Social engineering (malware)
 SourceCode	SocGholish (injected site)	src=\w{2}\('\w{11}\:\w\/\w\/	https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/
 SourceCode	SocGholish (injected site obfu)	%2F&#038;format=xml"\s\/>\n{2}<script>\(function\(\)\{\(?function
 SourceCode	SocGholish (injected site new format)	(window,document,'script','|async\ssrc=")http(s|):\/\/(?!www)[^.]([a-z0-9]+\.){2}[a-z]{2,10}\/[\w\/\+]{43}=
 SourceCode	SocGholish (injected site hex)	\["\\x73\\x63\\x72\\x69\\x70\\x74","\\x68 *AND* \\x61\\x73\\x79\\x6E\\x63
 SourceCode	TDS injection	\w{8}\.src\s= *AND* \.org\/\w{8}";
-URI	SocGholish	^http(s|):\/\/(?!www)[^.]([a-z]+\.(?!google)){2}[a-z]{2,10}\/(?![a-z]{5}\/)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*(=|\+))(?!.*(-|_|\.|%|\?|@|[a-z]{6}|[0-9]{6}|aHR0cHM|api|app)).{40,140}$
+URI	SocGholish	^http(s|):\/\/(?!www)[^.]([a-z]+\.(?!google)){2}[a-z]{2,10}\/(?![a-z]{5}\/)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*(=|\+))(?!.*(-|_|\.|%|\?|@|[a-z]{6}|[0-9]{6}|aHR0cHM|api|app)).{40,140}=
 URI	GootLoader (payload)	\/forum\.php\?[a-z]{3,15}=[a-z]{3,15}&[a-z]{3,20}=(?=.*[0-9])\w{50,200}&
 URI	sczriptzzbn (Campaign)	friscomusicgroup.com|xim.avistapp.co
 SourceCode	Gootloader (hacked site)	document\[\w{3,15}\[3\]\]=document\[\w{3,15}\[6\]\]\(\w{3,15}\[13\]\);	https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/
@@ -52,7 +52,10 @@ URI	VexTrio UTM TDS	utm_campaign=\w{44}&t=main9	https://infosec.exchange/@rmceoi
 URI	Redirect to TDS	\/wp-content\/counts\.php\?cat=1&t=o8\+CL
 URI	VexTrio UO	u=7mkpd0d&o=ex5whk5
 URI	VexTrio UO (redirect payload)	\/web\/\?sid=t[0-9]~\w{24}
-SourceCode	Balada injector	"sgpbWillOpen",\sfunction\(e\) *AND* popupId\s==
+SourceCode	Balada injector (atob)	\*\/atob; *AND* \*\/eval;\/\*	https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html
+URI	Balada injector (infrastructure)	specialcraftbox\.com|greenfastline\.com
+URI	Balada injector (json)	base64eJyrVkrLzClJLVKyUqqOUc
+SourceCode	Balada injector (setitem)	7196643rGaMMg','setItem
 
 ## Magecart
 SourceCode	Magecart (CoffeMokko/Group8)	lmcScr\("screen-obj"|lmcScr\(_\$_|\/a\/g,_\$_\w{4}\[\d{2}\]\);(_0x\w{3,6}=\s_0x\w{3,6}|\w=\s?\w)\[_\$_\w{4}\[\d{2}\]\]\(\/h\/g,_\$_	https://blog.group-ib.com/coffemokko

Regexes/RegexesVersion.info

@@ -1 +1 @@
-2024-01-11
+2024-01-19