-
Notifications
You must be signed in to change notification settings - Fork 131
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1296444
commit a86b1aa
Showing
1 changed file
with
117 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| ## Regular expressions master list created from public sources. | ||
| ############################# WARNING!!!! #################################### | ||
| ## Do not edit this file, use CustomRegexes.txt for your own regexes instead | ||
| ## or else your changes will be lost. | ||
| ############################################################################## | ||
| ## To report false positives, or contribute: https://github.com/malwareinfosec/EKFiddle | ||
| ## Last updated: 2024-03-01 | ||
|
|
||
| ## Social engineering (malware) | ||
| SourceCode SocGholish (injected site) src=\w{2}\('\w{11}\:\w\/\w\/ https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/ | ||
| SourceCode SocGholish (injected site obfu) %2F&format=xml"\s\/>\n{2}<script>\(function\(\)\{\(?function | ||
| SourceCode SocGholish (injected site new format) (window,document,'script','|async\ssrc=")http(s|):\/\/(?!www)[^.]([a-z0-9]+\.){2}[a-z]{2,10}\/[\w\/\+]{43}= | ||
| SourceCode SocGholish (injected site hex) \["\\x73\\x63\\x72\\x69\\x70\\x74","\\x68 *AND* \\x61\\x73\\x79\\x6E\\x63 | ||
| SourceCode TDS injection \w{8}\.src\s= *AND* \.org\/\w{8}"; | ||
| URI SocGholish ^http(s|):\/\/(?!www)[^.]([a-z]+\.(?!google)){2}[a-z]{2,10}\/(?![a-z]{5}\/)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*(=|\+))(?!.*(\-|_|\.|%|\?|@|[a-z]{6}|[0-9]{6}|aHR0cHM|api|app)).{40,140}= | ||
| URI GootLoader (payload) \/forum\.php\?[a-z]{3,15}=[a-z]{3,15}&[a-z]{3,20}=(?=.*[0-9])\w{50,200}& | ||
| URI sczriptzzbn (Campaign) friscomusicgroup.com|xim.avistapp.co | ||
| SourceCode Gootloader (hacked site) document\[\w{3,15}\[3\]\]=document\[\w{3,15}\[6\]\]\(\w{3,15}\[13\]\); https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/ | ||
| SourceCode sczriptzzbn sczriptzzbn.src\s=\s'https|page\-chrome\-title">You\sare\susing\san\solder\sversion\sof\sBrowser https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html | ||
| SourceCode Parrot TDS (NDSW) \(nds(w|j)===undefined\) https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html | ||
| SourceCode Parrot TDS (NDSW) new \((typeof )?nds[wj]==="?undefined"?\) | ||
| SourceCode Parrot TDS (NDSW) redirect var\sndsx\s=\strue.*script | ||
| SourceCode Parrot TDS (NDSW) cookie var\sndsx\s=\strue.*cookie | ||
| SourceCode FakeSG/RogueRaticate (compromised site) f=1135333 *AND* vhe;>heha https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat | ||
| SourceCode FakeSG/RogueRaticate (payload) \).url' *AND* setTimeout *AND* atob\( | ||
| SourceCode SmartApeSG (injection) \/cdn\-vs\/get.php"><\/script> | ||
| SourceCode SmartApeSG (iframe) w.php\?reqtime= *AND* sAyOE | ||
| SourceCode SmartApeSG "\.zip"==[a-z]\.substr\(\-4\) *AND* "\.rar"==[a-z]\.substr\(\-4\) *AND* msSaveOrOpenBlob *AND* "buttondownload"\)\.onclick | ||
| Headers SmartApeSG2 (301 redirect) cdn3\-jquery\.info | ||
| URI SmartApeSG2 telotrace\.com\/ https://infosec.exchange/@GustyDusty/111176105257032772 | ||
| URI SmartApeSG2 (payload) mamagoocha\.com\/ | ||
| SourceCode ClearFake (injection) base64,YXN5bmMgZnVuY3 https://rmceoin.github.io/malware-analysis/clearfake/ | ||
| SourceCode ClearFake (redirect1) const\sget_k_script=\(\)=>\{let | ||
| SourceCode ClearFake (redirect2) \["z\-index"\]="99999999999 *AND* remove_iframe=e | ||
| SourceCode ClearFake (redirect3) \/lander\/ *AND* fetch\(atob\(blank\) | ||
| URI ClearFake (landing) \/lander\/\w{5,30}\/_cf\.php$ | ||
| URI ClearFake (download) \/download\/u36dqw\/action\.php\?name= | ||
| URI ClearFake (download Mac) \/File[0-9]{1,2}\/\w{21,30}$ | ||
| SourceCode FakeUpdateRU getElementById\('downloadx'\) *AND* Engine *AND* \.zip'; | ||
|
|
||
| ## Social engineering (scams) | ||
| SourceCode Fake jQuery Campaign \\x73\\x6A\\x2E\\x79\\x72\\x65\\x75\\x71\\x6A\\x2 https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html | ||
| SourceCode LNKR Campaign lat\?jsonp=__[a-z]{3}_cb_[0-9]{9}&(#|amp)|addons\/lnkr30_nt\.min\.js https://twitter.com/baberpervez2/status/1194090555468394496?s=20 | ||
| SourceCode (TechScam) document.getElementById\('map'\).innerHTML\s=\sstroka;|window\.location\.href\s=\s"\.\/systemerror\-win\-chx | ||
| SourceCode spectrepoint Campaign \/\*(spectrepoint|slectrepoint)\*\/\)\);\/\*! | ||
| SourceCode Google DNS injection (TSS) document\.write\(atob\("PHNjcmlwdD5 https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html | ||
| URI Google DNS redirect (TSS) ^https:\/\/dns.google\/resolve\?name=[\w\-\.]{10,60}tracker\-cloud\.com&type=txt | ||
| URI TechScam (DoubleClick) \/erxczzx | ||
| URI TechScam C0deJdfd008f\w{1,15}0\w{0,5}CH888Err(0|o)r8|\/systemerror\-win\-chx\/|\/systemerror\-win\-ff\/|\/systemerror\-ie\-edge\/ | ||
| Hash TechScam 0589be7715d2320e559eae6bd26f3528e97450c70293da2e1e8ce45f77f99ab1|fc59bbb18f923747b9cd3f3b23537ff09c5ad2fdfc1505a4800a3f269a234e65 | ||
| SourceCode VexTrio (injection) atob\('bC5qcy1hc3' | ||
| SourceCode VexTrio (injected site) document\.write\(String\.fromCharCode *AND* 97,112,105,54,52,46,105,112,105,102,121,46,111,114,103 | ||
| URI VexTrio TDS \/min\.t\.\d{10}\.js\?v=\w{8}$ | ||
| SourceCode VexTrio UTM (injection) utm_campaign=\w{44}&t=main9 https://infosec.exchange/@rmceoin/111500092637398831 | ||
| URI VexTrio UTM TDS utm_campaign=\w{44}&t=main9 https://infosec.exchange/@rmceoin/111500092637398831 | ||
| URI Redirect to TDS \/wp\-content\/counts\.php\?cat=1&t=o8\+CL | ||
| URI VexTrio UO u=7mkpd0d&o=ex5whk5 | ||
| URI VexTrio UO (redirect payload) \/web\/\?sid=t[0-9]~\w{24} | ||
| SourceCode Balada injector (atob) \*\/atob; *AND* \*\/eval;\/\* https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html | ||
| URI Balada injector (infrastructure) specialcraftbox\.com|greenfastline\.com | ||
| URI Balada injector (json) base64eJyrVkrLzClJLVKyUqqOUc | ||
| SourceCode Balada injector (setitem) 7196643rGaMMg','setItem | ||
|
|
||
| ## Magecart | ||
| SourceCode Magecart (CoffeMokko/Group8) lmcScr\("screen\-obj"|lmcScr\(_\$_|\/a\/g,_\$_\w{4}\[\d{2}\]\);(_0x\w{3,6}=\s_0x\w{3,6}|\w=\s?\w)\[_\$_\w{4}\[\d{2}\]\]\(\/h\/g,_\$_ https://blog.group-ib.com/coffemokko | ||
| SourceCode Magecart (FakeClicky) =','script','Y2hlY2tvdXQ=', https://twitter.com/GroupIB_GIB/status/1185237251762069504?s=20 | ||
| SourceCode Magecart (Radix) 0a(0w){12} https://blog.sucuri.net/2019/03/more-on-dnsden-biz-swipers-and-radix-obfuscation.html | ||
| SourceCode Magecart (shell) \$AJegUupT= https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/ | ||
| SourceCode Magecart (Bom) ,urll,true\)|;urll=\s_0x|\];function\sboms?\(\)|stats:btoa\(_0x|\]\](\(|=\s)_0x\w{1,8}(\[\d{1,2}\]|\))\}\}\}setInterval\( https://community.riskiq.com/article/743ea75b | ||
| SourceCode Magecart (recaptcha) window\["JSON"\]\["parse"\]\(window\["atob"\]\(\w{3,8}\.\w{3,8}\)\); https://twitter.com/sansecio/status/1445747878404583430?s=20 | ||
| SourceCode Magecart (Magento 1.x) \(\-text\/javascript">|<script>)var\sa0a=\[ https://antoinevastel.com/fraud/2020/09/20/analyzing-magento-skimmer.html | ||
| SourceCode Magecart (Inter kit) GetCCInfo:(\s|)function\(\) https://community.riskiq.com/article/30f22a00 | ||
| SourceCode Magecart (img) http\.send\("data="\+snd\+"&asd="\+asd\); https://blog.sucuri.net/2017/01/database-and-image-tricks-in-magento-malware.html | ||
| SourceCode Magecart (Group3) \\x73\\x65\\x74\\x69\\x64\\x64 https://community.riskiq.com/projects/48b09759-49f9-c1a9-d1bb-dee04ae6155e | ||
| SourceCode Magecart (mr.Sniffa) var\seventsListenerPool\s=\sdocument.createElement\('script'\); https://twitter.com/MBThreatIntel/status/1268982125543387136?s=20 | ||
| SourceCode Magecart (shoplift) \+inp\[i\]\.value\+['"]&['"] https://www.foregenix.com/blog/credit-card-hijack-magento-javascript-alert | ||
| SourceCode Magecart (clcl) onchange","clcl\(\)"\); https://twitter.com/rootprivilege/status/1326231381169512450?s=20 | ||
| SourceCode Magecart (save img) dG9rZW58c2VhcmNofGNzZnJ8a2V5d29yZHxidXR0b24 | ||
| SourceCode Magecart (cc_number) (\\)?x63(\\)?x63(\\)?x5[fF](\\)?x6E(\\)?x75(\\)?x6[dD](\\)?x62(\\)?x65(\\)?x72 | ||
| SourceCode Magecart (Telegram) ctrlu=!\[\],ctrlshifti=!\[\]|ctrlu&&!ctrlshifti https://lukeleal.com/research/posts/magento2-skimmer-exfil-to-telegram/ | ||
| SourceCode Magecart (cvv) Cvv:jQuery\(document\[_\$_ | ||
| SourceCode Magecart (tagmanager source) \\"\smethod\\\\x3d\\"POST\\" | ||
| SourceCode Magecart (woff) g0\.ok https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-favicon-to-steal-cc-details.html | ||
| SourceCode Magecart (css site) 'POST',decodeURIComponent\(escape\(\w{2,8}\)\),!0\);\w{2,8}\.send\(null\);\} | ||
| SourceCode Magecart (wss) _g0\[_cs https://twitter.com/unmaskparasites/status/1519784855730499585?s=20&t=ieMMJelaM8_chtNakBeD0g | ||
| SourceCode Magecart (CaramelCorp) \{mathBA\(\),mathCC\(\); https://www.domaintools.com/resources/blog/a-sticky-situation-part-1-the-pervasive-nature-of-credit-card-skimmers# | ||
| SourceCode Magecart (devtoolshex) \\x64\\x65\\x76\\x74\\x6F\\x6F\\x6C\\x73\\x63\\x68\\x61\\x6E\\x67\\x65 | ||
| SourceCode Magecart (xcart) function\(s,m,e\)\{m=atob\(m\)\.split https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html | ||
| SourceCode Magecart (anti sandbox) ;var\so1,o2,o3,o4|var\sccn,nb_dd,nm_dd|atob\(dm_insight_ids\)|new\sself.Function\(atob\( https://blog.malwarebytes.com/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert/ | ||
| SourceCode Magecart (Magneto) xmlhttp\[_0x\w{4}\[[0-9]{2}\]\]\(_0x\w{6}\)\}\}\)\(\)\}|drt_script.parentNode.insertBefore https://twitter.com/MBThreatIntel/status/1171817639728934912 | ||
| SourceCode Magecart (Base64 URL) atob\( *AND* bm94c2Vj | ||
| SourceCode Magecart (Base64 URL2) atob\( *AND* method:\s'POST'\} *AND* blob\(\)\) | ||
| SourceCode Magecart (Base64 URL3) atob\( *AND* 'Y2hlY2tvdX?Q= | ||
| SourceCode Magecart (Base64 URL4) atob\( *AND* W1siZmllbGQiL | ||
| SourceCode Magecart (devtools) devtools\.open *AND* \.test\(location\.href\) | ||
| SourceCode Magecart (ajax) action=heartbeat& *AND* billing *AND* wc\-authorize\-net\-cim https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-gateway-plugin.html | ||
| SourceCode Magecart (imagify) \\x23\\x62\\x69\\x6c\\x6c\\x69\\x6e\\x67\\x5f\\x6c *AND* \\x23\\x62\\x69\\x6c\\x6c\\x69\\x6e\\x67\\x5f\\x63 | ||
| IP Magecart (Kritec) 195\.242\.110\.[0-9]{2,3} https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art | ||
|
|
||
| ## Obfuscation | ||
|
|
||
| ## CVEs | ||
|
|
||
| ## Suspicious traffic | ||
| SourceCode Fingerprinting anti-VM (Base64) base64,ZnVuY3Rpb24gXzB4 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers | ||
| SourceCode Fingerprinting anti-VM <noscript>You\sneed *AND* getTimezoneOffset *AND* canPlayType *AND* video\/mp4 *AND* UNMASKED_RENDERER_WEBGL | ||
| IP Malvertising 89\.223\.67\.221 | ||
|
|
||
| ## C2s | ||
|
|
||
| ## Misc | ||
| URI IP check api64\.ipify\.org\/ | ||
| URI Google DNS lookup dns\.google\/resolve | ||
|
|
||
| ############################################################################## | ||
| ########################### END OF REGEXES ################################### | ||
| ############################################################################## |