Sneed-Reactivity/yara-mikesxrs/Volexity/web_js_xeskimmer.yar

34 lines
1.2 KiB
Text
Raw Permalink Normal View History

rule web_js_xeskimmer : XEGroup
{
meta:
author = "threatintel@volexity.com"
description = "Detects JScript code using in skimming credit card details."
date = "2021-11-17"
hash1 = "92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537"
reference1 = "https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/"
reference2 = "https://github.com/MBThreatIntel/skimmers/blob/master/null_gif_skimmer.js"
reference3 = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
memory_suitable = 0
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
strings:
$s1 = ".match(/^([3456]\\d{14,15})$/g" ascii
$s2 = "^(p(wd|ass(code|wd|word)))" ascii
$b1 = "c('686569676874')" ascii
$b2 = "c('7769647468')" ascii
$c1 = "('696D67')" ascii
$c2 = "('737263')" ascii
$magic = "d=c.charCodeAt(b),a+=d.toString(16);"
condition:
all of ($s*) or
all of ($b*) or
all of ($c*) or
$magic
}