33 lines
1.2 KiB
Text
33 lines
1.2 KiB
Text
rule web_js_xeskimmer : XEGroup
|
|
{
|
|
meta:
|
|
author = "threatintel@volexity.com"
|
|
description = "Detects JScript code using in skimming credit card details."
|
|
date = "2021-11-17"
|
|
hash1 = "92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537"
|
|
reference1 = "https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/"
|
|
reference2 = "https://github.com/MBThreatIntel/skimmers/blob/master/null_gif_skimmer.js"
|
|
reference3 = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
|
|
memory_suitable = 0
|
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
|
|
|
strings:
|
|
$s1 = ".match(/^([3456]\\d{14,15})$/g" ascii
|
|
$s2 = "^(p(wd|ass(code|wd|word)))" ascii
|
|
|
|
$b1 = "c('686569676874')" ascii
|
|
$b2 = "c('7769647468')" ascii
|
|
|
|
$c1 = "('696D67')" ascii
|
|
$c2 = "('737263')" ascii
|
|
|
|
$magic = "d=c.charCodeAt(b),a+=d.toString(16);"
|
|
|
|
condition:
|
|
all of ($s*) or
|
|
all of ($b*) or
|
|
all of ($c*) or
|
|
$magic
|
|
}
|
|
|
|
|