diff --git a/PK_1and1_Ionos_mademen.yar b/PK_1and1_Ionos_mademen.yar
new file mode 100644
index 0000000..8f4100a
--- /dev/null
+++ b/PK_1and1_Ionos_mademen.yar
@@ -0,0 +1,30 @@
+rule PK_1and1_Ionos_mademen : one_and_one
+{
+ meta:
+ description = "Phishing Kit impersonating IONOS by 1and1"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-13"
+ comment = "Phishing Kit - IONOS - 'MADEMEN CYBER TEAM'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "demo_files"
+ // specific file found in PhishingKit
+ $spec_file = "demp.php"
+ $spec_file2 = "go.php"
+ $spec_file3 = "err.php"
+ $spec_file4 = "load.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_1and1_Ionos_onlyone.yar b/PK_1and1_Ionos_onlyone.yar
new file mode 100644
index 0000000..a72a2af
--- /dev/null
+++ b/PK_1and1_Ionos_onlyone.yar
@@ -0,0 +1,31 @@
+rule PK_1and1_Ionos_onlyone : one_and_one
+{
+ meta:
+ description = "Phishing Kit impersonating IONOS by 1and1"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing Kit - 1and1 - 'By The Only One'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "img"
+ $spec_dir2 = ".well-known"
+ // specific file found in PhishingKit
+ $spec_file = "inpagelayer.css"
+ $spec_file2 = "apple-touch-icon.png"
+ $spec_file3 = "index.html"
+ $spec_file4 = "login.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
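Review bot: In the condition, `$zip_file and` can never reject anything once `uint32(0) == 0x04034b50` has passed: the hex string `{ 50 4b 03 04 }` is unanchored and those exact four bytes are already required at offset 0, so the "make sure we have a local file header" test is redundant with the line above it. Either keep only the uint32 check and delete the string (YARA refuses to compile a declared string that the condition never references, so it cannot simply be left in place), or if the intent was to require a further local file header beyond the first, say so explicitly with `#zip_file > 1`. The same pair appears in every rule of this commit (onlyone, ATT_dammy, AdobePDF_venza2, Amazon_xbalti, Amex_codewizard, BanquePostale_money, MWeb_pak, Netease_papaz, O365_codespirit), so whichever form is chosen should be applied to all of them.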
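Review bot: The strings `"img"`, `".well-known"`, `"index.html"`, `"login.php"` and `"apple-touch-icon.png"` occur in the entry names of almost any archived website, so this rule will fire on a large share of benign ZIPs; with YARA's plain substring matching, `"img"` also hits `images`. Because ZIP entry contents are normally deflated, the only plaintext the scanner sees is the stored entry names in the local file headers, so the discriminating value has to come from those names: add `fullword` to each name string and, where the kit has one, a path-qualified name unique to it, e.g. `$spec_file = "<KIT_DIR>/inpagelayer.css" fullword` with the real directory taken from the kit. The same low-specificity tokens carry AdobePDF_venza2 (`css`, `images`, `index.php`), Amex_codewizard (`home`, `v.php`), BanquePostale_money (`config`, `data`), MWeb_pak (`includes`, `store`, `config.php`), Netease_papaz (`img`) and O365_codespirit (`index.html` and `n.php`, which also matches `login.php`).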
diff --git a/PK_ATT_dammy.yar b/PK_ATT_dammy.yar
new file mode 100644
index 0000000..9271401
--- /dev/null
+++ b/PK_ATT_dammy.yar
@@ -0,0 +1,26 @@
+rule PK_ATT_dammy : ATandT
+{
+ meta:
+ description = "Phishing Kit impersonating ATandT"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing Kit - ATandT - 'Hacked By Opa Dammy'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific file found in PhishingKit
+ $spec_file = "Team.php"
+ $spec_file2 = "Indexxatt.htm"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ // check for file
+ $spec_file and
+ $spec_file2
+}
\ No newline at end of file
diff --git a/PK_AdobePDF_venza2.yar b/PK_AdobePDF_venza2.yar
new file mode 100644
index 0000000..0f82e63
--- /dev/null
+++ b/PK_AdobePDF_venza2.yar
@@ -0,0 +1,33 @@
+rule PK_AdobePDF_venza2 : Adobe
+{
+ meta:
+ description = "Phishing Kit impersonating Adobe PDF Online"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-13"
+ comment = "Phishing Kit - Adobe PDF Online - 'cReAtEd By VeNzA'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "css"
+ $spec_dir1 = "images"
+ // specific file found in PhishingKit
+ $spec_file = "next.php"
+ $spec_file2 = "index.php"
+ $spec_file3 = "office3651.png"
+ $spec_file4 = "sharepoint-portals.svg"
+ $spec_file5 = "demo-page.css"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
+
diff --git a/PK_Amazon_xbalti.yar b/PK_Amazon_xbalti.yar
new file mode 100644
index 0000000..f566069
--- /dev/null
+++ b/PK_Amazon_xbalti.yar
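Review bot: The condition lists `$spec_file and $spec_file2` by hand while every other rule in this commit uses the wildcard form `all of ($spec_file*)`; using the same form here keeps the rule set uniform and means a `$spec_file3` added later cannot be left out of the condition by oversight. Replace the last two operands with `all of ($spec_file*)`. The `Team.php` name on its own is also fairly generic, so the rule currently rests mostly on `Indexxatt.htm`.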
@@ -0,0 +1,26 @@
+rule PK_Amazon_xbalti : Amazon
+{
+ meta:
+ description = "Phishing Kit impersonating Amazon"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-11"
+ comment = "Phishing Kit - Amazon - 'BY XBALTI'"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_dir = "XBALTI"
+ $spec_dir1 = "amazon"
+ $spec_file1 = "rezulta.php"
+ $spec_file2 = "check_bin.php"
+ $spec_file3 = "send_billing.php"
+ $spec_file4 = "antibots.php"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_Amex_codewizard.yar b/PK_Amex_codewizard.yar
new file mode 100644
index 0000000..81950a6
--- /dev/null
+++ b/PK_Amex_codewizard.yar
@@ -0,0 +1,25 @@
+rule PK_Amex_codewizard : Amex
+{
+ meta:
+ description = "Phishing Kit impersonating American Express"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing Kit - Amex - '=+Codewizard+='"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_dir = "home"
+ $spec_file1 = "mm1.php"
+ $spec_file2 = "v.php"
+ $spec_file3 = "email2.php"
+ $spec_file4 = "enc.php"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ $spec_dir and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_BanquePostale_money.yar b/PK_BanquePostale_money.yar
new file mode 100644
index 0000000..b75fb5d
--- /dev/null
+++ b/PK_BanquePostale_money.yar
@@ -0,0 +1,31 @@
+rule PK_BanquePostale_money : Banque Postale
+{
+ meta:
+ description = "Phishing Kit impersonating la Banque Postale"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing kit - Banque Postale - 'From: '"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "config"
+ $spec_dir1 = "data"
+ // specific file found in PhishingKit
+ $spec_file = "trans.php"
+ $spec_file2 = "funcs.php"
+ $spec_file3 = "settings.php"
+ $spec_file4 = "cle-digitale.html"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_MWeb_pak.yar b/PK_MWeb_pak.yar
new file mode 100644
index 0000000..076da02
--- /dev/null
+++ b/PK_MWeb_pak.yar
@@ -0,0 +1,31 @@
+rule PK_MWeb_pak : MWeb
+{
+ meta:
+ description = "Phishing Kit impersonating MWeb"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing kit - MWeb - presence of a pakistani ip address in source code"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "includes"
+ $spec_dir1 = "store"
+ // specific file found in PhishingKit
+ $spec_file = "config.php"
+ $spec_file2 = "user_details.php"
+ $spec_file3 = "mweb-custom.css"
+ $spec_file4 = "mweb-logo-2020-white.png"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_Netease_papaz.yar b/PK_Netease_papaz.yar
new file mode 100644
index 0000000..a986cfb
--- /dev/null
+++ b/PK_Netease_papaz.yar
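Review bot: The header `rule PK_BanquePostale_money : Banque Postale` declares two tags, `Banque` and `Postale`, because YARA tags are whitespace-separated identifiers; every other rule in the commit carries a single tag, so this looks unintended and means `yara -t Banque` and `yara -t Postale` each select the rule while a filter on the full brand name never does. If one tag was meant, write `rule PK_BanquePostale_money : Banque_Postale`. The meta `comment = "Phishing kit - Banque Postale - 'From: '"` also ends in an empty attribution, presumably a signature that was cut off; either fill it in or drop the `'From: '` part so the comment does not look truncated.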
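Review bot: The meta comment attributes this kit to `presence of a pakistani ip address in source code`, but no string in the rule tests for it, so as written the match rests on `includes`, `store`, `config.php` and the two MWeb-branded asset names and the comment overstates what the rule checks. Since ZIP entry contents are normally compressed, an address inside a PHP file would not be visible to the scanner anyway, so the comment should describe how the kit was attributed rather than imply a check, e.g. `comment = "Phishing kit - MWeb - attributed by a Pakistani IP address in the kit source (not matched by this rule)"`. If the address does sit in a stored (uncompressed) entry, declare it as `$spec_ip = "<IP_FROM_KIT>"` and reference it in the condition so the rule carries its own discriminator.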
@@ -0,0 +1,25 @@
+rule PK_Netease_papaz : Netease
+{
+ meta:
+ description = "Phishing Kit impersonating Netease 163.com"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-12"
+ comment = "Phishing Kit - qiye.163.com - 'PAPAZ & SON'"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_dir = "img"
+ $spec_file1 = "bizmail1.php"
+ $spec_file2 = "next1.php"
+ $spec_file3 = "bizmail.php"
+ $spec_file4 = "qiyes.png"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ $spec_dir and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_O365_codespirit.yar b/PK_O365_codespirit.yar
new file mode 100644
index 0000000..56f827d
--- /dev/null
+++ b/PK_O365_codespirit.yar
@@ -0,0 +1,27 @@
+rule PK_O365_codespirit : Office365
+{
+ meta:
+ description = "Phishing Kit impersonating Office 365"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-08-13"
+ comment = "Phishing Kit - O365 - 'Created in CODE~SPIRIT'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific files found in PhishingKit
+ $spec_file = "ind.php"
+ $spec_file2 = "rst.htm"
+ $spec_file3 = "index.html"
+ $spec_file4 = "n.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file