forked from t4d/PhishingKit-Yara-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
220 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| rule PK_BT_rydox : BT | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating BT Business" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-29" | ||
| comment = "Phishing Kit - BT Business - 'Rydox.CC Coding'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "img" | ||
| $spec_file1 = "app.css" | ||
| $spec_file2 = "search.svg" | ||
| $spec_file3 = "login2.php" | ||
| $spec_file4 = "index2.php" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| rule PK_Chase_Xbaltiv3 : Chase | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Chase bank" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "https://stalkphish.com/2021/04/22/scammer_vs_scammer_backdoored_phishing_kit/" | ||
| date = "2021-04-21" | ||
| comment = "Phishing Kit - Chase Bank - XBalti V3" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $local_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "XBALTI" | ||
| // specific files found in PhishingKit | ||
| $spec_file = "desktopnight.jpeg" | ||
| $spec_file2 = "lostyle.css" | ||
| $spec_file3 = "Email.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| $local_file and | ||
| $spec_dir and | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| rule PK_Chronopost_dch : Chronopost | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Chronopost" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-28" | ||
| comment = "Phishing Kit - Chronopost - 'DCH Coder'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $local_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "sourceApp" | ||
| // specific files found in PhishingKit | ||
| $spec_file = "chronopost_tours_03712200_113425863.jpg" | ||
| $spec_file1 = "remettions.php" | ||
| $spec_file2 = "engagement.php" | ||
| $spec_file3 = "funciones.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| $local_file and | ||
| $spec_dir and | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| rule PK_EarthLink_33flow : EarthLink | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating EarthLink" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-22" | ||
| comment = "Phishing Kit - EarthLink - 'Created in 2020 [ Don 33flow ]'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "imgs" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "delete.php" | ||
| $spec_file2 = "_+--_=_.php" | ||
| $spec_file3 = "elnk_logo.png" | ||
| $spec_file4 = "_=+---+_=.html" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| rule PK_HSBC_payee : HSBC | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating HSBC" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-29" | ||
| comment = "Phishing Kit - HSBC - deployed on many domains containing 'payee' string" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "admin" | ||
| $spec_dir2 = "security.hsbc" | ||
| $spec_file1 = "rec.php" | ||
| $spec_file2 = "installerdb.php" | ||
| $spec_file3 = "idv.PayeeReq.php" | ||
| $spec_file4 = "idv.Verifying.php" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| rule PK_Multi_mumu | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Several brands (hotmail, hanmail, 163, AE, ...)" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-31" | ||
| comment = "Phishing Kit - Multiple - found mailing-list called mumu*.txt" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "image" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "process.php" | ||
| $spec_file2 = "naver.php" | ||
| $spec_file3 = "rediff.php" | ||
| $spec_file4 = "sp_btn_20140615.png" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| // check for file | ||
| $spec_dir and | ||
| all of ($spec_file*) | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| rule PK_OneDrive_venza : OneDrive | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating OneDrive" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-27" | ||
| comment = "Phishing Kit - OneDrive - 'CrEaTeD bY VeNzA'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_file1 = "email.php" | ||
| $spec_file2 = "next.php" | ||
| $spec_file3 = "1.png" | ||
| $spec_file4 = "1.html" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| rule PK_WeTransfer_shevi : WeTransfer | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating WeTransfer" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-28" | ||
| comment = "Phishing Kit - WeTransfer - 'WEtransfer Logx CoDeD By Shevi'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "cgi" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "loading.php" | ||
| $spec_file1 = "loading.php" | ||
| $spec_file2 = "timeout.php" | ||
| $spec_file3 = "login6.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| // check for file | ||
| $spec_dir and | ||
| all of ($spec_file*) | ||
| } |