From 5d1013649d8a6ae2f422caff3de05e82dbee7324 Mon Sep 17 00:00:00 2001
From: t4d
Date: Thu, 29 Apr 2021 21:42:19 +0200
Subject: [PATCH] Rules 20210429
---
PK_BT_rydox.yar | 25 +++++++++++++++++++++++++
PK_Chase_Xbaltiv3.yar | 27 +++++++++++++++++++++++++++
PK_Chronopost_dch.yar | 28 ++++++++++++++++++++++++++++
PK_EarthLink_33flow.yar | 30 ++++++++++++++++++++++++++++++
PK_HSBC_payee.yar | 26 ++++++++++++++++++++++++++
PK_Multi_mumu.yar | 31 +++++++++++++++++++++++++++++++
PK_OneDrive_venza.yar | 23 +++++++++++++++++++++++
PK_WeTransfer_shevi.yar | 30 ++++++++++++++++++++++++++++++
8 files changed, 220 insertions(+)
create mode 100644 PK_BT_rydox.yar
create mode 100644 PK_Chase_Xbaltiv3.yar
create mode 100644 PK_Chronopost_dch.yar
create mode 100644 PK_EarthLink_33flow.yar
create mode 100644 PK_HSBC_payee.yar
create mode 100644 PK_Multi_mumu.yar
create mode 100644 PK_OneDrive_venza.yar
create mode 100644 PK_WeTransfer_shevi.yar
diff --git a/PK_BT_rydox.yar b/PK_BT_rydox.yar
new file mode 100644
index 0000000..02482df
--- /dev/null
+++ b/PK_BT_rydox.yar
@@ -0,0 +1,25 @@
+rule PK_BT_rydox : BT
+{
+ meta:
+ description = "Phishing Kit impersonating BT Business"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-29"
+ comment = "Phishing Kit - BT Business - 'Rydox.CC Coding'"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_dir = "img"
+ $spec_file1 = "app.css"
+ $spec_file2 = "search.svg"
+ $spec_file3 = "login2.php"
+ $spec_file4 = "index2.php"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ $spec_dir and
+ // check for file
+ all of ($spec_file*)
+}
diff --git a/PK_Chase_Xbaltiv3.yar b/PK_Chase_Xbaltiv3.yar
new file mode 100644
index 0000000..4303f1f
--- /dev/null
+++ b/PK_Chase_Xbaltiv3.yar
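Review bot: In the condition of PK_BT_rydox the `$zip_file and` term is redundant, because `uint32(0) == 0x04034b50` already requires the bytes 50 4b 03 04 at offset 0, so `$zip_file` can never be false when the first term is true; the same pairing appears in every rule of this patch (PK_Chase_Xbaltiv3 and PK_Chronopost_dch as `$local_file`, the rest as `$zip_file`). Either drop the string term or make the intent explicit with `$zip_file at 0` in place of the uint32 comparison, but keeping both only adds a scan for a four-byte pattern that is guaranteed to match. Separately, `$spec_dir = "img"` is a substring match anywhere in the archive (it also hits "imgs", "image", "images"), so it contributes almost no selectivity; if the kit stores the directory under a stable path, anchoring it as `"img/"` or marking it `fullword` would make the directory check meaningful. The empty `reference = ""` field is fine as a placeholder but it would be clearer to omit it than to ship an empty value.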
@@ -0,0 +1,27 @@
+rule PK_Chase_Xbaltiv3 : Chase
+{
+ meta:
+ description = "Phishing Kit impersonating Chase bank"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = "https://stalkphish.com/2021/04/22/scammer_vs_scammer_backdoored_phishing_kit/"
+ date = "2021-04-21"
+ comment = "Phishing Kit - Chase Bank - XBalti V3"
+
+ strings:
+ // the zipfile working on
+ $local_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "XBALTI"
+ // specific files found in PhishingKit
+ $spec_file = "desktopnight.jpeg"
+ $spec_file2 = "lostyle.css"
+ $spec_file3 = "Email.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ $local_file and
+ $spec_dir and
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_Chronopost_dch.yar b/PK_Chronopost_dch.yar
new file mode 100644
index 0000000..e09e39d
--- /dev/null
+++ b/PK_Chronopost_dch.yar
@@ -0,0 +1,28 @@
+rule PK_Chronopost_dch : Chronopost
+{
+ meta:
+ description = "Phishing Kit impersonating Chronopost"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-28"
+ comment = "Phishing Kit - Chronopost - 'DCH Coder'"
+
+ strings:
+ // the zipfile working on
+ $local_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "sourceApp"
+ // specific files found in PhishingKit
+ $spec_file = "chronopost_tours_03712200_113425863.jpg"
+ $spec_file1 = "remettions.php"
+ $spec_file2 = "engagement.php"
+ $spec_file3 = "funciones.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ $local_file and
+ $spec_dir and
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_EarthLink_33flow.yar b/PK_EarthLink_33flow.yar
new file mode 100644
index 0000000..59293ca
--- /dev/null
+++ b/PK_EarthLink_33flow.yar
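Review bot: The string identifiers in PK_Chase_Xbaltiv3 run `$spec_file`, `$spec_file2`, `$spec_file3` with no `$spec_file1`, and PK_Chronopost_dch mixes `$spec_file` with `$spec_file1`..`$spec_file3`, while PK_BT_rydox, PK_HSBC_payee and PK_OneDrive_venza number from `$spec_file1`. The `all of ($spec_file*)` wildcard still picks every one of them up, so this is style only, but a single convention across the kit rules (either always start at `$spec_file1` or always use the bare `$spec_file` for the first entry) makes it easier to see at a glance how many files a rule requires and avoids a reviewer wondering whether an entry was dropped. Both files also end without a trailing newline, as the diff markers show.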
@@ -0,0 +1,30 @@
+rule PK_EarthLink_33flow : EarthLink
+{
+ meta:
+ description = "Phishing Kit impersonating EarthLink"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-22"
+ comment = "Phishing Kit - EarthLink - 'Created in 2020 [ Don 33flow ]'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "imgs"
+ // specific file found in PhishingKit
+ $spec_file = "delete.php"
+ $spec_file2 = "_+--_=_.php"
+ $spec_file3 = "elnk_logo.png"
+ $spec_file4 = "_=+---+_=.html"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ $spec_dir and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_HSBC_payee.yar b/PK_HSBC_payee.yar
new file mode 100644
index 0000000..44688f5
--- /dev/null
+++ b/PK_HSBC_payee.yar
@@ -0,0 +1,26 @@
+rule PK_HSBC_payee : HSBC
+{
+ meta:
+ description = "Phishing Kit impersonating HSBC"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-29"
+ comment = "Phishing Kit - HSBC - deployed on many domains containing 'payee' string"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_dir = "admin"
+ $spec_dir2 = "security.hsbc"
+ $spec_file1 = "rec.php"
+ $spec_file2 = "installerdb.php"
+ $spec_file3 = "idv.PayeeReq.php"
+ $spec_file4 = "idv.Verifying.php"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ all of ($spec_dir*) and
+ // check for file
+ all of ($spec_file*)
+}
diff --git a/PK_Multi_mumu.yar b/PK_Multi_mumu.yar
new file mode 100644
index 0000000..6da9b06
--- /dev/null
+++ b/PK_Multi_mumu.yar
@@ -0,0 +1,31 @@
+rule PK_Multi_mumu
+{
+ meta:
+ description = "Phishing Kit impersonating Several brands (hotmail, hanmail, 163, AE, ...)"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-31"
+ comment = "Phishing Kit - Multiple - found mailing-list called mumu*.txt"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "image"
+ // specific file found in PhishingKit
+ $spec_file = "process.php"
+ $spec_file2 = "naver.php"
+ $spec_file3 = "rediff.php"
+ $spec_file4 = "sp_btn_20140615.png"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ // check for file
+ $spec_dir and
+ all of ($spec_file*)
+}
+
diff --git a/PK_OneDrive_venza.yar b/PK_OneDrive_venza.yar
new file mode 100644
index 0000000..7344d3e
--- /dev/null
+++ b/PK_OneDrive_venza.yar
@@ -0,0 +1,23 @@
+rule PK_OneDrive_venza : OneDrive
+{
+ meta:
+ description = "Phishing Kit impersonating OneDrive"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-27"
+ comment = "Phishing Kit - OneDrive - 'CrEaTeD bY VeNzA'"
+
+ strings:
+ $zip_file = { 50 4b 03 04 }
+ $spec_file1 = "email.php"
+ $spec_file2 = "next.php"
+ $spec_file3 = "1.png"
+ $spec_file4 = "1.html"
+
+ condition:
+ uint32(0) == 0x04034b50 and
+ $zip_file and
+ // check for file
+ all of ($spec_file*)
+}
\ No newline at end of file
diff --git a/PK_WeTransfer_shevi.yar b/PK_WeTransfer_shevi.yar
new file mode 100644
index 0000000..2a556a6
--- /dev/null
+++ b/PK_WeTransfer_shevi.yar
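Review bot: The meta field `date = "2021-04-31"` in PK_Multi_mumu is not a valid calendar date (April has 30 days); the patch itself is dated 29 April, so this is presumably a typo for `date = "2021-04-29"` or thereabouts and should be corrected, since these meta dates are what downstream tooling sorts and reports on. In the same rule the `// check for file` comment sits above `$spec_dir and` rather than above `all of ($spec_file*)`, which is the line it describes; PK_WeTransfer_shevi has the same misplaced comment. Moving the comment down one line, or rewording the directory line as `// check for directory`, removes the confusion. PK_Multi_mumu is also the only rule in the set with no tag after the rule name; if the tag is omitted on purpose because the kit impersonates several brands, a `Multi` tag or a comment saying so would keep tag-based filtering consistent with the other rules.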
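Review bot: PK_OneDrive_venza relies on `$spec_file3 = "1.png"` and `$spec_file4 = "1.html"`, which are five- and six-byte substrings that also match inside any archive member named, for example, "11.png", "image1.png" or "page1.html", and the rule has no `$spec_dir` anchor to narrow it. Combined with the equally common `email.php` and `next.php`, `all of ($spec_file*)` can be satisfied by unrelated archives, so this rule is the most false-positive-prone of the eight. Marking the short names `fullword`, or prefixing them with the directory they live in inside this kit (a `"<kit_dir>/1.png"`-style string, with the real path taken from the sample), would restore the selectivity the other rules get from their directory string.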
@@ -0,0 +1,30 @@
+rule PK_WeTransfer_shevi : WeTransfer
+{
+ meta:
+ description = "Phishing Kit impersonating WeTransfer"
+ licence = "GPL-3.0"
+ author = "Thomas 'tAd' Damonneville"
+ reference = ""
+ date = "2021-04-28"
+ comment = "Phishing Kit - WeTransfer - 'WEtransfer Logx CoDeD By Shevi'"
+
+ strings:
+ // the zipfile working on
+ $zip_file = { 50 4b 03 04 }
+ // specific directory found in PhishingKit
+ $spec_dir = "cgi"
+ // specific file found in PhishingKit
+ $spec_file = "loading.php"
+ $spec_file1 = "loading.php"
+ $spec_file2 = "timeout.php"
+ $spec_file3 = "login6.php"
+
+ condition:
+ // look for the ZIP header
+ uint32(0) == 0x04034b50 and
+ // make sure we have a local file header
+ $zip_file and
+ // check for file
+ $spec_dir and
+ all of ($spec_file*)
+}
\ No newline at end of file
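Review bot: `$spec_file` and `$spec_file1` in PK_WeTransfer_shevi both hold the value `"loading.php"`, so `all of ($spec_file*)` effectively requires only three distinct files and the duplicate looks like a copy-paste slip while adding a fourth entry. Either delete one of the two lines or replace `$spec_file1 = "loading.php"` with another file that is specific to this kit (taken from the sample; the rule as written gives no candidate). The `$spec_dir = "cgi"` string is also a short substring that appears in many archives, so the rule's precision rests almost entirely on `timeout.php` and `login6.php`.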