/
PK_KFCU_weebee.yar
31 lines (29 loc) · 952 Bytes
/
PK_KFCU_weebee.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
rule PK_KFCU_weebee : KFCU
{
meta:
description = "Phishing Kit impersonating Keesler Federal Credit Union"
licence = "GPL-3.0"
author = "Thomas 'tAd' Damonneville"
reference = ""
date = "2022-08-02"
comment = "Phishing Kit - KFCU - 'MRWEEBEE | KEESLER FCU'"
strings:
// the zipfile working on
$local_file = { 50 4b 03 04 }
// specific directory found in PhishingKit
$spec_dir = "settings"
$spec_dir2 = "process"
$spec_dir3 = "ses"
// specific files found in PhishingKit
$spec_file = "session_emma.php"
$spec_file2 = "78MhStYkx0gUYL4m.php"
$spec_file3 = "ref.php"
$spec_file4 = "verify_session_card.php"
$spec_file5 = "MobileLogo.png"
condition:
// look for the ZIP header
uint32(0) == 0x04034b50 and
$local_file and
all of ($spec_dir*) and
all of ($spec_file*)
}