From c5fc786539383c96fed27a725fae03f2ad1852b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?=
Date: Tue, 23 Jan 2024 15:27:58 +0100
Subject: [PATCH 1/2] Detecting Balada Injector malware

---
 .../balada-injector-malware.yaml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 http/miscellaneous/balada-injector-malware.yaml

diff --git a/http/miscellaneous/balada-injector-malware.yaml b/http/miscellaneous/balada-injector-malware.yaml
new file mode 100644
index 0000000000..7af729a902
--- /dev/null
+++ b/http/miscellaneous/balada-injector-malware.yaml
@@ -0,0 +1,32 @@
+id: balada-injector-malware
+
+info:
+ name: Balada Injector Malware - Detect
+ author: kazet
+ severity: high
+ description: |
+ Checks websites for Balada Injector malware.
+ reference:
+ - https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html
+ metadata:
+ max-request: 1
+ tags: malware,balada,misc
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - '(?mi)sgpbWillOpen", function\(e\) {if \(e.detail.popupId.{0,100}eval.{0,100}atob'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
From c1f23c2dcd966d6f4091b7851437515cab661b1d Mon Sep 17 00:00:00 2001
From: kazet
Date: Tue, 23 Jan 2024 15:51:02 +0100
Subject: [PATCH 2/2] Update http/miscellaneous/balada-injector-malware.yaml

Co-authored-by: msm-cert <156842376+msm-cert@users.noreply.github.com>
---
 http/miscellaneous/balada-injector-malware.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/miscellaneous/balada-injector-malware.yaml b/http/miscellaneous/balada-injector-malware.yaml
index 7af729a902..d87a2c037c 100644
--- a/http/miscellaneous/balada-injector-malware.yaml
+++ b/http/miscellaneous/balada-injector-malware.yaml
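Review bot: The `(?mi)` prefix on the regex line of the new template leaves both `.{0,100}` gaps unable to cross a line break, because `(?s)` is not set, while `(?m)` has no effect in a pattern that uses no `^`/`$` anchors; a variant of the injected handler that is not collapsed onto one line would therefore go undetected. Changing the prefix to `(?is)` keeps the case-insensitivity and lets the two bounded wildcard windows span newlines (the same flag string is carried into the PATCH 2/2 hunk, so it should be changed there too). The `description` block would also benefit from saying what the signature keys on, e.g. `Detects the Balada Injector payload hooked onto Popup Builder's sgpbWillOpen event handler (an eval(atob(...)) call inside the handler); see the Sucuri write-up under reference.` The header matcher only requires the word `text/html` somewhere in the response headers, which is adequate as a coarse HTML gate but would also pass on any other header that happens to contain that token.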
@@ -24,7 +24,7 @@ http:
 - type: regex
 part: body
 regex:
- - '(?mi)sgpbWillOpen", function\(e\) {if \(e.detail.popupId.{0,100}eval.{0,100}atob'
+ - '(?mi)sgpbWillOpen", *function\(e\) *{if *\(e[.]detail[.]popupId.{0,100}eval.{0,100}atob'
 
 - type: word
 part: header
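Review bot: The added regex line tolerates only literal spaces (` *`) between `sgpbWillOpen",`, `function(e)` and `{if`, so a variant that uses tabs or line breaks in those positions still fails to match; `\s*` is the portable form in the RE2 syntax of Go's regexp, which nuclei uses. Proposed line: `- '(?mi)sgpbWillOpen",\s*function\(e\)\s*{if\s*\(e[.]detail[.]popupId.{0,100}eval.{0,100}atob'`. Escaping the two property-access dots as `[.]` is correct, and the remaining `.{0,100}` gaps are intentional wildcards. The `matchers` list this line belongs to continues outside the hunk.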