nuclei-templates/http/miscellaneous/crypto-mining-malware.yaml

43 lines
1.4 KiB
YAML

id: crypto-mining-malware
info:
name: Crypto Mining Malware - Detect
author: geeknik
severity: info
description: |
Checks websites for crypto-mining malware.
reference:
- https://github.com/xd4rker/MinerBlock/blob/master/assets/filters.txt
tags: malware,crypto,mining,misc
http:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- '(?mi)cryptonight\.wasm|deepMiner|proxy\=ws|coinhive\.min\.js|wpupdates\.github\.io\/ping|cryptonight\.asm\.js|coin-hive\.com|jsecoin\.com|cryptoloot\.pro'
- '(?mi)webassembly\.stream|monero\-miner|wasmminer|cn\-asmjs\.min\.js|aj(\-?)cryptominer|wp\-monero\-miner\-pro|crlt\.js|pool\/direct\.js|n\.2\.1\.(js|l.*)'
- '(?mi)ppoi\.org|xmrstudio|webmine\.pro|miner\.start|allfontshere\.press|upgraderservices\.cf|vuuwd\.com|gridcash\.js|worker\-asmjs\.min\.js|perfekt\=wss\:'
- '(?mi)coin\-hive\.com|coinhive|CoinHive|miner\.start|me0w\.js|web(x?)mr(4?)\.js|miner\.js|static\/js\/tpb\.js|lib\/crypta\.js'
- '(?mi)bitrix\/js\/main\/core\/core\_(tasker|loader)\.js'
condition: or
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "<title>Access Denied</title>"
- "You don't have permission to access"
condition: or
negative: true