paralax/magecart.yar

## magecart.yar
rule magecart
{
    meta:
        description = "This rule screens web pages to look for Magecart in script tag sources"
        thread_level = 3
        in_the_wild = true

	strings:
		$scriptopen = "<script "
		$scriptclose = "</script>"
		$d1 = "magesecuritys.com"
		$d2 = "magescripts.pw"
		$d3 = "js-cloud.com"
		$d4 = "cdnmage.com"
		$d5 = "cdnassels.com"
		$d6 = "mypiltow.com"
		$d7 = "configsysrc.info"
		$d8 = "cmytuok.top"
		$d9 = "mcloudjs.com"
		$d10 = "magejavascripts.com"
		$d11 = "www.js-cloud.com"
		$d12 = "www.cdnmage.com"
		$d13 = "www.magescripts.pw"
		$d14 = "secure.livechatinc.org"

	condition:
		for any i in (1..#scriptopen) : any of ($d*) in (@scriptopen[i]..@scriptclose[i])
}
	rule magecart
	{
	meta:
	description = "This rule screens web pages to look for Magecart in script tag sources"
	thread_level = 3
	in_the_wild = true

	strings:
	$scriptopen = "<script "
	$scriptclose = "</script>"
	$d1 = "magesecuritys.com"
	$d2 = "magescripts.pw"
	$d3 = "js-cloud.com"
	$d4 = "cdnmage.com"
	$d5 = "cdnassels.com"
	$d6 = "mypiltow.com"
	$d7 = "configsysrc.info"
	$d8 = "cmytuok.top"
	$d9 = "mcloudjs.com"
	$d10 = "magejavascripts.com"
	$d11 = "www.js-cloud.com"
	$d12 = "www.cdnmage.com"
	$d13 = "www.magescripts.pw"
	$d14 = "secure.livechatinc.org"

	condition:
	for any i in (1..#scriptopen) : any of ($d*) in (@scriptopen[i]..@scriptclose[i])
	}