Class attribute obfuscation

Detects an obfuscation technique found being used by a TrustWallet phishing kit where it appends several repeating groups of characters to the class attribute of all HTML elements in the page.

References

https://urlscan.io/result/8e3bb6f7-9c4e-4157-8c99-5b0b98058425
https://urlscan.io/result/a0b2f6a8-1cd1-4c44-bc0c-659446e891bf

IOK Rule (edit)

title: Class attribute obfuscation

description: |
  Detects an obfuscation technique found being used
  by a TrustWallet phishing kit where it appends several
  repeating groups of characters to the class attribute
  of all HTML elements in the page.
  
references:
  - https://urlscan.io/result/8e3bb6f7-9c4e-4157-8c99-5b0b98058425
  - https://urlscan.io/result/a0b2f6a8-1cd1-4c44-bc0c-659446e891bf
  
detection:

    obfuscatedClassAttribute:
      html|re: 'class="(?:(?: |  )?(?:[A-Za-z0-9]{20})(?: |  )?){8}'

    condition: obfuscatedClassAttribute

tags:
  - anti-analysis