Detects the ImBetter stealer C2 panel page.
Using the SVG data we can confidentially detect the SVG element that is used for the login page logo.
title: ImBetter C2 Panel 1f52021a
description: |
Detects the `ImBetter` stealer C2 panel page.
Using the SVG data we can confidentially detect
the SVG element that is used for the login page
logo.
references:
- https://www.bridewell.com/insights/blogs/detail/threat-advisory-bridewell-malware-impersonating-online-tools-and-video-games
- https://twitter.com/bridewellsec/status/1631349963840970757
detection:
svgData:
html|contains|all:
- 'M6 19C6 16.7909 8.68629 15 12 15C15.3137 15 18 16.7909 18 19'
- 'M12 12C14.2091 12 16 10.2091 16 8C16 5.79086 14.2091 4 12 4C9.79086 4 8 5.79086 8 8C8 10.2091 9.79086 12 12 12Z'
authScript:
requests|contains: 'auf.js'
imageFile:
requests|contains: '114cd0fcfa927565b082.png'
condition: svgData and (authScript or imageFile)
tags:
- threat_actor.arv6
- malware.imbetter
- malware