Emerging Threats

SIG: ET HUNTING Possible JSFireTruck JavaScript Obfuscation

Rule Signatures

kevross33 June 12, 2025, 3:22pm 1

The rendered squares here are actually [ and ]

alert tcp $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“ET HUNTING Possible JSFireTruck JavaScript Obfuscation”; flow:established,to_client; file_data; content:“+”; content:“]+”; pcre:“/[+$!(){}0-9]{70,}/m”; classtype:bad-unknown; reference:url,JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique; reference:url,GitHub - aemkei/jsfuck: Write any JavaScript with 6 Characters: []()!+; sid:156701; rev:1;)

Kind Regards,
Kevin Ross

bingohotdog June 18, 2025, 10:58pm 2

Thanks, Kevin. I’ll look into this suggestion!

Cheers,

bingohotdog July 14, 2025, 9:12pm 3

Late update – this was a great share and two rules were created in June to alert on this activity.

2063161 - ET INFO Observed Usage of Non-Alphanumeric Javascript Obfuscation M2
2063156 - ET HUNTING Observed Usage of Non-Alphanumeric Javascript Obfuscation M1

Looking forward to the future shares, Kevin. Thanks again!

1 Like

Topic		Replies	Views	Activity
SIGS: ET HUNTING Possible Obfuscated PowerShell Script Download Rule Signatures	2	90	May 19, 2025
SIG: ET MALWARE Possible Gremlin InfoStealer Data Upload Rule Signatures	2	86	April 29, 2025
ET MALWARE JavaScript Loader Associated With Interlock Ransomware Rule Signatures	1	93	May 12, 2025
Ruleset Update Summary - 2024/11/29 - v10762 Ruleset Updates	0	34	November 29, 2024
Possible FP - JA3 Hash - [Abuse.ch] Possible Adware Rule Signatures etopen	1	362	August 1, 2023