From 691aa905f1a049b0b0d0dfc7d0874a0a125574d1 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Wed, 10 Aug 2022 08:25:51 +0100
Subject: [PATCH] Adds 2 new IOK rules for Santander kits (#55)

* Create santander-85b6cae.yml
* Create santander-951d27d.yml
---
 indicators/santander-85b6cae.yml | 24 ++++++++++++++++++++++++
 indicators/santander-951d27d.yml | 27 +++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 indicators/santander-85b6cae.yml
 create mode 100644 indicators/santander-951d27d.yml

diff --git a/indicators/santander-85b6cae.yml b/indicators/santander-85b6cae.yml
new file mode 100644
index 00000000..aba99ff5
--- /dev/null
+++ b/indicators/santander-85b6cae.yml
@@ -0,0 +1,24 @@
+title: Santander Phishing Kit 85b6cae
+description: |
+  Detects a Santander phishing kit targeting Spanish speaking users.
+
+references:
+  - https://urlscan.io/result/56fb9b2c-e078-4d1d-b8a6-e6e5147e90d3
+  - https://urlscan.io/result/5ccf3cfc-cc1a-432d-a6e2-575f80742672
+
+detection:
+
+  usernameLabelID:
+    html|contains: 'EB8236264AE3C04429B8F46076848E7B'
+
+  passwordLabelID:
+    html|contains: '85B6CAE065D33FEEEB4297826ECB9B2D'
+
+  exfilDestination:
+    html|contains: 'database_setup/routes/process_login.php'
+
+
+  condition: usernameLabelID and passwordLabelID and exfilDestination
+
+tags:
+  - target.santander
diff --git a/indicators/santander-951d27d.yml b/indicators/santander-951d27d.yml
new file mode 100644
index 00000000..80c789d2
--- /dev/null
+++ b/indicators/santander-951d27d.yml
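Review bot: The description of santander-85b6cae.yml does not say what the two 32-character hex strings in usernameLabelID and passwordLabelID are, so a maintainer triaging a false positive or a missed variant cannot tell whether they are stable template artefacts or values that change per deployment; the whole condition hinges on them. I would extend the description block with something like `The two 32-hex values are identifiers found in the kit's login page markup and the exfil path is the handler the login form submits to (both observed in the referenced urlscan captures)` — hedged, since the hunk itself does not show where in the page they occur. It is also worth stating in the description that `database_setup/routes/process_login.php` is only matched as a substring of the HTML, not verified as the form action, so a page merely mentioning that path would satisfy exfilDestination.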
@@ -0,0 +1,27 @@
+title: Santander Phishing Kit 951d27d
+description: |
+  Detects a Santander phishing kit targeting Spanish speaking users.
+
+references:
+  - https://urlscan.io/result/d7f3f389-d10b-4b83-a45c-ba7f8ec54035
+  - https://urlscan.io/result/1c849740-38f2-4442-94f8-bf2147cc587e
+
+detection:
+
+  cloneTimestamp:
+    requests|contains: '?v=1655293257536'
+
+  usernameLabelID:
+    html|contains: '47563B2825160654ADB2CC97CE152AF3'
+
+  passwordLabelID:
+    html|contains: '951D27D1CD8413E25C1D61149F928D85'
+
+  exfilDestination:
+    html|contains: '/atualiza'
+
+
+  condition: cloneTimestamp and usernameLabelID and passwordLabelID and exfilDestination
+
+tags:
+  - target.santander
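Review bot: Making cloneTimestamp mandatory in the condition of santander-951d27d.yml makes the rule brittle: `?v=1655293257536` looks like a cache-busting query string baked into the clone at the time it was captured, and any re-clone or re-save of the same kit will carry a different value, so the rule would go silent while the two 32-hex IDs still match. I would loosen the condition to `condition: usernameLabelID and passwordLabelID and (exfilDestination or cloneTimestamp)` so the hex IDs carry the specificity and the other two indicators only corroborate. Separately, `/atualiza` is the Portuguese spelling (Spanish would be "actualiza"), which suggests a Brazil-targeted Santander kit rather than a Spanish-speaking audience as the description claims; please confirm against the referenced urlscan captures and correct the description if so, since that field is what analysts use to pick the right rule.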