Create: 3 IOKs for common Steam phishing kits (#212)

* Create csgo2beta-videos.yml * Create steam-auronplay.yml * Create steam-getsiteconfig.yml * Create steam-metrica.yml * Update steam-metrica.yml Fixed detection field name * Update steam-getsiteconfig.yml Remove overlapping reference * Update csgo2beta-videos.yml Remove invalid reference * Update steam-auronplay.yml Remove invalid reference * Update steam-metrica.yml Remove invalid reference * Update csgo2beta-videos.yml Fix failed to match (added case insensitive title check) https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb * Update steam-metrica.yml Fix metrica.php request * Update csgo2beta-videos.yml Use (?i) instead of /i * Update steam-auronplay.yml Updated 'giftFromAuronplay' to regex ignoring "<span></span>"s between string. * Update steam-getsiteconfig.yml Added new example * ✨Update and rename steam-auronplay.yml to steam-ee34fa99.yml Update rule detection logic & name * ✨Update steam-ee34fa99 Remove dynamic filename from sale banner GIF detection string * Update and rename csgo2beta-videos.yml to steam-de077e20.yml Simplify rule logic, fix rule and file name * Update and rename steam-getsiteconfig.yml to steam-732d40f3.yml Modify detection logic to use more robust flags * Delete indicators/steam-metrica.yml Remove redundant rule * Update steam-732d40f3.yml * Update steam-732d40f3.yml * Update steam-732d40f3.yml * Update steam-de077e20.yml * Update steam-ee34fa99.yml * Update steam-de077e20.yml * Update steam-ee34fa99.yml * Update steam-de077e20.yml * Update steam-ee34fa99.yml * Update steam-de077e20.yml * Update steam-de077e20.yml --------- Co-authored-by: IlluminatiFish <[email protected]> Co-authored-by: Bradley Kemp <[email protected]>
phish-report · May 20, 2024 · 052afce · 052afce
1 parent e0754a5
commit 052afce
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 0 deletions.
diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit 732d40f3
+description: |
+    Detects Steam phishing pages that obtain their template
+    configuration from `/api/getsiteconfig` 
+references:
+  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+  - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
+  - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
+  - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
+  - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+  - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
+
+detection:
+
+    siteConfiguration:
+        requests|contains: "/api/getsiteconfig/"
+
+    loadedIFrame:
+        dom|contains: '<iframe id="iframe" title="main" name="site" style="height: 0px; width: 0px; border: 0px; outline: none; z-index: 1000;"></iframe>'
+
+    footerMessage:
+        dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'
+
+    condition: siteConfiguration and loadedIFrame and footerMessage
+
+tags:
+  - target.steam
+  - threat_actor_country.russia
diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
@@ -0,0 +1,24 @@
+title: Steam Phishing Kit de077e20
+description: |
+  Detects a Steam phishing kit that uses a fake Steam login window 
+  to steal user credentials and Counter Strike 2 Beta Access as bait.
+references:
+  - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
+  - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
+  - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
+
+detection:
+
+  title:
+    title: "Counter-Strike 2 | Limited Test"
+
+  assets:
+    requests|endswith|all:
+      - '9d7ecea.js'
+      - 'c9d2021.js'
+
+  condition: title and assets
+
+tags:
+  - target.steam
+  - threat_actor_country.russia
diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
@@ -0,0 +1,26 @@
+title: Steam Phishing Kit ee34fa99
+description: |
+  A Steam phishing kit that uses a fake Steam login 
+  window to steal user credentials and 50/100$ gift 
+  cards as bait.
+
+references:
+  - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
+  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
+
+detection:
+
+  saleBannerGif:
+    requests|contains: 'https://s12.gifyu.com/images/'
+
+  siteMetrics:
+    requests|contains: 'metrica.php'
+
+  giftFrom:
+    html|contains: 'auronplay'
+
+  condition: siteMetrics and saleBannerGif and giftFrom
+
+tags:
+  - target.steam
+  - threat_actor_country.russia