Create: 3 IOKs for common Steam phishing kits #212

Merged
merged 31 commits into from
May 20, 2024
5455ecc
Create csgo2beta-videos.yml
PCPisChill Jul 29, 2023
0a6649f
Create steam-auronplay.yml
PCPisChill Jul 29, 2023
36a05c0
Create steam-getsiteconfig.yml
PCPisChill Jul 29, 2023
bd9c269
Create steam-metrica.yml
PCPisChill Jul 29, 2023
0a28cca
Update steam-metrica.yml
PCPisChill Aug 16, 2023
70e1971
Update steam-getsiteconfig.yml
IlluminatiFish Sep 14, 2023
43060fb
Update csgo2beta-videos.yml
IlluminatiFish Sep 18, 2023
3a6fa0d
Update steam-auronplay.yml
IlluminatiFish Sep 18, 2023
d1dd5a2
Update steam-metrica.yml
IlluminatiFish Sep 18, 2023
f26adbb
Merge branch 'main' into steam-phish
bradleyjkemp Oct 27, 2023
903ac2d
Update csgo2beta-videos.yml
PCPisChill Nov 25, 2023
4755cc7
Update steam-metrica.yml
PCPisChill Nov 25, 2023
229a9b3
Update csgo2beta-videos.yml
PCPisChill Nov 25, 2023
9f48b7f
Update steam-auronplay.yml
PCPisChill Nov 26, 2023
4f82b3e
Update steam-getsiteconfig.yml
PCPisChill Nov 26, 2023
8273e1c
✨Update and rename steam-auronplay.yml to steam-ee34fa99.yml
IlluminatiFish Nov 26, 2023
8e2d0ea
✨Update steam-ee34fa99
IlluminatiFish Nov 26, 2023
0d992df
Update and rename csgo2beta-videos.yml to steam-de077e20.yml
IlluminatiFish May 20, 2024
cb18c20
Update and rename steam-getsiteconfig.yml to steam-732d40f3.yml
IlluminatiFish May 20, 2024
29dc4ee
Delete indicators/steam-metrica.yml
IlluminatiFish May 20, 2024
77cb5e0
Update steam-732d40f3.yml
IlluminatiFish May 20, 2024
9899e66
Update steam-732d40f3.yml
IlluminatiFish May 20, 2024
a7dce31
Update steam-732d40f3.yml
IlluminatiFish May 20, 2024
cdfacb5
Update steam-de077e20.yml
IlluminatiFish May 20, 2024
2afe5f5
Update steam-ee34fa99.yml
IlluminatiFish May 20, 2024
bacd1e3
Update steam-de077e20.yml
IlluminatiFish May 20, 2024
440d5b4
Update steam-ee34fa99.yml
IlluminatiFish May 20, 2024
998ce85
Update steam-de077e20.yml
IlluminatiFish May 20, 2024
c8bc8e6
Update steam-ee34fa99.yml
IlluminatiFish May 20, 2024
c5807f4
Update steam-de077e20.yml
IlluminatiFish May 20, 2024
8369d6e
Update steam-de077e20.yml
IlluminatiFish May 20, 2024
29 changes: 29 additions & 0 deletions indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
title: Steam Phishing Kit 732d40f3
description: |
Detects Steam phishing pages that obtain their template
configuration from `/api/getsiteconfig`
references:
- https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
- https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
- https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
- https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
- https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
- https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
- https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118

detection:

siteConfiguration:
requests|contains: "/api/getsiteconfig/"

loadedIFrame:
dom|contains: '<iframe id="iframe" title="main" name="site" style="height: 0px; width: 0px; border: 0px; outline: none; z-index: 1000;"></iframe>'

footerMessage:
dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'

condition: siteConfiguration and loadedIFrame and footerMessage

tags:
- target.steam
- threat_actor_country.russia
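Review bot: the `loadedIFrame` and `footerMessage` selectors match the entire serialized `<iframe>` and `<div>` elements, inline style strings included, so a reordered style property, a changed dimension, or a whitespace difference in the kit's next build breaks the match even though the kit itself is unchanged. Consider narrowing each `dom|contains` to the distinctive fragments, for example `id="iframe" title="main" name="site"` and `font-family: &quot;Support Assets&quot;`, and keeping the three-way `and` in `condition` for precision. The description also says the template configuration comes from `/api/getsiteconfig` while the selector matches `"/api/getsiteconfig/"` with a trailing slash; align the two so a reader knows which path form the kit actually requests.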
24 changes: 24 additions & 0 deletions indicators/steam-de077e20.yml
@@ -0,0 +1,24 @@
title: Steam Phishing Kit de077e20
description: |
Detects a Steam phishing kit that uses a fake Steam login window
to steal user credentials and Counter Strike 2 Beta Access as bait.
references:
- https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
- https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
- https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4

detection:

title:
title: "Counter-Strike 2 | Limited Test"

assets:
requests|endswith|all:
- '9d7ecea.js'
- 'c9d2021.js'

condition: title and assets

tags:
- target.steam
- threat_actor_country.russia
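Review bot: the `assets` selector pins the rule to two specific script filenames, `9d7ecea.js` and `c9d2021.js`, and nothing in `description` records what those files are; short hexadecimal names like these look like bundler output hashes, which change whenever the kit is rebuilt, so this half of the condition is likely to go stale while the `title` half stays generic. Add a line to `description` saying which assets these are so a maintainer knows what to re-check when they stop matching, and consider renaming the first selection from `title` to something like `pageTitle` so the selection name and the `title` field inside it are not the same word. Minor: the description reads more clearly as "steals user credentials, using Counter-Strike 2 Beta access as bait".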
26 changes: 26 additions & 0 deletions indicators/steam-ee34fa99.yml
@@ -0,0 +1,26 @@
title: Steam Phishing Kit ee34fa99
description: |
A Steam phishing kit that uses a fake Steam login
window to steal user credentials and 50/100$ gift
cards as bait.

references:
- https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
- https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f

detection:

saleBannerGif:
requests|contains: 'https://s12.gifyu.com/images/'

siteMetrics:
requests|contains: 'metrica.php'

giftFrom:
html|contains: 'auronplay'

condition: siteMetrics and saleBannerGif and giftFrom

tags:
- target.steam
- threat_actor_country.russia
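Review bot: the `saleBannerGif` selector anchors on `s12.gifyu.com`, a numbered subdomain of a third-party image host; if the kit re-uploads its banner and the host serves it from a different subdomain the match fails, and on its own the selector would also match any unrelated page that embeds an image from that host. Since `condition` already requires `siteMetrics` and `giftFrom` as well, loosening it to `requests|contains: 'gifyu.com/images/'` keeps the precision of the conjunction while removing the dependence on the subdomain. Style: this file has a blank line between `description` and `references` that the other two rules do not, the condition lists the selections in a different order than they are defined (`siteMetrics and saleBannerGif and giftFrom`), and "50/100$ gift cards" reads better as "$50 or $100 gift cards".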