From 052afce5fec3b0c0b71cbc292bdfa63786323403 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Mon, 20 May 2024 05:27:32 -0400
Subject: [PATCH] Create: 3 IOKs for common Steam phishing kits (#212)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Create csgo2beta-videos.yml
* Create steam-auronplay.yml
* Create steam-getsiteconfig.yml
* Create steam-metrica.yml
* Update steam-metrica.yml
Fixed detection field name
* Update steam-getsiteconfig.yml
Remove overlapping reference
* Update csgo2beta-videos.yml
Remove invalid reference
* Update steam-auronplay.yml
Remove invalid reference
* Update steam-metrica.yml
Remove invalid reference
* Update csgo2beta-videos.yml
Fix failed to match (added case insensitive title check) https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
* Update steam-metrica.yml
Fix metrica.php request
* Update csgo2beta-videos.yml
Use (?i) instead of /i
* Update steam-auronplay.yml
Updated 'giftFromAuronplay' to a regex ignoring ""s between strings.
* Update steam-getsiteconfig.yml
Added new example
* ✨Update and rename steam-auronplay.yml to steam-ee34fa99.yml
Update rule detection logic & name
* ✨Update steam-ee34fa99
Remove dynamic filename from sale banner GIF detection string
* Update and rename csgo2beta-videos.yml to steam-de077e20.yml
Simplify rule logic, fix rule and file name
* Update and rename steam-getsiteconfig.yml to steam-732d40f3.yml
Modify detection logic to use more robust flags
* Delete indicators/steam-metrica.yml
Remove redundant rule
* Update steam-732d40f3.yml
* Update steam-732d40f3.yml
* Update steam-732d40f3.yml
* Update steam-de077e20.yml
* Update steam-ee34fa99.yml
* Update steam-de077e20.yml
* Update steam-ee34fa99.yml
* Update steam-de077e20.yml
* Update steam-ee34fa99.yml
* Update steam-de077e20.yml
* Update steam-de077e20.yml
---------
Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Co-authored-by: Bradley Kemp
---
indicators/steam-732d40f3.yml | 29 +++++++++++++++++++++++++++++
indicators/steam-de077e20.yml | 24 ++++++++++++++++++++++++
indicators/steam-ee34fa99.yml | 26 ++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
create mode 100644 indicators/steam-732d40f3.yml
create mode 100644 indicators/steam-de077e20.yml
create mode 100644 indicators/steam-ee34fa99.yml
diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
new file mode 100644
index 00000000..eca94f12
--- /dev/null
+++ b/indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit 732d40f3
+description: |
+ Detects Steam phishing pages that obtain their template
+ configuration from `/api/getsiteconfig`
+references:
+ - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+ - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+ - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
+ - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
+ - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
+ - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+ - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
+
+detection:
+
+ siteConfiguration:
+ requests|contains: "/api/getsiteconfig/"
+
+ loadedIFrame:
+ dom|contains: ''
+
+ footerMessage:
+ dom|contains: 'Hello
'
+
+ condition: siteConfiguration and loadedIFrame and footerMessage
+
+tags:
+ - target.steam
+ - threat_actor_country.russia
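Review bot: `loadedIFrame` uses `dom|contains: ''`, an empty match string, so it matches every page and adds nothing to the condition; the rule effectively reduces to `siteConfiguration and footerMessage`. In the same hunk `footerMessage` is a quoted value broken across two lines (`dom|contains: 'Hello` followed by a lone `'`), which YAML folds into `Hello ` with a trailing space, so both values look like their intended HTML markup was lost. Either restore the exact markup that identifies the injected iframe and the footer greeting, or drop `loadedIFrame` from the condition so the rule does not claim a check it does not make. Minor: the description says `/api/getsiteconfig` while the detection matches `/api/getsiteconfig/` with a trailing slash, and the `threat_actor_country.russia` tag has no supporting note in the description or references.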
diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
new file mode 100644
index 00000000..cbf57a3f
--- /dev/null
+++ b/indicators/steam-de077e20.yml
@@ -0,0 +1,24 @@
+title: Steam Phishing Kit de077e20
+description: |
+ Detects a Steam phishing kit that uses a fake Steam login window
+ to steal user credentials and Counter Strike 2 Beta Access as bait.
+references:
+ - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
+ - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
+ - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
+
+detection:
+
+ title:
+ title: "Counter-Strike 2 | Limited Test"
+
+ assets:
+ requests|endswith|all:
+ - '9d7ecea.js'
+ - 'c9d2021.js'
+
+ condition: title and assets
+
+tags:
+ - target.steam
+ - threat_actor_country.russia
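Review bot: the `title:` selector is an exact match on `"Counter-Strike 2 | Limited Test"`, which drops the case-insensitive check that the commit's earlier `Fix failed to match (added case insensitive title check)` step introduced before `Simplify rule logic` removed it; if a sample varies in casing or spacing the rule silently stops matching. Consider the `contains` modifier used elsewhere in this patch (for example `title|contains: 'Limited Test'`, if the format allows it on `title`) or the `(?i)` regex form the earlier commit used, and record the reason in the description. Separately, `requests|endswith|all` on `9d7ecea.js` and `c9d2021.js` keys the rule on two build-hash-style bundle names that change whenever the kit is rebuilt; a short note in the description on what these bundles are (and that all three referenced scans load both) would let a maintainer recognise a hash rotation rather than conclude the kit is gone.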
diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
new file mode 100644
index 00000000..9234e156
--- /dev/null
+++ b/indicators/steam-ee34fa99.yml
@@ -0,0 +1,26 @@
+title: Steam Phishing Kit ee34fa99
+description: |
+ A Steam phishing kit that uses a fake Steam login
+ window to steal user credentials and 50/100$ gift
+ cards as bait.
+
+references:
+ - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
+ - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
+
+detection:
+
+ saleBannerGif:
+ requests|contains: 'https://s12.gifyu.com/images/'
+
+ siteMetrics:
+ requests|contains: 'metrica.php'
+
+ giftFrom:
+ html|contains: 'auronplay'
+
+ condition: siteMetrics and saleBannerGif and giftFrom
+
+tags:
+ - target.steam
+ - threat_actor_country.russia
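Review bot: `saleBannerGif` matches the literal prefix `https://s12.gifyu.com/images/`, which pins the rule to one numbered subdomain of a public image host; if the same upload is served from a different `sNN` host (the commit message already removed the dynamic filename for a similar reason) this selector fails and the whole `and` condition fails with it. Matching on `gifyu.com/images/` would cover that while `siteMetrics` and `giftFrom` keep the rule specific. Also, `giftFrom` uses `html|contains: 'auronplay'` while the other two rules in this patch use `dom|contains`; the commit message mentions a regex that ignored quotes between the strings, but the final rule is a plain case-sensitive substring, so confirm against both referenced scans that `auronplay` appears in exactly that casing, or state in the description why the simpler form is enough. Style: the blank line between `description` and `references` is absent in the other two files.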