From 70be203b4a7d5ed6989ac22cb6445d80bfb9678d Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 7 Nov 2023 09:24:07 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80Create=20IOK:=20fauxmoralis-6a3cac2?=
 =?UTF-8?q?1=20&=20facebook-d47226ee=20(#223)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 🚀Create IOK: fauxmoralis-6a3cac21

Create fauxmoralis-6a3cac21.yml

* 🚀Create IOK: facebook-d47226ee

Create facebook-d47226ee.yml

* ✨Update facebook-d47226ee

Use end of filename as it has a higher chance of being unique
---
 indicators/facebook-d47226ee.yml | 27 +++++++++++++++++++++++++++
 indicators/fauxmoralis-6a3cac21.yml | 23 +++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 indicators/facebook-d47226ee.yml
 create mode 100644 indicators/fauxmoralis-6a3cac21.yml

diff --git a/indicators/facebook-d47226ee.yml b/indicators/facebook-d47226ee.yml
new file mode 100644
index 00000000..0c0fd153
--- /dev/null
+++ b/indicators/facebook-d47226ee.yml
@@ -0,0 +1,27 @@
+title: Facebook Phishing Kit d47226ee
+description: |
+ Facebook (Meta for Business) phishing kit
+ that communicates with a master server/API
+ in order to exfiltrate credentials entered.
+
+ This kit has several anti analysis capabilities,
+ such as being able to redirect to a non-existent
+ domain if the organization owning the IP address
+ of the viewer is part of a pre-defined list, which
+ is defined in the javascript code.
+
+references:
+ - https://urlscan.io/result/d47226ee-0e03-4978-a9b8-1719ed43cfa4
+ - https://urlscan.io/result/3291f27f-c62d-4713-877c-91e7085af833
+
+detection:
+
+ kitAssets:
+ requests|contains|all:
+ - '62b0718b3254f2a8ab0f.png'
+ - 'montserrat-latin-400-normal.acb6629fe45c43ad5d8b.woff2'
+
+ kitAPI:
+ requests|contains: 'flexflex.online'
+
+ condition: kitAssets and kitAPI
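Review bot: The `kitAPI` selector `requests|contains: 'flexflex.online'` is an unanchored substring match, so a request URL that carries the string in a path segment, a query parameter or a longer hostname that merely ends in it satisfies the selector just as a real call to the master server does, leaving `kitAssets` — two hashed static asset names, the `.woff2` of which follows a common packaged-font naming scheme and is plausibly served by unrelated sites — as the only remaining discriminator. Anchoring on the host boundary, e.g. `requests|contains: '://flexflex.online/'` (assuming requests are recorded with the scheme and a trailing slash), would tie the hit to the domain itself. The `drainerConfigurationDomain` selector in indicators/fauxmoralis-6a3cac21.yml has the same unanchored pattern. This file also ships without a `tags:` list, unlike the fauxmoralis rule in the same commit; adding `tags:` with `  - kit` would keep the two rules consistent and queryable together.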
diff --git a/indicators/fauxmoralis-6a3cac21.yml b/indicators/fauxmoralis-6a3cac21.yml
new file mode 100644
index 00000000..94d6be77
--- /dev/null
+++ b/indicators/fauxmoralis-6a3cac21.yml
@@ -0,0 +1,23 @@
+title: FauxMoralis Crypto Drainer 6a3cac21
+description: |
+ Sites that contact this domain are websites that will
+ drain a user's crypto wallet using a piece of javascript
+ code known as a 'crypto drainer'.
+
+ Due to this domain imitating the real Moralis API it
+ has been named FauxMoralis to reflect this.
+
+references:
+ - https://urlscan.io/result/6a3cac21-e6e5-40a7-984f-c9bcf023b2ed
+ - https://urlscan.io/search/#domain:"moralis-api.zip"
+
+detection:
+
+ drainerConfigurationDomain:
+ requests|contains: 'moralis-api.zip'
+
+ condition: drainerConfigurationDomain
+
+tags:
+ - kit
+ - cryptocurrency
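Review bot: `requests|contains: 'moralis-api.zip'` also matches any request for a file literally named `moralis-api.zip` on an unrelated host, because `.zip` is both the TLD of the indicator domain and an ordinary archive extension, whereas the description commits the rule to "sites that contact this domain". Anchoring the selector on the scheme and host boundary, e.g. `requests|contains: '://moralis-api.zip/'` (assuming requests are recorded with the scheme and a trailing slash), narrows it to the domain itself. A one-line comment above the selector such as `# matched against full request URLs; anchor on '://' to avoid archive-filename hits` would record the reason for the next editor.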