Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on replit.com.

Recent Detections

IOK Rule

title: Banco de la República (eBROU) Phishing Kit g5d6u78z
description: |
    Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit.
    Deployed often on `replit.com`.
references:
  - https://urlscan.io/result/cc2a1241-1e5f-4062-acb8-1f03f0f381ae/
  - https://ebanking.brou.com.uy/frontend/loginStep1

detection:

  form:
    html|contains:
      - action="index2.php"
      
  image:
    requests|contains: 'selectArrowDown.b3a49a7d.svg'

  css:
    html|contains|all:
      - 2.d18bb301.chunk.css
      - main.8d29879f.chunk.css

  condition: (form and css and image) or (form and css)

tags:
  - kit
  - target.bancodelarepublica
  - target_country.uruguay
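
The rule's three selections and its condition, evaluated over constructed page scans. This is an added example, not part of the rule or the scanner's own code. It assumes Sigma-style matching (a list under `contains` matches if any item is present, `contains|all` requires every item) and that `requests` is the list of URLs the page loaded; the `evaluate` function, the sample pages and the `kit.example` host are hypothetical. It also shows that the `image` selection never changes the verdict, because the condition reduces to `form and css`.

```python
# Added example: minimal evaluator for this rule's three selections.
# Assumption: Sigma-style semantics ("contains" list = ANY, "contains|all" = EVERY).

FORM_ACTION = 'action="index2.php"'
IMAGE_NAME = "selectArrowDown.b3a49a7d.svg"
CSS_CHUNKS = ("2.d18bb301.chunk.css", "main.8d29879f.chunk.css")


def evaluate(html, requests):
    """Return per-selection results and the rule verdict for one page scan."""
    form = FORM_ACTION in html
    image = any(IMAGE_NAME in url for url in requests)
    css = all(chunk in html for chunk in CSS_CHUNKS)
    # condition: (form and css and image) or (form and css)
    matched = (form and css and image) or (form and css)
    return {"form": form, "image": image, "css": css, "matched": matched}


# Constructed sample pages (not captured from any real site).
KIT_PAGE = """<html><head>
<link href="/static/css/2.d18bb301.chunk.css" rel="stylesheet">
<link href="/static/css/main.8d29879f.chunk.css" rel="stylesheet">
</head><body><form method="post" action="index2.php">
<input name="user"><input type="submit"></form></body></html>"""

# Same stylesheets, different form action: the form selection must fail.
OTHER_PAGE = KIT_PAGE.replace('action="index2.php"', 'action="/login"')

# Constructed request list for a scan that loaded the dropdown arrow image.
KIT_REQUESTS = ["https://kit.example/static/media/selectArrowDown.b3a49a7d.svg"]

if __name__ == "__main__":
    cases = [
        ("kit page, image requested", KIT_PAGE, KIT_REQUESTS),
        ("kit page, image not requested", KIT_PAGE, []),
        ("same CSS, different form action", OTHER_PAGE, KIT_REQUESTS),
    ]
    for name, html, reqs in cases:
        print(f"{name}: {evaluate(html, reqs)}")
```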