Banco Galicia Phishing Kit bd53a32

Detects a Banco Galicia phishing kit deployed quite often on replit.com.

References

Recent Detections


IOK Rule

title: Banco Galicia Phishing Kit bd53a32
description: |
    Detects a Banco Galicia phishing kit deployed quite often on `replit.com`.
    
references:
    - https://urlscan.io/result/bd53a324-fc80-4bd5-801e-e9b3f10f3564
    - https://urlscan.io/result/c88ca20b-ab76-415e-90b5-08f36fcacedd

detection:

    formDefinition:
      html|contains: '<form action="secure.php" method="post" id="form1">'

    credentialFieldNames:
      html|contains|all:
        - 'name="sol"'
        - 'name="nahual"'
        - 'name="chaneque"'
    condition: formDefinition and credentialFieldNames

tags:
  - target.bancogalicia
  - target_country.argentina
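As an added illustration (not IOK's own evaluator and not code from this page), the following Python implements the detection section of the rule above: the `html|contains` and `html|contains|all` selection keys this rule uses, a simple and/or/not condition evaluator, and a run over two constructed page bodies. It assumes `contains` is a plain, case-sensitive substring test.

```python
from typing import Dict, List, Union

# The detection section of the rule above, transcribed as Python data.
DETECTION: Dict[str, Dict[str, Union[str, List[str]]]] = {
    "formDefinition": {
        "html|contains": '<form action="secure.php" method="post" id="form1">',
    },
    "credentialFieldNames": {
        "html|contains|all": ['name="sol"', 'name="nahual"', 'name="chaneque"'],
    },
}
CONDITION = "formDefinition and credentialFieldNames"


def eval_selection(selection: Dict[str, Union[str, List[str]]], html: str) -> bool:
    """Every key in a selection must hold; a list without |all matches if any value is present."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        if field != "html" or "contains" not in modifiers:
            raise ValueError(f"unsupported selection key: {key}")  # only what this rule needs
        values = needles if isinstance(needles, list) else [needles]
        hits = [value in html for value in values]  # case-sensitive substring test (assumption)
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """'and' binds tighter than 'or'; 'not' negates one selection name. No parentheses."""
    def term(text: str) -> bool:
        negate = text.startswith("not ")
        name = text[4:].strip() if negate else text.strip()
        if name not in results:
            raise ValueError(f"condition references unknown selection: {name}")
        return results[name] != negate
    return any(all(term(t) for t in clause.split(" and ")) for clause in condition.split(" or "))


def rule_matches(html: str) -> bool:
    """Apply the rule to one fetched page body: evaluate each selection, then the condition."""
    results = {name: eval_selection(sel, html) for name, sel in DETECTION.items()}
    return eval_condition(CONDITION, results)


# Constructed sample bodies, not real captures. The second reuses the form tag but not the
# kit's field names, so only formDefinition fires and the rule correctly stays silent.
KIT_PAGE = ('<html><body><form action="secure.php" method="post" id="form1">'
            '<input name="sol"><input name="nahual"><input name="chaneque"></form></body></html>')
PARTIAL_PAGE = ('<form action="secure.php" method="post" id="form1">'
                '<input name="user"><input name="pass"></form>')

if __name__ == "__main__":
    print(rule_matches(KIT_PAGE), rule_matches(PARTIAL_PAGE))  # True False
```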