Banco de Galicia Phishing Kit vyk7k7oo

Detects a different Banco de Galicia phishing kit, often deployed on replit.com. This kit uses JavaScript to dynamically load the login form HTML after the visitor clicks on an SVG.

Recent Detections


IOK Rule

title: Banco de Galicia Phishing Kit vyk7k7oo
description: |
    Detects a different Banco de Galicia phishing kit, often deployed on `replit.com`.
    This kit uses JavaScript to dynamically load the login form HTML after the visitor clicks on an SVG.
    
references:
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192
    - https://urlscan.io/result/55813f6a-a910-461a-a0d2-0bae4574ae92/
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192/

detection:

    script:
      html|contains:
        - src="js/scrp.js"

    img:
      html|contains|all:
        - src="im/lg-gal.svg"
        - src="im/on-bn.svg"
        - class="lg-gal

    condition: script and img

tags:
  - target.bancogalicia
  - target_country.argentina
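As an added example (not the IOK project's own matcher), the following Python evaluates this rule's detection block against two constructed HTML pages. It assumes the selector semantics as read from the rule (`html|contains` matches if any listed substring is present, `html|contains|all` requires all of them) and supports only flat and/or/not conditions.

```python
# Added example, not the IOK project's code. Semantics assumed from the rule:
# `html|contains` = any listed substring present, `contains|all` = all present.
RULE = {  # the rule's detection block, transcribed as Python data
    "script": {"html|contains": ['src="js/scrp.js"']},
    "img": {"html|contains|all": [
        'src="im/lg-gal.svg"', 'src="im/on-bn.svg"', 'class="lg-gal']},
    "condition": "script and img",
}

# Constructed sample pages, not captured kit content.
KIT_PAGE = """<html><body>
<script src="js/scrp.js"></script>
<img src="im/lg-gal.svg" class="lg-gal-logo">
<img src="im/on-bn.svg" class="on-bn">
</body></html>"""
PARTIAL_PAGE = """<html><body>
<script src="js/scrp.js"></script>
<img src="im/lg-gal.svg" class="logo">
</body></html>"""


def match_selector(html: str, selector: dict) -> bool:
    """True if every field in the selector matches: with the `all` modifier
    every listed substring must be present, otherwise one is enough."""
    for key, needles in selector.items():
        field, *modifiers = key.split("|")
        if field != "html" or "contains" not in modifiers:
            raise ValueError(f"unsupported selector: {key}")
        hits = [needle in html for needle in needles]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def evaluate(html: str, rule: dict = RULE) -> bool:
    """Evaluate `condition` over the named selectors (precedence
    not > and > or; parentheses are not handled in this example)."""
    results = {name: match_selector(html, sel)
               for name, sel in rule.items() if name != "condition"}

    def term(tok: str) -> bool:
        tok = tok.strip()
        return not results[tok[4:].strip()] if tok.startswith("not ") else results[tok]

    return any(all(term(t) for t in clause.split(" and "))
               for clause in rule["condition"].split(" or "))


if __name__ == "__main__":
    print("kit page:", evaluate(KIT_PAGE), "partial page:", evaluate(PARTIAL_PAGE))
```

The partial page carries the loader script but only one of the three image markers, so `img` fails and the `and` condition keeps the rule from firing on it.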