Detects a BbyStealer dropper website.
BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'.
It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'.
title: BbyStealer Dropper Website aeed70a
description: |
Detects a BbyStealer dropper website.
BbyStealer is a JavaScript-based information
stealer created by a threat actor called 'brunxkd'.
It usually comes packed as an executable (standalone or in an archive)
on fake video game websites (which this rule should detect),
these URLs are spread by users of this stealer (or compromised accounts)
via Discord messages asking victims to 'test' their game for them,
as they masquerade as a 'game developer'.
references:
- https://urlscan.io/result/aeed70a9-ed4e-4577-8a88-e0d679411c6f
- https://urlscan.io/result/68b1dc31-d579-4b96-b344-24b6f9562479
detection:
tileColor:
html|contains: '<meta name="msapplication-TileColor" content="#da532c">'
announcementText:
html|contains: 'The game is almost finished, so we are testing our game as beta right now, we are having it done, but we believe that we will get out of the beta version very soon..'
announcementTitle:
html|contains: '<h3 style="margin-left: 0;"> [📢] ANNOUNCE [📢]'
elementClasses:
html|contains|all:
- 'home-img'
- 'bot-description'
- 'botname'
customJSFiles:
html|contains|all:
- 'main.js'
- 'commands.js'
condition: tileColor and announcementText and announcementTitle and elementClasses and customJSFiles
tags:
- malware
- malware.bbystealer