BbyStealer Dropper Website aeed70a

Detects a BbyStealer dropper website.

BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'.

It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'.

References

IOK Rule (edit)

title: BbyStealer Dropper Website aeed70a
description: |
    Detects a BbyStealer dropper website.
    
    BbyStealer is a JavaScript-based information 
    stealer created by a threat actor called 'brunxkd'.
    
    It usually comes packed as an executable (standalone or in an archive)
    on fake video game websites (which this rule should detect), 
    these URLs are spread by users of this stealer (or compromised accounts) 
    via Discord messages asking victims to 'test' their game for them, 
    as they masquerade as a 'game developer'.

references:
    - https://urlscan.io/result/aeed70a9-ed4e-4577-8a88-e0d679411c6f
    - https://urlscan.io/result/68b1dc31-d579-4b96-b344-24b6f9562479

detection:

    tileColor:
      html|contains: '<meta name="msapplication-TileColor" content="#da532c">'

    announcementText: 
      html|contains: 'The game is almost finished, so we are testing our game as beta right now, we are having it done, but we believe that we will get out of the beta version very soon..'

    announcementTitle:
      html|contains: '<h3 style="margin-left: 0;"> [📢] ANNOUNCE [📢]'

    elementClasses:
      html|contains|all:
        - 'home-img'
        - 'bot-description'
        - 'botname'

    customJSFiles:
      html|contains|all:
        - 'main.js'
        - 'commands.js'

    condition: tileColor and announcementText and announcementTitle and elementClasses and customJSFiles

tags:
  - malware
  - malware.bbystealer