Bookmark Grabber f6a19cec

Detects a phishing page that uses the disguise of a Wick Bot verification in order to install a malicious bookmark that steals the victim's discord token.

References

https://urlscan.io/result/f6a19cec-fcab-4331-8a96-42d9654c0768
https://urlscan.io/result/75519f83-1671-4065-9bf7-5de0c8ddd25b

IOK Rule (edit)

title: Bookmark Grabber f6a19cec
description: |
    Detects a phishing page that uses the disguise of a Wick Bot
    verification in order to install a malicious bookmark that steals
    the victim's discord token.
    
references:
  - https://urlscan.io/result/f6a19cec-fcab-4331-8a96-42d9654c0768
  - https://urlscan.io/result/75519f83-1671-4065-9bf7-5de0c8ddd25b

detection:

  randomString:
    dom|contains: '321AAAQAA123'

  exfilPage:
    dom|contains: 'x.html'

  condition: randomString and exfilPage

tags:
  - target.wick_bot