Cazanova phishing kit

Cazanova is the alias of a prolific phishing kit creator. Lucky for us, they like to sign their work by using cazanova for their cookie name rather than the default PHPSESSID, which makes it simple to identify their work.

References

  • https://www.wmcglobal.com/blog/cazanova-morphine-kit-deep-dive

Recent Detections

  • hxxps://customersactionrequired17-tk[.]preview-domain[.]com/NuCI...
  • hxxps://customersactionrequired17-tk[.]preview-domain[.]com/NuCI...
  • hxxps://customersactionrequired17-tk[.]preview-domain[.]com/NuCI...
  • hxxp://bahamamouz[.]ir/newmetamask/authen
  • hxxps://bank0famericasec01[.]ddns[.]net
  • hxxp://rosevillegaragedoorservicescom[.]bigscoots-staging[.]com/...
  • hxxps://rosevillegaragedoorservicescom[.]bigscoots-staging[.]com...
  • hxxps://wllz-online-sysstem-com[.]preview-domain[.]com/wells/
  • hxxps://wllz-online-sysstem-com[.]preview-domain[.]com/wells/aut...
  • hxxp://veryshort[.]ir/ff049/

IOK Rule

title: Cazanova phishing kit
description: |
  Cazanova is the alias of a prolific phishing kit creator.
  Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`, which makes it simple to identify their work.
references:
  - https://www.wmcglobal.com/blog/cazanova-morphine-kit-deep-dive

detection:
  cazanovaCookie:
    cookies|startswith: "cazanova="

  condition: cazanovaCookie

tags:
  - threat_actors.cazanova
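The rule above reduces to one check: does any cookie the page sets begin with `cazanova=` rather than the stock `PHPSESSID`? The following Python is an added example written for this page, not code from phish.report, the IOK project or the kit itself. It mirrors the `cookies|startswith` condition against the Set-Cookie headers of an HTTP response, as a list of (name, value) pairs such as `http.client`'s `HTTPResponse.getheaders()` returns. The sample responses are constructed for illustration and are not captures from any of the listed URLs.

```python
"""
Detect the Cazanova phishing kit's custom session cookie in HTTP responses.

Added example mirroring the IOK rule `cookies|startswith: "cazanova="`.
Headers are modelled as (name, value) pairs so the check can be fed from
http.client, requests (`response.raw.headers.items()`) or a stored capture.
"""
from typing import Iterable, List, Tuple

CAZANOVA_COOKIE = "cazanova"                 # the kit's cookie name, from the rule
CAZANOVA_PREFIX = CAZANOVA_COOKIE + "="      # what the rule's startswith compares against
DEFAULT_PHP_SESSION = "PHPSESSID"            # what an unmodified PHP app would set instead

Header = Tuple[str, str]


def set_cookie_values(headers: Iterable[Header]) -> List[str]:
    """Collect every Set-Cookie value, preserving order; header names are
    matched case-insensitively because servers vary in casing."""
    return [value for name, value in headers if name.lower() == "set-cookie"]


def cookie_pair(set_cookie: str) -> Tuple[str, str]:
    """Split one Set-Cookie value into (name, value), dropping attributes
    such as Path or HttpOnly that follow the first ';'."""
    first = set_cookie.split(";", 1)[0].strip()
    name, _, value = first.partition("=")
    return name.strip(), value.strip()


def cazanova_cookie_present(headers: Iterable[Header]) -> bool:
    """Equivalent of `cookies|startswith: "cazanova="`: true if any Set-Cookie
    value begins with the kit's cookie name. The comparison is case-sensitive,
    matching the rule as written (cookie names are case-sensitive in practice)."""
    return any(value.lstrip().startswith(CAZANOVA_PREFIX)
               for value in set_cookie_values(headers))


def classify_session_cookie(headers: Iterable[Header]) -> str:
    """Summarise which session cookie a response sets, for triage notes:
    'cazanova', 'phpsessid', 'other' (cookies set but neither) or 'none'."""
    names = [cookie_pair(value)[0] for value in set_cookie_values(headers)]
    if CAZANOVA_COOKIE in names:
        return "cazanova"
    if DEFAULT_PHP_SESSION in names:
        return "phpsessid"
    return "other" if names else "none"


# Constructed sample responses (hypothetical values, not real captures).
KIT_LIKE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "cazanova=8f3a1c2e9b; path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; path=/"),
]
STOCK_PHP_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=0123abcd; path=/"),
]
NO_COOKIE_RESPONSE: List[Header] = [("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in [("kit-like", KIT_LIKE_RESPONSE),
                        ("stock php", STOCK_PHP_RESPONSE),
                        ("no cookies", NO_COOKIE_RESPONSE)]:
        print(f"{label:10s} cazanova={cazanova_cookie_present(hdrs)} "
              f"session={classify_session_cookie(hdrs)}")
```

A cookie named `cazanova_x` or one merely containing the string elsewhere in its value does not match, exactly as the rule's prefix check would not; only the first `name=` token of each Set-Cookie line is considered.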