Nuevo Banco del Chaco Phishing Kit ri0z68ca

Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appears in this kit. Deployed often on replit.com.

References

https://urlscan.io/result/060511f7-f141-44ec-b2f6-d3801c6c76a3/
https://hb.redlink.com.ar/nbch/login.htm

IOK Rule (edit)

title: Nuevo Banco del Chaco Phishing Kit ri0z68ca
description: |
    Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appears in this kit.
    Deployed often on replit.com.
references:
  - https://urlscan.io/result/060511f7-f141-44ec-b2f6-d3801c6c76a3/
  - https://hb.redlink.com.ar/nbch/login.htm

detection:

  form:
    html|contains:
      - action="now.php"

  csrf:
    html|contains|all:
      - 12-4-90A98F803C403A735F6BC70078D90D82
      - 12-6-90A98F803C403A735F6BC70078D90D82

  condition: form and csrf

tags:
  - kit
  - target.nuevobancodelchaco
  - target_country.argentina