Unibank Phishing Kit NJdEmH

Detects a phishing kit targeting Unibank. Unibank is one of the largest private banks established in Azerbaijan. Threat actors working with this phishing kit appear to be coming from Ukraine (EVEREST AS49223).

References

IOK Rule (edit)

title: Unibank Phishing Kit NJdEmH
description: |
    Detects a phishing kit targeting Unibank. Unibank is one of the largest private banks established in Azerbaijan.
    Threat actors working with this phishing kit appear to be coming from Ukraine (EVEREST AS49223).


references:
    - https://unibank.az/
    - https://urlscan.io/result/449e4d19-254f-487b-a911-65986cf99384/
    - https://urlscan.io/result/ae412a17-f89b-4f4b-99df-de652b4ddcb9/
    - https://urlscan.io/result/6dab8fb5-4667-4ddd-8a28-c4bfc1ff86ec/

detection:

    title:
      html|contains:
        - <title>UNÄ°BANK</title>

    form:
      html|contains:
        - form name="form" id="form" method="post" action="indexSend.php" autocomplete="off" onsubmit="return validation()"

    facebookDomainVerification:
      html|contains:
        - meta name="facebook-domain-verification" content="atzt8tk6o7zuo0wjw3fgp66oqag9uq"


    condition: title and form and facebookDomainVerification

tags:
  - kit
  - target.unibank
  - target_country.azerbaijan