🚀 Create IOK: icloud-467ab986 (#238)

* 🚀 Create IOK: icloud-467ab986 * Update and rename icloud-467ab986.yml to apple-icloud-467ab986.yml --------- Co-authored-by: IlluminatiFish <[email protected]>
phish-report · Feb 4, 2024 · 3539e89 · 3539e89
1 parent d51b8fd
commit 3539e89
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/indicators/apple-icloud-467ab986.yml b/indicators/apple-icloud-467ab986.yml
@@ -0,0 +1,29 @@
+title: Apple iCloud Phishing Kit 467ab986
+description: |
+    An Apple iCloud Phishing Kit appearing in English and Spanish.
+    This looks for file name references of a stylesheet, title styling and a loader image.
+
+references:
+  - https://urlscan.io/result/467ab986-22c1-466a-a9b4-173f6bd75205/
+  - https://urlscan.io/result/ec2b7fc2-7906-4f72-9f00-c8b35e6d6328/
+  - https://urlscan.io/result/e8eb17de-97c5-4e0a-a755-984208e6c35e/
+  - https://urlscan.io/result/224947d7-24c8-4c5f-b67c-236b150e87c2/
+  - https://urlscan.io/result/a40f91d6-fd26-4094-b9c6-70976c0df9d2/
+  - https://urlscan.io/search/#(filename%3A%22assets%2Flayout%2Fapple.css%22)%20AND%20(filename%3A%22assets%2Fimg%2Fajax-loader.gif%22)
+
+detection:
+    stylesheet:
+        html|contains: "href=\"assets/layout/apple.css\""
+
+    titleClassStyle:
+        html|contains: ".Estilo2"
+
+    imageAjaxLoader:
+        html|contains: "src=\"assets/img/ajax-loader.gif\""
+
+    condition: stylesheet and titleClassStyle and imageAjaxLoader
+
+tags:
+    - kit
+    - target.icloud
+    - target.apple