Create indicator: Chenlun Phishing Kit 88426540 (#235)

* add yml * Update and rename rakuten-88426540.yml to Config-88426540.yml Detect phishing sites that use ResourceRedConfig.js and urlConfig.json * Update Config-88426540.yml fix * Update and rename Config-88426540.yml to chenlun-88426540.yml --------- Co-authored-by: masaomi346 <[email protected]> Co-authored-by: IlluminatiFish <[email protected]>
phish-report · Feb 9, 2024 · ba530e3 · ba530e3
1 parent 3539e89
commit ba530e3
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/indicators/chenlun-88426540.yml b/indicators/chenlun-88426540.yml
@@ -0,0 +1,30 @@
+title: Chenlun Phishing Kit 88426540
+description: |
+    Detect phishing sites that contain two distinctive
+    files named ResourceRedConfig.js and urlConfig.json.
+
+    These files are indicative of a phishing kit developed
+    by a Chinese threat actor named Chenlun.
+references:
+  - https://urlscan.io/result/88426540-8f66-4fe2-b8f2-526e7025ace7
+  - https://urlscan.io/result/05189f5c-f969-45da-a6fd-d3fec490f0f7
+  - https://urlscan.io/result/d4886a4c-114a-4a0a-9b07-614fddc6171f
+  - https://www.domaintools.com/resources/blog/merry-phishmas-beware-us-postal-service-phishing-during-the-holidays/
+  - https://g0njxa.medium.com/chenlun-a-worldwide-phishing-carding-campaigns-provider-a45c4fed6d1b
+
+detection:
+
+    configScript:
+        requests|contains: 'ResourceRedConfig.js'
+
+    urlConfig:
+        requests|endswith: '/ResourceConfig/urlConfig.json'
+
+    condition: configScript and urlConfig
+
+tags:
+  - kit
+  - threat_actor_country.china
+  - threat_actor.chenlun
+  - target_country.global
+