From cb18c20112404d7dab519d8abd5b65648c983115 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:03:17 +0100
Subject: [PATCH] Update and rename steam-getsiteconfig.yml to steam-732d40f3.yml
Modify detection logic to use more robust flags
---
indicators/steam-732d40f3.yml | 29 +++++++++++++++++++++++++++++
indicators/steam-getsiteconfig.yml | 29 -----------------------------
2 files changed, 29 insertions(+), 29 deletions(-)
create mode 100644 indicators/steam-732d40f3.yml
delete mode 100644 indicators/steam-getsiteconfig.yml
diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
new file mode 100644
index 00000000..d13416b5
--- /dev/null
+++ b/indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit 732d40f3
+description: |
+ Detects Steam phishing pages that obtain their template
+ configuration from `/api/getsiteconfig`
+references:
+ - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+ - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+ - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
+ - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
+ - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
+ - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+ - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
+
+detection:
+
+ siteConfiguration:
+ requests|contains: "/api/getsiteconfig/"
+
+ loadedIFrame:
+ dom|contains: ''
+
+ footerMessage:
+ dom|contains: '
Hello
'
+
+ condition: siteConfiguration and loadedIFrame and footerMessage
+
+tags:
+ - target.steam
+ - threat_actor_country.russia
diff --git a/indicators/steam-getsiteconfig.yml b/indicators/steam-getsiteconfig.yml
deleted file mode 100644
index 7b95bdfb..00000000
--- a/indicators/steam-getsiteconfig.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Steam Phishing Kit getsiteconfig
-
-description: |
- Steam Phishing Kit with obfuscated javascript pages that use a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
-
-references:
- - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
- - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
- - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
- - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
- - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
- - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
- - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
-
-detection:
-
- getSiteConfigJson:
- requests|contains: '/api/getsiteconfig/'
-
- viewportAndScriptElems:
- html|contains|all:
- - '' - '
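Review bot: The `condition` requires all three selectors, so a kit variant that still issues the `/api/getsiteconfig/` request but changes its iframe markup or footer wording (the `footerMessage` value keys on literal visible text, `Hello`, which is brittle against localisation or template edits) is no longer detected; either document why all three are required or consider `condition: siteConfiguration and (loadedIFrame or footerMessage)` with the request path as the anchor indicator. The rewritten `description` drops the lure context that the removed file carried (fake Steam login window, gift-card/skin bait); keeping one sentence of it, e.g. `Pages present a fake Steam login window with gift cards or skins as bait and fetch their template configuration from /api/getsiteconfig.`, would help an analyst triaging a hit. The `threat_actor_country.russia` tag asserts attribution that the listed references (all urlscan results) do not obviously substantiate; add a supporting reference or a short comment on how it was derived. Minor style point: `requests|contains` uses double quotes while both `dom|contains` values use single quotes.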