From d771f4379bef361920dcf1750da33ee5a09eb077 Mon Sep 17 00:00:00 2001 From: Czdam Date: Sun, 26 May 2024 14:57:13 +0200 Subject: [PATCH 1/8] Add files via upload --- indicators/valorant-phishing-3plew478.yml | 42 +++++++++++++++++++++++ indicators/valorant-phishing-7plil474.yml | 39 +++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 indicators/valorant-phishing-3plew478.yml create mode 100644 indicators/valorant-phishing-7plil474.yml diff --git a/indicators/valorant-phishing-3plew478.yml b/indicators/valorant-phishing-3plew478.yml new file mode 100644 index 00000000..99a421fa --- /dev/null +++ b/indicators/valorant-phishing-3plew478.yml @@ -0,0 +1,42 @@ +title: Valorant Phishing Kit 3plew478 +description: | + Detects Valorant phishing sites. + These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". + usually spread on social media. + +references: + - https://www.youtube.com/watch?v=lUL2vgyhsw4 + - https://www.tiktok.com/search/video?q=mrbeast%20valorant + - https://urlscan.io/result/35050e0b-f38d-4671-8728-489538351167/ + - https://urlscan.io/result/fb92d735-7209-48dc-8c06-0c23f013f0ef/ + - https://urlscan.io/result/9ced04ab-e67e-4ac5-9d9c-0993f69f3f55/ + - https://urlscan.io/result/e6f5c3bc-85e6-4fda-a276-709c52ac403b/ + +detection: + + Spin: + dom|contains: '' + + Prize: + dom|contains: '
' + + Path: + dom|contains: 'static/riot' + + Footer: + dom|contains|all: + - 'Inc. Riot Games' + - '

' + + RealDomain: + hostname|endswith: + - .riotgames.com + - .playvalorant.com + - .leagueoflegends.com + + condition: Spin and Prize and not RealDomain or Path and Footer and not RealDomain + +tags: + - kit + - target.valorant + - target.riotgames \ No newline at end of file diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-phishing-7plil474.yml new file mode 100644 index 00000000..89cd346c --- /dev/null +++ b/indicators/valorant-phishing-7plil474.yml @@ -0,0 +1,39 @@ +title: Valorant Phishing Kit 3plew478 +description: | + Detects Valorant phishing sites. + These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". + Usually spread on social media. + This version detects the login page usually at /login. + +references: + - https://www.youtube.com/watch?v=lUL2vgyhsw4 + - https://www.tiktok.com/search/video?q=mrbeast%20valorant + - https://urlscan.io/result/ceb1f3d8-efed-40b3-85e4-6c9eecd182b7/ + - https://urlscan.io/result/48118e59-979c-48e7-b332-bb802dc5e941/ + - https://urlscan.io/result/5421601f-f2aa-41a5-bf6b-85a264bee2f7/ + +detection: + + Title: + title|contains: 'Sign In' + + Evenodd: + dom|contains|all: + - 'evenodd' + - 'd="M28.7331' + + RealDomain: + hostname|endswith: + - .riotgames.com + - .playvalorant.com + - .leagueoflegends.com + + AfterLogin: + html|contains: 'waiting list!' + + condition: AfterLogin and Title and Evenodd and not RealDomain + +tags: + - kit + - target.valorant + - target.riotgames \ No newline at end of file From 89f26259967f9c505bcd09ddc5d451a085632d3d Mon Sep 17 00:00:00 2001 From: Czdam Date: Sun, 26 May 2024 15:06:51 +0200 Subject: [PATCH 2/8] fix of 7plil474 --- indicators/valorant-phishing-7plil474.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-phishing-7plil474.yml index 89cd346c..3feddaa0 100644 --- a/indicators/valorant-phishing-7plil474.yml +++ b/indicators/valorant-phishing-7plil474.yml @@ -1,4 +1,4 @@ -title: Valorant Phishing Kit 3plew478 +title: Valorant Phishing Kit 7plil474 description: | Detects Valorant phishing sites. These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". @@ -36,4 +36,4 @@ detection: tags: - kit - target.valorant - - target.riotgames \ No newline at end of file + - target.riotgames From e6de30a99784f0185c67a780aebd02f62f8c966e Mon Sep 17 00:00:00 2001 From: Czdam Date: Sun, 23 Jun 2024 04:17:14 +0200 Subject: [PATCH 3/8] Update valorant-phishing-3plew478.yml --- indicators/valorant-phishing-3plew478.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/indicators/valorant-phishing-3plew478.yml b/indicators/valorant-phishing-3plew478.yml index 99a421fa..58bcc93d 100644 --- a/indicators/valorant-phishing-3plew478.yml +++ b/indicators/valorant-phishing-3plew478.yml @@ -1,6 +1,7 @@ title: Valorant Phishing Kit 3plew478 description: | - Detects Valorant phishing sites. + Detects Valorant phishing sites using a DOM content. + These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". usually spread on social media. From 24723f7a94c310d09512a5531ae7fba8f4b02431 Mon Sep 17 00:00:00 2001 From: Czdam Date: Sun, 23 Jun 2024 04:17:35 +0200 Subject: [PATCH 4/8] Update valorant-phishing-7plil474.yml --- indicators/valorant-phishing-7plil474.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-phishing-7plil474.yml index 3feddaa0..c2c04fa3 100644 --- a/indicators/valorant-phishing-7plil474.yml +++ b/indicators/valorant-phishing-7plil474.yml @@ -1,6 +1,7 @@ title: Valorant Phishing Kit 7plil474 description: | - Detects Valorant phishing sites. + Detects Valorant phishing sites using a DOM content. + These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". Usually spread on social media. This version detects the login page usually at /login. From 3813cb679db62f32ebd6663ccad39b6dc70bd45b Mon Sep 17 00:00:00 2001 From: Czdam Date: Thu, 24 Apr 2025 18:11:57 +0200 Subject: [PATCH 5/8] Removes reference --- indicators/valorant-phishing-3plew478.yml | 3 +-- indicators/valorant-phishing-7plil474.yml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/indicators/valorant-phishing-3plew478.yml b/indicators/valorant-phishing-3plew478.yml index 58bcc93d..55f2b968 100644 --- a/indicators/valorant-phishing-3plew478.yml +++ b/indicators/valorant-phishing-3plew478.yml @@ -1,12 +1,11 @@ title: Valorant Phishing Kit 3plew478 description: | - Detects Valorant phishing sites using a DOM content. + Detects Valorant phishing sites using a DOM content. These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". usually spread on social media. references: - - https://www.youtube.com/watch?v=lUL2vgyhsw4 - https://www.tiktok.com/search/video?q=mrbeast%20valorant - https://urlscan.io/result/35050e0b-f38d-4671-8728-489538351167/ - https://urlscan.io/result/fb92d735-7209-48dc-8c06-0c23f013f0ef/ diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-phishing-7plil474.yml index c2c04fa3..4a5f6f6f 100644 --- a/indicators/valorant-phishing-7plil474.yml +++ b/indicators/valorant-phishing-7plil474.yml @@ -1,13 +1,12 @@ title: Valorant Phishing Kit 7plil474 description: | - Detects Valorant phishing sites using a DOM content. + Detects Valorant phishing sites using a DOM content. These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". Usually spread on social media. This version detects the login page usually at /login. references: - - https://www.youtube.com/watch?v=lUL2vgyhsw4 - https://www.tiktok.com/search/video?q=mrbeast%20valorant - https://urlscan.io/result/ceb1f3d8-efed-40b3-85e4-6c9eecd182b7/ - https://urlscan.io/result/48118e59-979c-48e7-b332-bb802dc5e941/ From 06bf6bc01e9c044e3d363397465942161d2f8fae Mon Sep 17 00:00:00 2001 From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com> Date: Thu, 24 Apr 2025 20:59:47 +0100 Subject: [PATCH 6/8] Update valorant-phishing-7plil474.yml Modifications. --- indicators/valorant-phishing-7plil474.yml | 41 ++++++++++------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-phishing-7plil474.yml index 4a5f6f6f..5057581d 100644 --- a/indicators/valorant-phishing-7plil474.yml +++ b/indicators/valorant-phishing-7plil474.yml @@ -1,11 +1,9 @@ title: Valorant Phishing Kit 7plil474 description: | - Detects Valorant phishing sites using a DOM content. - - These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". - Usually spread on social media. - This version detects the login page usually at /login. - + Detects a phishing kit targeting Valorant players. It is typically spread on + social media platforms such as TikTok, often luring in gamers using popular + figures such as Tenz, Kyedae and MrBeast. + references: - https://www.tiktok.com/search/video?q=mrbeast%20valorant - https://urlscan.io/result/ceb1f3d8-efed-40b3-85e4-6c9eecd182b7/ @@ -14,24 +12,19 @@ references: detection: - Title: - title|contains: 'Sign In' - - Evenodd: - dom|contains|all: - - 'evenodd' - - 'd="M28.7331' - - RealDomain: - hostname|endswith: - - .riotgames.com - - .playvalorant.com - - .leagueoflegends.com - - AfterLogin: - html|contains: 'waiting list!' - - condition: AfterLogin and Title and Evenodd and not RealDomain + requests: + requests|endswith|all: + - '/login' + - 'logins.css' + - '/t/1.css?apiType=css&projectid=dce2cd3c-2b49-496c-8fe8-f7eedea7aa2b' + + jsVariables: + js|contains|all: + - 'makeid' + - 'rqdata_token' + - 'login_mfa' + + condition: requests and jsVariables tags: - kit From 2d5de506dae2240113558e9d94c967581fc57766 Mon Sep 17 00:00:00 2001 From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com> Date: Thu, 24 Apr 2025 21:17:47 +0100 Subject: [PATCH 7/8] Update and rename valorant-phishing-3plew478.yml to valorant-landing-page-7plil474.yml Modifications --- indicators/valorant-landing-page-7plil474.yml | 28 +++++++++++++ indicators/valorant-phishing-3plew478.yml | 42 ------------------- 2 files changed, 28 insertions(+), 42 deletions(-) create mode 100644 indicators/valorant-landing-page-7plil474.yml delete mode 100644 indicators/valorant-phishing-3plew478.yml diff --git a/indicators/valorant-landing-page-7plil474.yml b/indicators/valorant-landing-page-7plil474.yml new file mode 100644 index 00000000..49eec5cd --- /dev/null +++ b/indicators/valorant-landing-page-7plil474.yml @@ -0,0 +1,28 @@ +title: Valorant Phishing Kit Landing Page 7plil474 +description: | + Detects the landing pages used by the phishing kit detected by the valorant-7plil474 rule. +references: + - https://www.tiktok.com/search/video?q=mrbeast%20valorant + - https://urlscan.io/result/35050e0b-f38d-4671-8728-489538351167/ + - https://urlscan.io/result/fb92d735-7209-48dc-8c06-0c23f013f0ef/ + - https://urlscan.io/result/9ced04ab-e67e-4ac5-9d9c-0993f69f3f55/ + - https://urlscan.io/result/e6f5c3bc-85e6-4fda-a276-709c52ac403b/ +related: + - id: valorant-7plil474 + +detection: + + jsVariables: + js|contains|all: + - 'start' + - 'checkAlreadyGot' + - 'getItem' + - 'getRandom' + - 'generateItems' + + condition: jsVariables + +tags: + - kit + - target.valorant + - target.riotgames diff --git a/indicators/valorant-phishing-3plew478.yml b/indicators/valorant-phishing-3plew478.yml deleted file mode 100644 index 55f2b968..00000000 --- a/indicators/valorant-phishing-3plew478.yml +++ /dev/null @@ -1,42 +0,0 @@ -title: Valorant Phishing Kit 3plew478 -description: | - Detects Valorant phishing sites using a DOM content. - - These sites use Promocodes most common are "Tenz" "Kyedae" "Mrbeast" "Beast". - usually spread on social media. - -references: - - https://www.tiktok.com/search/video?q=mrbeast%20valorant - - https://urlscan.io/result/35050e0b-f38d-4671-8728-489538351167/ - - https://urlscan.io/result/fb92d735-7209-48dc-8c06-0c23f013f0ef/ - - https://urlscan.io/result/9ced04ab-e67e-4ac5-9d9c-0993f69f3f55/ - - https://urlscan.io/result/e6f5c3bc-85e6-4fda-a276-709c52ac403b/ - -detection: - - Spin: - dom|contains: '' - - Prize: - dom|contains: '

' - - Path: - dom|contains: 'static/riot' - - Footer: - dom|contains|all: - - 'Inc. Riot Games' - - '

' - - RealDomain: - hostname|endswith: - - .riotgames.com - - .playvalorant.com - - .leagueoflegends.com - - condition: Spin and Prize and not RealDomain or Path and Footer and not RealDomain - -tags: - - kit - - target.valorant - - target.riotgames \ No newline at end of file From 3117864d4de42c8dac76a907920061bb4d0181aa Mon Sep 17 00:00:00 2001 From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com> Date: Thu, 24 Apr 2025 21:19:05 +0100 Subject: [PATCH 8/8] Update and rename valorant-phishing-7plil474.yml to valorant-7plil474.yml --- .../{valorant-phishing-7plil474.yml => valorant-7plil474.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename indicators/{valorant-phishing-7plil474.yml => valorant-7plil474.yml} (100%) diff --git a/indicators/valorant-phishing-7plil474.yml b/indicators/valorant-7plil474.yml similarity index 100% rename from indicators/valorant-phishing-7plil474.yml rename to indicators/valorant-7plil474.yml