Brand impersonation: ukr[.]net
Impersonation of ukr[.]net.
Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: ukr[.]net"
description: |
  Impersonation of ukr[.]net.

  Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate
  ukr[.]net to steal user credentials. "Compromised mailboxes are used by the
  Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."
references:
  - "https://www.facebook.com/UACERT/posts/317482093744389"
  - "https://www.facebook.com/UACERT/posts/317539153738683"
  - "https://twitter.com/thehackersnews/status/1500824885957857280?s=21"
  - "https://thehackernews.com/2022/03/ukrainian-cert-warns-citizens-of.html"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      // technique
      strings.ilike(sender.display_name, "ukr*net")
      and sender.email.domain.root_domain != "ukr.net"
    )
    or (
      // IOCs
      subject.subject == "Увага"
      and (
        sender.email.email in (
          "muthuprakash.b@tvsrubber.com",
          "rakesh.ict@msruas.ac.in",
          "omars@salecharter.net",
          "citi.in.pm@xerago.com",
          "qs@gsengint.com",
          "sec.ls@msruas.ac.in",
          "vaishnavi.kj@tvsrubber.com",
          "nshcorp@nshcorp.in",
          "purchase2@hitechelastomers.com",
          "productionbelgavi@hodekindia.com",
          "narayanababu.py.ph@msruas.ac.in",
          "roopa.tsld@msruas.ac.in",
          "in-nonciti.basupport@xerago.com",
          "info@empiink.com",
          "pooja.fa@msruas.ac.in",
          "babu.d@tvsrubber.com",
          "systeam@xerago.com",
          "dean.ds@msruas.ac.in",
        )
        or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Threat intelligence"
id: "3cb4015f-1e35-5bba-8d83-d5ed3dfff011"
```