Brand impersonation: ukr[.]net

Impersonation of ukr[.]net.

Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."

Sublime rule

```yaml
name: "Brand impersonation: ukr[.]net"
description: |
  Impersonation of ukr[.]net.

  Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate
  ukr[.]net to steal user credentials. "Compromised mailboxes are used by the
  Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."
references:
  - "https://www.facebook.com/UACERT/posts/317482093744389"
  - "https://www.facebook.com/UACERT/posts/317539153738683"
  - "https://twitter.com/thehackersnews/status/1500824885957857280?s=21"
  - "https://thehackernews.com/2022/03/ukrainian-cert-warns-citizens-of.html"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      // technique
      strings.ilike(sender.display_name, "ukr*net")
      and sender.email.domain.root_domain != "ukr.net"
    )
    or (
      // IOCs
      subject.subject == "Увага"
      and (
        sender.email.email in (
          "muthuprakash.b@tvsrubber.com",
          "rakesh.ict@msruas.ac.in",
          "omars@salecharter.net",
          "citi.in.pm@xerago.com",
          "qs@gsengint.com",
          "sec.ls@msruas.ac.in",
          "vaishnavi.kj@tvsrubber.com",
          "nshcorp@nshcorp.in",
          "purchase2@hitechelastomers.com",
          "productionbelgavi@hodekindia.com",
          "narayanababu.py.ph@msruas.ac.in",
          "roopa.tsld@msruas.ac.in",
          "in-nonciti.basupport@xerago.com",
          "info@empiink.com",
          "pooja.fa@msruas.ac.in",
          "babu.d@tvsrubber.com",
          "systeam@xerago.com",
          "dean.ds@msruas.ac.in",
        )
        or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Threat intelligence"
id: "3cb4015f-1e35-5bba-8d83-d5ed3dfff011"
```
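To make the rule's two OR branches concrete, here is an added Python re-implementation of its logic run over constructed sample messages. This is not Sublime's code or MQL: the `Message` dataclass, the `ilike` helper (modelled as a whole-string, case-insensitive wildcard match, which is how SQL-style LIKE and Sublime's `strings.ilike` behave), and the two-label `root_domain` approximation (Sublime resolves the registrable domain against the public suffix list) are assumptions made for this example. The subject string, sender addresses and link domain are the IOCs from the rule above; every sample message is constructed.

```python
"""Plain-Python model of the ukr[.]net brand-impersonation rule (added example).

Assumptions: Message, ilike and root_domain are stand-ins built for this
example; root_domain is a two-label approximation, not a public-suffix lookup.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# IOCs taken from the rule on this page.
IOC_SUBJECT = "Увага"  # Ukrainian for "Attention"
IOC_LINK_DOMAIN = "consumerspanel.frge.io"
IOC_SENDERS = frozenset({
    "muthuprakash.b@tvsrubber.com", "rakesh.ict@msruas.ac.in",
    "omars@salecharter.net", "citi.in.pm@xerago.com",
    "qs@gsengint.com", "sec.ls@msruas.ac.in",
    "vaishnavi.kj@tvsrubber.com", "nshcorp@nshcorp.in",
    "purchase2@hitechelastomers.com", "productionbelgavi@hodekindia.com",
    "narayanababu.py.ph@msruas.ac.in", "roopa.tsld@msruas.ac.in",
    "in-nonciti.basupport@xerago.com", "info@empiink.com",
    "pooja.fa@msruas.ac.in", "babu.d@tvsrubber.com",
    "systeam@xerago.com", "dean.ds@msruas.ac.in",
})


@dataclass
class Message:
    """Minimal stand-in for the email fields the rule reads (assumption)."""
    inbound: bool
    display_name: str
    sender_email: str
    subject: str
    link_domains: list[str] = field(default_factory=list)


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match over the whole string: `*` = any run,
    `?` = one character. "ukr*net" therefore matches "Ukr.Net" and "UKR NET"
    but not "ukr.net Mail", because the pattern must cover the entire value."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def root_domain(host: str) -> str:
    """Two-label approximation of the registrable domain (assumption: no PSL).

    Good enough to show why the rule compares root_domain: "mail.ukr.net"
    resolves to "ukr.net", while "ukr.net.lookalike.example" resolves to
    "lookalike.example" and so fails the `!= "ukr.net"` check in the rule's
    favour. Multi-label suffixes such as "ac.in" would need the real PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate(msg: Message) -> Optional[str]:
    """Return "technique", "ioc", or None, mirroring the rule's structure."""
    if not msg.inbound:  # type.inbound gates both branches
        return None
    sender = msg.sender_email.lower()
    sender_domain = sender.rsplit("@", 1)[-1]

    # Branch 1: display name claims ukr.net, sending domain does not belong to it.
    if ilike(msg.display_name, "ukr*net") and root_domain(sender_domain) != "ukr.net":
        return "technique"

    # Branch 2: known subject line combined with a known sender or link domain.
    if msg.subject == IOC_SUBJECT and (
        sender in IOC_SENDERS
        or any(d.lower() == IOC_LINK_DOMAIN for d in msg.link_domains)
    ):
        return "ioc"
    return None


# Constructed sample traffic; the .example domains are reserved placeholders.
SAMPLES = {
    "lookalike_display_name": Message(True, "Ukr.Net", "security@ukr-net-login.example", "Password expires"),
    "genuine_ukr_net": Message(True, "ukr.net", "noreply@mail.ukr.net", "Password expires"),
    "subdomain_lookalike": Message(True, "UKR NET", "noreply@ukr.net.lookalike.example", "Увага"),
    "ioc_sender": Message(True, "Anna", "info@empiink.com", "Увага"),
    "ioc_link": Message(True, "Anna", "someone@example.com", "Увага", ["consumerspanel.frge.io"]),
    "subject_only": Message(True, "Anna", "someone@example.com", "Увага", ["example.com"]),
    "outbound": Message(False, "Ukr.Net", "security@ukr-net-login.example", "Password expires"),
}


def run_samples() -> dict:
    """Evaluate every sample and return {name: branch-or-None}."""
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The two branches are deliberately independent: the technique branch keeps firing on new lookalike senders after the listed mailboxes are cleaned up or abandoned, while the IOC branch catches the specific campaign even when the display name is something innocuous. Note that the "subject_only" sample does not fire; the rule requires the subject together with a known sender or link, which keeps an ordinary Ukrainian-language "Увага" email from being flagged on its own.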