Attachment: Archive with embedded EXE file

Recursively scans files and archives to detect embedded EXE files (with an MZ header).

According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation".

The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.

Sublime rule (View on GitHub)

 1name: "Attachment: Archive with embedded EXE file"
 2description: |
 3  Recursively scans files and archives to detect embedded EXE files (with an MZ header).
 4
 5  According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an 
 6  attack that used this technique to the "special services of the Russian Federation".
 7
 8  The spear-phishing operation urged recipients to download a RAR archive included in the 
 9  email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe)
10  that tried to pass as a PDF file.  
11references:
12  - "https://therecord.media/ukraine-warns-of-massive-russian-spear-phishing-campaign/"
13type: "rule"
14severity: "high"
15source: |
16  type.inbound
17  and any(attachments,
18          (
19            .file_extension in~ $file_extensions_common_archives
20            or .file_type == "rar"
21          )
22          and any(file.explode(.),
23                  // the YARA scanner alone can be a bit unreliable,
24                  // it's matched on MZ strings in a text file before
25                  any(.flavors.yara, . == "mz_file")
26                  and strings.starts_with(.flavors.mime, "application")
27          )
28  )  
29attack_types:
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Evasion"
33detection_methods:
34  - "Archive analysis"
35  - "File analysis"
36  - "YARA"
37id: "e2b0ad86-1264-567e-b7c4-78d7ddbe7722"
to-top