Attachment: Fake Slack installer

HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.

Sublime rule

# Detection rule: an inbound HTML attachment that impersonates Slack and asks
# the recipient to download an executable hosted outside the organization.
name: "Attachment: Fake Slack installer"
description: |
    HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
type: "rule"
severity: "high"
# MQL query. The four attachment checks sit inside one any(attachments, ...),
# so they all have to hold for the same attachment, not across several.
source: |
  type.inbound
  and (
    any(attachments,
        // attachment is HTML by extension (in~ is case-insensitive), by
        // detected file type, or by declared content type
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
          or .content_type == "text/html"
        )
        // render the HTML and look for a Slack logo; low-confidence
        // detections are deliberately not enough on their own
        and any(ml.logo_detect(file.html_screenshot(.)).brands,
                .name == "Slack" and .confidence in ("medium", "high")
        )
        // the visible text contains a "request" entity whose text matches
        // "download" (=~ compares case-insensitively)
        and any(ml.nlu_classifier(file.parse_html(.).display_text).entities,
                .name == "request" and .text =~ "download"
        )
        // exploded attachment content links to a .exe (case-insensitive
        // suffix check) on a root domain outside the org's own domains;
        // the exclusion only has effect when $org_domains is populated
        and any(file.explode(.),
                any(.scan.url.urls,
                    strings.iends_with(.path, ".exe")
                    and .domain.root_domain not in $org_domains
                )
        )
    )
  )  
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Impersonation: Brand"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "Computer Vision"
  - "File analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "cded2d2f-a5ca-5754-9f2a-d6bdf28baab4"