Attachment: Fake Zoom installer

HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.

Sublime rule (View on GitHub)

 1name: "Attachment: Fake Zoom installer"
 2description: |
 3    HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml")
11            or .file_type == "html"
12            or .content_type == "text/html"
13          )
14          and any(ml.logo_detect(file.html_screenshot(.)).brands,
15                  .name == "Zoom" and .confidence in ("medium", "high")
16          )
17          and any(ml.nlu_classifier(file.parse_html(.).display_text).entities,
18                  .name == "request" and .text =~ "download"
19          )
20          and any(file.explode(.),
21                  any(.scan.url.urls,
22                      strings.iends_with(.path, ".exe")
23                      and .domain.root_domain not in $org_domains
24                  )
25          )
26  )  
27attack_types:
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "HTML smuggling"
32  - "Impersonation: Brand"
33  - "Scripting"
34  - "Social engineering"
35detection_methods:
36  - "Archive analysis"
37  - "Computer Vision"
38  - "File analysis"
39  - "HTML analysis"
40  - "Natural Language Understanding"
41  - "URL analysis"
42id: "840a12a6-a796-5e73-b975-1d1b5f745aea"