Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

Sublime rule (View on GitHub)

 1name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment"
 2description: |
 3    Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
 4references:
 5  - "https://twitter.com/pr0xylife/status/1593325734004768770"
 6  - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
 7  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
 8  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
 9type: "rule"
10severity: "high"
11authors:
12  - twitter: "ajpc500"
13source: |
14  type.inbound
15  and (
16    profile.by_sender().prevalence in ("new", "outlier")
17    or (
18      profile.by_sender().any_messages_malicious_or_spam
19      and not profile.by_sender().any_false_positives
20    )
21  )
22  and any(attachments,
23          .file_extension in ("html", "htm")
24          and any(file.explode(.),
25                  any(.scan.strings.strings,
26                      strings.ilike(.,
27                                    // Double Base64 encoded zips
28                                    "*VUVzREJCUUFBUUFJQ*",
29                                    "*VFc0RCQlFBQVFBSU*",
30                                    "*VRXNEQkJRQUFRQUlB*",
31                                    // Reversed base64 strings double encoded zips
32                                    "*QJFUUBFUUCJERzVUV*",
33                                    "*USBFVQBFlQCR0cFV*",
34                                    "*BlUQRFUQRJkQENXRV*"
35                      )
36                  )
37          )
38  )  
39tags:
40  - "Malfam: QakBot"
41attack_types:
42  - "Malware/Ransomware"
43  - "Credential Phishing"
44tactics_and_techniques:
45  - "Evasion"
46  - "HTML smuggling"
47  - "Scripting"
48detection_methods:
49  - "Archive analysis"
50  - "Content analysis"
51  - "File analysis"
52  - "HTML analysis"
53  - "Sender analysis"
54id: "61ebb07b-264e-59fb-a82c-d91957991081"

Related rules

to-top