Attachment: Double base64-encoded zip file in HTML smuggling attachment
Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
Sublime rule (View on GitHub)
1name: "Attachment: Double base64-encoded zip file in HTML smuggling attachment"
2description: |
3 Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
4references:
5 - "https://twitter.com/pr0xylife/status/1593325734004768770"
6 - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
7 - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
8 - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
9type: "rule"
10severity: "high"
11authors:
12 - twitter: "ajpc500"
13source: |
14 type.inbound
15 and any(attachments,
16 .file_extension in ("html", "htm")
17 and any(file.explode(.),
18 any(.scan.strings.strings,
19 strings.ilike(.,
20 // Double Base64 encoded zips
21 "*VUVzREJCUUFBUUFJQ*",
22 "*VFc0RCQlFBQVFBSU*",
23 "*VRXNEQkJRQUFRQUlB*",
24 // Reversed base64 strings double encoded zips
25 "*QJFUUBFUUCJERzVUV*",
26 "*USBFVQBFlQCR0cFV*",
27 "*BlUQRFUQRJkQENXRV*"
28 )
29 )
30 )
31 )
32tags:
33 - "Malfam: QakBot"
34attack_types:
35 - "Malware/Ransomware"
36 - "Credential Phishing"
37tactics_and_techniques:
38 - "Evasion"
39 - "HTML smuggling"
40 - "Scripting"
41detection_methods:
42 - "Archive analysis"
43 - "Content analysis"
44 - "File analysis"
45 - "HTML analysis"
46 - "Sender analysis"
47id: "61ebb07b-264e-59fb-a82c-d91957991081"
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with suspicious language and redirect to suspicious file type
- Link to auto-downloaded disk image in encrypted zip