Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

calendar Aug 21, 2023 · Malfam: QakBot  ·
Share on: linkedin copy

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

Sublime rule (View on GitHub)

 1name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment"
 2description: |
 3    Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
 4references:
 5  - "https://twitter.com/pr0xylife/status/1593325734004768770"
 6  - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
 7  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
 8  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
 9type: "rule"
10severity: "high"
11authors:
12  - twitter: "ajpc500"
13source: |
14  type.inbound
15  and (
16    (
17      sender.email.domain.root_domain in $free_email_providers
18      and sender.email.email not in $sender_emails
19    )
20    or (
21      sender.email.domain.root_domain not in $free_email_providers
22      and sender.email.domain.domain not in $sender_domains
23    )
24  )
25  and any(attachments,
26          .file_extension in ("html", "htm")
27          and any(file.explode(.),
28                  any(.scan.strings.strings,
29                      strings.ilike(.,
30                                    // Double Base64 encoded zips
31                                    "*VUVzREJCUUFBUUFJQ*",
32                                    "*VFc0RCQlFBQVFBSU*",
33                                    "*VRXNEQkJRQUFRQUlB*",
34                                    // Reversed base64 strings double encoded zips
35                                    "*QJFUUBFUUCJERzVUV*",
36                                    "*USBFVQBFlQCR0cFV*",
37                                    "*BlUQRFUQRJkQENXRV*"
38                      )
39                  )
40          )
41  )  
42tags:
43  - "Malfam: QakBot"
44attack_types:
45  - "Malware/Ransomware"
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Evasion"
49  - "HTML smuggling"
50  - "Scripting"
51detection_methods:
52  - "Archive analysis"
53  - "Content analysis"
54  - "File analysis"
55  - "HTML analysis"
56  - "Sender analysis"
57id: "61ebb07b-264e-59fb-a82c-d91957991081"

Related rules

to-top