Attachment: HTML smuggling with embedded base64-encoded ISO

HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.

Sublime rule

# Sublime Security detection rule. The `source` key holds the MQL query; the
# remaining keys are rule metadata (title, references, severity, taxonomy, id).
# Scope: inbound mail carrying an HTML attachment, or a common archive that
# file.explode() can open, whose extracted strings contain base64 text that is
# characteristic of an ISO 9660 image (the HTML-smuggling delivery pattern).
name: "Attachment: HTML smuggling with embedded base64-encoded ISO"
description: |
    HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.
references:
  - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d"
  - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a"
type: "rule"
severity: "high"
# Detection logic notes:
# - `in~` and `strings.ilike` are case-insensitive, so extension and string
#   matches do not depend on casing; `*...*` makes each literal a substring match.
# - The attachment filter accepts HTML by extension ("html"/"htm") or by detected
#   file type, and also common archive extensions so that an HTML file nested in
#   an archive is still reached through file.explode(.).
# - Matched literals (each also listed character-reversed to catch payloads
#   that are un-reversed by script before decoding):
#     "SVNPIDk2NjAvSEZT"         -> base64 of "ISO 9660/HFS"
#     "MTk5MyBFLllPVU5HREFMRQ"   -> base64 of "1993 E.YOUNGDALE" (a string
#                                   commonly present in mastering-tool ISOs —
#                                   confirm against the referenced samples)
# - NOTE(review): a fixed base64 literal only matches one of the three possible
#   byte alignments of the encoder; a payload encoded from a different offset,
#   split into chunks, or using a non-standard alphabet would not match. Treat
#   this as high-precision, not exhaustive, coverage of base64-embedded ISOs.
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    // Base64 encoded ISOs
                                    "*SVNPIDk2NjAvSEZT*",
                                    "*MTk5MyBFLllPVU5HREFMRQ*",
                                    // Reversed base64 encoded ISOs
                                    "*TZESvAjN2kDIPNVS*",
                                    "*QRMFERH5UVPllLFByM5kTM*"
                      )
                  )
          )
  )  
# Taxonomy metadata used for triage and reporting; it does not affect matching.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "ISO"
# Analysis capabilities the rule relies on (archive explosion, string extraction
# from file content, HTML handling); "Sender analysis" is declared here although
# the query above only inspects type.inbound and attachments.
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Sender analysis"
# Stable rule identifier.
id: "294ecd2d-bc98-5a67-850a-60a1a29aea76"