Attachment: PDF with link to DMG file download

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with link to DMG file download"
 2description: |
 3    This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. 
 4references:
 5  - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
 6  - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
 7  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and any(attachments,
13          .file_type == "pdf"
14          and any(file.explode(.),
15                  any(.scan.url.urls,
16  
17                      // url links to dmg or zip
18                      (
19                        strings.iends_with(.url, ".dmg")
20                        or strings.iends_with(.url, "zip")
21                      )
22  
23                      // and downloads a dmg or a zip
24                      and any(ml.link_analysis(.).files_downloaded,
25                              (
26                                .file_extension == "dmg"
27                                or (
28                                  .file_extension in~ $file_extensions_common_archives
29  
30                                  // and the zip contains a dmg file
31                                  and any(file.explode(.),
32                                          (.file_extension =~ "dmg")
33  
34                                          // exif inspection if encrypted
35                                          or strings.ends_with(.scan.exiftool.zip_file_name,
36                                                               ".dmg"
37                                          )
38                                  )
39                                )
40                              )
41                      )
42                  )
43          )
44  )
45  and (
46    profile.by_sender().prevalence in ("new", "outlier")
47    or (
48      profile.by_sender().any_messages_malicious_or_spam
49      and not profile.by_sender().any_messages_benign
50    )
51  )  
52tags: 
53  - "Malfam: MetaStealer"
54attack_types:
55  - "Malware/Ransomware"
56tactics_and_techniques:
57  - "Evasion"
58  - "PDF"
59detection_methods:
60  - "Archive analysis"
61  - "Content analysis"
62  - "File analysis"
63  - "URL analysis"
64  
65id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"

Related rules

to-top