Attachment: PDF with link to DMG file download

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer malware.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with link to DMG file download"
 2description: |
 3    This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. 
 4references:
 5  - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
 6  - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
 7  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/​"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and any(attachments,
13          .file_type == "pdf"
14          and any(file.explode(.),
15                  any(.scan.url.urls,
16  
17                      // url links to dmg or zip
18                      (
19                        strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
20                      )
21  
22                      // and downloads a dmg or a zip
23                      and any(beta.linkanalysis(.).files_downloaded,
24                              (
25                                .file_extension == "dmg"
26                                or (
27                                  .file_extension in~ $file_extensions_common_archives
28  
29                                  // and the zip contains a dmg file
30                                  and any(file.explode(.),
31                                          (.file_extension =~ "dmg")
32  
33                                          // exif inspection if encrypted
34                                          or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
35                                  )
36                                )
37                              )
38                      )
39                  )
40          )
41  )
42  
43  
44  // first time sender
45  and (
46    (
47      sender.email.domain.root_domain in $free_email_providers
48      and sender.email.email not in $sender_emails
49    )
50    or (
51      sender.email.domain.root_domain not in $free_email_providers
52      and sender.email.domain.domain not in $sender_domains
53    )
54  )  
55tags: 
56  - "Malfam: MetaStealer"
57attack_types:
58  - "Malware/Ransomware"
59tactics_and_techniques:
60  - "Evasion"
61  - "PDF"
62detection_methods:
63  - "Archive analysis"
64  - "Content analysis"
65  - "File analysis"
66  - "URL analysis"
67  
68id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"