Attachment: PDF with link to DMG file download

Apr 25, 2024 · Malfam: MetaStealer ·

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with link to DMG file download"
 2description: |
 3    This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. 
 4references:
 5  - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
 6  - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
 7  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and any(attachments,
13          .file_type == "pdf"
14          and any(file.explode(.),
15                  any(.scan.url.urls,
16  
17                      // url links to dmg or zip
18                      (
19                        strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
20                      )
21  
22                      // and downloads a dmg or a zip
23                      and any(ml.link_analysis(.).files_downloaded,
24                              (
25                                .file_extension == "dmg"
26                                or (
27                                  .file_extension in~ $file_extensions_common_archives
28  
29                                  // and the zip contains a dmg file
30                                  and any(file.explode(.),
31                                          (.file_extension =~ "dmg")
32  
33                                          // exif inspection if encrypted
34                                          or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
35                                  )
36                                )
37                              )
38                      )
39                  )
40          )
41  )
42  and (
43    profile.by_sender().prevalence in ("new", "outlier")
44    or (
45      profile.by_sender().any_messages_malicious_or_spam
46      and not profile.by_sender().any_false_positives
47    )
48  )  
49tags: 
50  - "Malfam: MetaStealer"
51attack_types:
52  - "Malware/Ransomware"
53tactics_and_techniques:
54  - "Evasion"
55  - "PDF"
56detection_methods:
57  - "Archive analysis"
58  - "Content analysis"
59  - "File analysis"
60  - "URL analysis"
61  
62id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"

Related rules

Link to auto-downloaded DMG in encrypted zip