Link to auto-downloaded disk image in encrypted zip

A link in the body of the email downloads an encrypted zip containing a disk image (IMG, ISO or VHD). This combination of file types has been used to deliver Qakbot.

Sublime rule

name: "Link to auto-downloaded disk image in encrypted zip"
description: |
    A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1592502966409654272"
  - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
  - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
  - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
severity: "medium"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    any(.flavors.yara, . == "encrypted_zip")
                    and any(.scan.zip.all_paths,
                            any([".img", ".iso", ".vhd"],
                                strings.ends_with(.., .)
                            )
                    )
                  )
              )
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"
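The rule's logic re-implemented in Python as an added example (not Sublime's code or the rule author's): it builds constructed sample archives and evaluates the encrypted-zip, disk-image-path and sender-profile conditions the way the MQL above does. Patching the zip encryption flag bit, matching extensions case-insensitively, and any prevalence value other than "new"/"outlier" are assumptions made for the example.

```python
import io
import zipfile

# Extensions the rule checks against scan.zip.all_paths.
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd")


def build_sample_zip(names, encrypted):
    """Constructed sample: an in-memory zip with the given entry names.
    Python's zipfile cannot write password-protected archives, so for the
    encrypted case we set general-purpose flag bit 0 (the 'encrypted' bit)
    in every local file header (offset 6) and central directory entry
    (offset 8); that bit is what an encrypted-zip flavor detector keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def encrypted_zip_with_disk_image(blob):
    """Mirror of the file.explode() branch: the download must be a zip with an
    encrypted entry and an entry path ending in a disk image extension
    (matched case-insensitively here, an assumption). Non-zips never match."""
    stream = io.BytesIO(blob)
    if not zipfile.is_zipfile(stream):
        return False
    with zipfile.ZipFile(stream) as zf:
        infos = zf.infolist()
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    has_image = any(i.filename.lower().endswith(DISK_IMAGE_EXTS) for i in infos)
    return encrypted and has_image


def sender_is_suspicious(prevalence, any_malicious_or_spam, any_benign):
    """Mirror of the profile.by_sender() clause."""
    return prevalence in ("new", "outlier") or (any_malicious_or_spam and not any_benign)


def matches_rule(downloaded_files, prevalence, any_malicious_or_spam, any_benign):
    """Whole rule: some link-downloaded file matches AND the sender profile does."""
    file_hit = any(encrypted_zip_with_disk_image(f) for f in downloaded_files)
    return file_hit and sender_is_suspicious(prevalence, any_malicious_or_spam, any_benign)
```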
