Link to auto-downloaded disk image in encrypted zip
A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
Sublime rule (View on GitHub)
1name: "Link to auto-downloaded disk image in encrypted zip"
2description: |
3 A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
4type: "rule"
5references:
6 - "https://twitter.com/pr0xylife/status/1592502966409654272"
7 - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
8 - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
9 - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
10severity: "medium"
11authors:
12 - twitter: "ajpc500"
13source: |
14 type.inbound
15 and any(body.links,
16 any(ml.link_analysis(.).files_downloaded,
17 any(file.explode(.),
18 (
19 any(.flavors.yara, . == "encrypted_zip")
20 and any(.scan.zip.all_paths,
21 any([".img", ".iso", ".vhd"], strings.ends_with(.., .))
22 )
23 )
24 )
25 )
26 )
27 and (
28 profile.by_sender().prevalence in ("new", "outlier")
29 or (
30 profile.by_sender().any_messages_malicious_or_spam
31 and not profile.by_sender().any_false_positives
32 )
33 )
34tags:
35 - "Malfam: QakBot"
36attack_types:
37 - "Malware/Ransomware"
38tactics_and_techniques:
39 - "Encryption"
40 - "Evasion"
41 - "Social engineering"
42detection_methods:
43 - "Archive analysis"
44 - "File analysis"
45 - "Sender analysis"
46 - "URL analysis"
47 - "YARA"
48id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"