Link to auto-downloaded disk image in encrypted zip

 1name: "Link to auto-downloaded disk image in encrypted zip"
 2description: |
 3    A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
 4type: "rule"
 5references:
 6  - "https://twitter.com/pr0xylife/status/1592502966409654272"
 7  - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
 8  - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
 9  - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
10severity: "medium"
11authors:
12  - twitter: "ajpc500"
13source: |
14  type.inbound
15  and any(body.links,
16          any(ml.link_analysis(.).files_downloaded,
17              any(file.explode(.),
18                  (
19                    any(.flavors.yara, . == "encrypted_zip")
20                    and any(.scan.zip.all_paths,
21                            any([".img", ".iso", ".vhd"], strings.ends_with(.., .))
22                    )
23                  )
24              )
25          )
26  )
27  and (
28    profile.by_sender().prevalence in ("new", "outlier")
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )  
34tags:
35  - "Malfam: QakBot"
36attack_types:
37  - "Malware/Ransomware"
38tactics_and_techniques:
39  - "Encryption"
40  - "Evasion"
41  - "Social engineering"
42detection_methods:
43  - "Archive analysis"
44  - "File analysis"
45  - "Sender analysis"
46  - "URL analysis"
47  - "YARA"
48id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"