Link to auto-downloaded disk image in encrypted zip
A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
Sublime rule
```yaml
name: "Link to auto-downloaded disk image in encrypted zip"
description: |
  A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1592502966409654272"
  - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
  - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
  - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
severity: "medium"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and any(body.links,
          any(beta.linkanalysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    any(.flavors.yara, . == "encrypted_zip")
                    and any(.scan.zip.all_paths,
                            any([".img", ".iso", ".vhd"], strings.ends_with(.., .))
                    )
                  )
              )
          )
  )
  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"
```
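The same two-part logic (encrypted archive listing a disk-image member, plus the first-time-sender test) re-implemented outside Sublime, as an added example that is not the rule's or Sublime's own code. The sender lists and the archive are constructed stand-ins; the extension match is assumed case-insensitive and the free-mail check uses the full sender domain rather than `root_domain`.

```python
import io
import zipfile

DISK_IMAGE_EXTS = (".img", ".iso", ".vhd")
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}   # constructed stand-in for $free_email_providers
KNOWN_SENDER_EMAILS = {"alice@gmail.com"}             # constructed stand-in for $sender_emails
KNOWN_SENDER_DOMAINS = {"partner.example"}            # constructed stand-in for $sender_domains


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has bit 0 (encryption) of the general purpose flag set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def zip_disk_image_paths(data: bytes) -> list[str]:
    """Member paths ending in .img/.iso/.vhd (case-insensitive, an assumption here)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(DISK_IMAGE_EXTS)]


def is_first_time_sender(email: str) -> bool:
    """Free-mail senders are keyed by full address, everyone else by domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_PROVIDERS:
        return email.lower() not in KNOWN_SENDER_EMAILS
    return domain not in KNOWN_SENDER_DOMAINS


def matches_rule(sender: str, downloaded_zips: list[bytes]) -> bool:
    """Alert only when both the archive condition and the sender condition hold."""
    return is_first_time_sender(sender) and any(
        zip_is_encrypted(z) and zip_disk_image_paths(z) for z in downloaded_zips
    )


def build_sample_zip(member: str, encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted entries, so the
    encryption bit is set by hand in the central directory header (flag at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real disk image")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.index(b"PK\x01\x02")   # central directory file header signature
        data[cd + 8] |= 0x1              # low byte of the general purpose bit flag
    return bytes(data)
```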
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file