Link to auto-downloaded DMG in encrypted zip
A link in the body of the message downloads an encrypted zip that contains a DMG file.
This technique has been observed in the wild (ITW) to deliver Meta Stealer, Atomic Stealer, and other macOS malware.
Notably, in some instances, the attacker poses as a recruiter and initiates a back-and-forth conversation with the recipient before sending the link.
Sublime rule

```yaml
name: "Link to auto-downloaded DMG in encrypted zip"
description: |
  A link in the body of the message downloads an encrypted zip that contains a DMG file.

  This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.

  Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.
type: "rule"
references:
  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
  - "https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community"
  - "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    any(.flavors.yara, . == "encrypted_zip")
                    and any(.scan.zip.all_paths,
                            any([".dmg"], strings.ends_with(.., .))
                    )
                  )
              )
          )
  )
  and (
    profile.by_sender().prevalence != "common"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Malfam: MetaStealer"
  - "Malfam: AtomicStealer"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "43af98d3-fa3e-5734-9f5b-61f07bc3eae1"
```
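The rule is a conjunction of three independent checks: (1) some link in the body, when followed by link analysis, yields a downloaded file that explodes into an encrypted zip (YARA flavor `encrypted_zip`) whose member list contains a `.dmg` path; (2) the sender is not already common to the recipient organization, or is common but has prior malicious/spam messages and no recorded false positives; (3) the sender's root domain is not in the high-trust list, or it is but the message fails DMARC (so a spoof of a trusted domain is still caught). The following Python model is an added example, not Sublime's engine or the rule author's code; the dataclasses are constructed stand-ins for the MQL objects the rule reads (`body.links`, `ml.link_analysis(.).files_downloaded`, `file.explode(.)`, `profile.by_sender()`, `headers.auth_summary.dmarc.pass`), the trusted-domain set stands in for `$high_trust_sender_root_domains`, and the sample messages are constructed to exercise each branch.

```python
"""Toy evaluator of the rule's logic (added example, not Sublime's engine)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ExplodedFile:
    yara_flavors: List[str]   # stands in for .flavors.yara
    zip_paths: List[str]      # stands in for .scan.zip.all_paths


@dataclass
class Link:
    # One inner list per downloaded file, already exploded into its members
    files_downloaded: List[List[ExplodedFile]]


@dataclass
class SenderProfile:        # stands in for profile.by_sender()
    prevalence: str         # e.g. "new", "uncommon", "common"
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


@dataclass
class Message:
    inbound: bool
    links: List[Link]
    sender_root_domain: str  # sender.email.domain.root_domain
    dmarc_pass: bool         # headers.auth_summary.dmarc.pass
    profile: SenderProfile


# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-partner.example"}


def is_encrypted_zip_with_dmg(f: ExplodedFile) -> bool:
    """Innermost predicate: encrypted_zip flavor AND a member path ending in .dmg.
    Case-folding the path is an assumption here; the engine's own comparison
    semantics for strings.ends_with apply in production."""
    return "encrypted_zip" in f.yara_flavors and any(
        p.lower().endswith(".dmg") for p in f.zip_paths
    )


def link_delivers_encrypted_zip_with_dmg(link: Link) -> bool:
    """any(files_downloaded, any(file.explode(.), ...)) over one link."""
    return any(is_encrypted_zip_with_dmg(f)
               for exploded in link.files_downloaded for f in exploded)


def sender_profile_suspicious(p: SenderProfile) -> bool:
    """Sender is not common, or is common with bad history and no false positives."""
    return p.prevalence != "common" or (
        p.any_messages_malicious_or_spam and not p.any_false_positives
    )


def high_trust_domain_cleared(root_domain: str, dmarc_pass: bool) -> bool:
    """Trusted domains are exempt only while they pass DMARC."""
    trusted = root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS
    return (trusted and not dmarc_pass) or not trusted


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and any(link_delivers_encrypted_zip_with_dmg(l) for l in msg.links)
        and sender_profile_suspicious(msg.profile)
        and high_trust_domain_cleared(msg.sender_root_domain, msg.dmarc_pass)
    )


def sample_messages() -> Dict[str, Message]:
    """Constructed messages covering each branch of the rule."""
    lure = ExplodedFile(["encrypted_zip"], ["Offer/JobDescription.dmg"])
    plain_zip = ExplodedFile(["zip"], ["Offer/JobDescription.dmg"])
    encrypted_pdf = ExplodedFile(["encrypted_zip"], ["Offer/contract.pdf"])
    new_sender = SenderProfile("new", False, False)
    uncommon_sender = SenderProfile("uncommon", False, False)
    common_with_history = SenderProfile("common", True, False)

    def msg(payload, root, dmarc, profile):
        return Message(True, [Link([[payload]])], root, dmarc, profile)

    return {
        "recruiter_lure": msg(lure, "freemail.example", False, new_sender),
        "trusted_dmarc_pass": msg(lure, "trusted-partner.example", True, uncommon_sender),
        "trusted_dmarc_fail": msg(lure, "trusted-partner.example", False, uncommon_sender),
        "plain_zip": msg(plain_zip, "freemail.example", False, new_sender),
        "encrypted_pdf": msg(encrypted_pdf, "freemail.example", False, new_sender),
        "common_sender_bad_history": msg(lure, "vendor.example", True, common_with_history),
    }


if __name__ == "__main__":
    for name, m in sample_messages().items():
        print(f"{name:28s} -> {'MATCH' if rule_matches(m) else 'no match'}")
```

The two trusted-domain cases show why the DMARC clause matters: the same payload from a high-trust domain is exempted only when the message actually authenticates, so a lookalike or spoofed message that fails DMARC is still flagged.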