Link to auto-downloaded DMG in encrypted zip

A link in the body of the message downloads an encrypted zip that contains a DMG file.

This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.

Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.

Sublime rule (View on GitHub)

 1name: "Link to auto-downloaded DMG in encrypted zip"
 2description: |
 3  A link in the body of the message downloads an encrypted zip that contains a DMG file.
 4
 5  This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.
 6
 7  Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.  
 8type: "rule"
 9references:
10  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
11  - "https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community"
12  - "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates"
13severity: "high"
14source: |
15  type.inbound
16  and any(body.links,
17          any(beta.linkanalysis(.).files_downloaded,
18              any(file.explode(.),
19                  (
20                    any(.flavors.yara, . == "encrypted_zip")
21                    and any(.scan.zip.all_paths,
22                            any([".dmg"], strings.ends_with(.., .))
23                    )
24                  )
25              )
26          )
27  )
28  and (
29    profile.by_sender().prevalence != "common"
30    or (
31      profile.by_sender().any_messages_malicious_or_spam
32      and not profile.by_sender().any_false_positives
33    )
34  )
35
36  // negate highly trusted sender domains unless they fail DMARC authentication
37  and (
38    (
39      sender.email.domain.root_domain in $high_trust_sender_root_domains
40      and (
41        any(distinct(headers.hops, .authentication_results.dmarc is not null),
42            strings.ilike(.authentication_results.dmarc, "*fail")
43        )
44      )
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )  
48tags:
49  - "Malfam: MetaStealer"
50  - "Malfam: AtomicStealer"
51attack_types:
52  - "Malware/Ransomware"
53tactics_and_techniques:
54  - "Encryption"
55  - "Evasion"
56  - "Social engineering"
57detection_methods:
58  - "Archive analysis"
59  - "File analysis"
60  - "Sender analysis"
61  - "URL analysis"
62  - "YARA"
63id: "43af98d3-fa3e-5734-9f5b-61f07bc3eae1"

Related rules

to-top