Malware: Pikabot delivery via URL auto-download
This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or the hash of a file in the archive is found in Malware Bazaar.
name: "Malware: Pikabot delivery via URL auto-download"
description: "This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar."
type: "rule"
severity: "high"
# MQL detection logic. The top-level conditions are AND-ed: the message must be
# inbound, carry a Pikabot-shaped link, satisfy one of the two evidence branches,
# and pass the sender-trust and sender-profile gates at the bottom.
source: |
  type.inbound
  // Link shape: some path segment of letters/digits followed by "/?" and a
  // letters/digits query string, e.g. ".../<alnum>/?<alnum>" (case-insensitive).
  // NOTE(review): this is evaluated on the displayed link text (display_url),
  // while both branches below inspect the actual target (href_url); the two
  // can differ on a message, so confirm this split is intentional.
  and any(body.links,
          regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+')
  )
  and (
    // Branch 1: the link's domain has been reported to URLhaus by trusted
    // reporters. Two large shared-hosting domains are excluded from this
    // reputation check.
    any(body.links,
        .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
        and not .href_url.domain.domain in ("drive.google.com", "github.com")
    )
    // Branch 2: following the link (aggressive link analysis) downloads a
    // common archive type, and exploding that archive yields either a file
    // with a "js" extension or a file whose SHA256 is known to MalwareBazaar
    // (trusted reporters).
    // NOTE(review): "=~ "js"" matches only the exact "js" extension;
    // confirm whether that is the intended scope for the archive contents.
    or any(body.links,
           any(ml.link_analysis(., mode="aggressive").files_downloaded,
               .file_extension in~ $file_extensions_common_archives
               and (
                 any(file.explode(.),
                     .file_extension =~ "js"
                     or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
                 )
               )
           )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain is only allowed through when DMARC did not pass;
  // any other root domain is always considered)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender profile gate: fire only for unsolicited senders, or for senders
  // with prior malicious/spam messages in the profile.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
tags:
  - "Malfam: Pikabot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
# Detection methods referenced by the source above: archive explosion,
# extension/hash checks, abuse.ch threat-intel lists, and link analysis.
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Threat intelligence"
  - "URL analysis"
id: "f4be4572-82dc-5229-81ad-bd9fc9d6b673"