Malware: Pikabot delivery via URL auto-download

This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or the hash of a file in the archive is found in Malware Bazaar.


# Sublime detection rule. The `source` block is an MQL expression evaluated per
# message; every top-level `and` clause below must hold for the rule to match.
name: "Malware: Pikabot delivery via URL auto-download"
description: "This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Trigger: a link whose *display* URL path looks like <alnum segment>/?<alnum>
  // (the Pikabot URL shape). imatch is case-insensitive. Note that this check
  // runs on .display_url while the reputation check below runs on .href_url, so a
  // link whose visible text differs from its target is evaluated on two different
  // strings — confirm this split is intended.
  and any(body.links, regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+'))
  // Corroboration: at least one of the two branches below must hold.
  and (
    // (1) The link target's domain is on URLhaus (trusted-reporter feed).
    any(body.links,
        .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
    )
    // (2) Following the link serves an archive whose contents are suspicious.
    //     beta.linkanalysis is a beta function; "aggressive" mode presumably
    //     follows the link more deeply than the default — TODO confirm semantics.
    or any(body.links,
           any(beta.linkanalysis(., mode="aggressive").files_downloaded,
               // Downloaded file is a common archive type (in~ is case-insensitive).
               .file_extension in~ $file_extensions_common_archives
               and (
                 // Inspect the archive's contents: a .js member (=~ is
                 // case-insensitive) or a member whose SHA-256 is on
                 // MalwareBazaar (trusted-reporter feed).
                 any(file.explode(.),
                     .file_extension =~ "js"
                     or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
                 )
               )
           )
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a sender on the high-trust list only keeps the match when some hop that
  // carries a DMARC result reports a failure; senders not on the list are never
  // suppressed by this clause.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // Only hops with a DMARC result are considered; "*fail" is matched
        // case-insensitively against that result string.
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Sender-profile gate: suppress for solicited senders, unless that sender
  // already has malicious or spam messages on record.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )  
# Metadata used for classification and search; not part of the match logic.
tags:
  - "Malfam: Pikabot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Threat intelligence"
  - "URL analysis"
id: "f4be4572-82dc-5229-81ad-bd9fc9d6b673"

