macOS malware: Compiled AppleScript with document double-extension
Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.
Sublime rule
name: "macOS malware: Compiled AppleScript with document double-extension"
description: |
  Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt)
  commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when
  double-clicked and use social engineering (fake compatibility errors) to trick users into executing
  malicious reconnaissance scripts that fetch subsequent payload stages.
references:
  - "https://delivr.to/payloads?id=9fd3974a-b764-4011-b3ea-f4eeb993aa5b"
type: "rule"
severity: "high"
source: |
  type.inbound

  // attachment with .scpt extension (compiled AppleScript)
  and any(attachments,
    .file_extension == "scpt"
    // double extension pattern: common document extensions followed by .scpt
    and regex.icontains(.file_name,
      '\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt|rtf)\.scpt$'
    )
    // ensure it's actually a binary/script file, not just renamed
    // compiled AppleScript files are binary and have minimum size
    and (.file_type == "unknown" or .file_type == "exe")
    // compiled .scpt files are binary, should have reasonable size
    and .size > 1000
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "9669c169-57fe-5d80-865a-5e66eccfb658"
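To see how the rule's three gates (double-extension name, binary file type with a minimum size, and the trusted-sender/DMARC exclusion) combine, here is an added Python re-implementation of the same logic run over constructed sample messages. It is not Sublime's code: the message dictionary layout, the `message()` builder and the `HIGH_TRUST_ROOT_DOMAINS` set standing in for `$high_trust_sender_root_domains` are assumptions made for this example.

```python
import re

# Stand-in for Sublime's $high_trust_sender_root_domains list (constructed for this example).
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}

# The rule's regex: a common document extension immediately followed by .scpt, case-insensitive.
DOUBLE_EXT_RE = re.compile(r"\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt|rtf)\.scpt$", re.IGNORECASE)


def attachment_matches(att: dict) -> bool:
    """Per-attachment conditions: .scpt extension, double-extension name, binary type, plausible size."""
    return (
        att["file_extension"] == "scpt"
        and DOUBLE_EXT_RE.search(att["file_name"]) is not None
        and att["file_type"] in ("unknown", "exe")
        and att["size"] > 1000
    )


def sender_in_scope(msg: dict) -> bool:
    """Highly trusted root domains are excluded unless the message fails DMARC."""
    if msg["sender_root_domain"] in HIGH_TRUST_ROOT_DOMAINS:
        return not msg["dmarc_pass"]
    return True


def rule_fires(msg: dict) -> bool:
    """Full rule: inbound, at least one matching attachment, sender not a DMARC-passing trusted domain."""
    return msg["inbound"] and any(attachment_matches(a) for a in msg["attachments"]) and sender_in_scope(msg)


def message(file_name, file_type="unknown", size=4096, root="partner-example.net", dmarc=False):
    """Build a constructed sample inbound message carrying a single attachment (assumed layout)."""
    ext = file_name.rsplit(".", 1)[-1].lower()
    return {
        "inbound": True,
        "attachments": [{"file_name": file_name, "file_extension": ext, "file_type": file_type, "size": size}],
        "sender_root_domain": root,
        "dmarc_pass": dmarc,
    }


if __name__ == "__main__":
    samples = {
        "lure from unknown sender": message("Q3_Contract.pdf.scpt"),
        "trusted sender, DMARC pass": message("Q3_Contract.pdf.scpt", root="microsoft.com", dmarc=True),
        "trusted sender, DMARC fail": message("Q3_Contract.pdf.scpt", root="microsoft.com", dmarc=False),
        "plain .scpt, no double extension": message("helper.scpt"),
        "double extension but tiny (renamed)": message("Notes.DOCX.scpt", size=200),
    }
    for label, msg in samples.items():
        print(f"{label}: {'match' if rule_fires(msg) else 'no match'}")
```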