New rule - Link to auto-downloaded DMG in encrypted zip (#1062)

Co-authored-by: ID Generator <[email protected]>

detection-rules/link_download_dmg_in_encrypted_zip.yml

@@ -0,0 +1,50 @@
+name: "Link to auto-downloaded DMG in encrypted zip"
+description: |
+  A link in the body of the message downloads an encrypted zip that contains a DMG file.
+
+  This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.
+
+  Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.
+type: "rule"
+references:
+  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
+  - "https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community"
+  - "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates"
+severity: "high"
+source: |
+  type.inbound
+  and any(body.links,
+          any(beta.linkanalysis(.).files_downloaded,
+              any(file.explode(.),
+                  (
+                    any(.flavors.yara, . == "encrypted_zip")
+                    and any(.scan.zip.all_paths,
+                            any([".dmg"], strings.ends_with(.., .))
+                    )
+                  )
+              )
+          )
+  )
+  and (
+    profile.by_sender().prevalence != "common"
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Malfam: MetaStealer"
+  - "Malfam: AtomicStealer"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Sender analysis"
+  - "URL analysis"
+  - "YARA"
+id: "43af98d3-fa3e-5734-9f5b-61f07bc3eae1"