From 740522d7c243e4879e9f7ffbf9d7ec4226e8f38b Mon Sep 17 00:00:00 2001 From: Josh Kamdjou Date: Wed, 29 Nov 2023 23:44:19 -0500 Subject: [PATCH] New rule - Link to auto-downloaded DMG in encrypted zip (#1062) Co-authored-by: ID Generator --- .../link_download_dmg_in_encrypted_zip.yml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 detection-rules/link_download_dmg_in_encrypted_zip.yml diff --git a/detection-rules/link_download_dmg_in_encrypted_zip.yml b/detection-rules/link_download_dmg_in_encrypted_zip.yml new file mode 100644 index 00000000000..7b425a7aa24 --- /dev/null +++ b/detection-rules/link_download_dmg_in_encrypted_zip.yml @@ -0,0 +1,50 @@ +name: "Link to auto-downloaded DMG in encrypted zip" +description: | + A link in the body of the message downloads an encrypted zip that contains a DMG file. + + This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware. + + Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient. +type: "rule" +references: + - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/" + - "https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community" + - "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates" +severity: "high" +source: | + type.inbound + and any(body.links, + any(beta.linkanalysis(.).files_downloaded, + any(file.explode(.), + ( + any(.flavors.yara, . == "encrypted_zip") + and any(.scan.zip.all_paths, + any([".dmg"], strings.ends_with(.., .)) + ) + ) + ) + ) + ) + and ( + profile.by_sender().prevalence != "common" + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +tags: + - "Malfam: MetaStealer" + - "Malfam: AtomicStealer" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" + - "YARA" +id: "43af98d3-fa3e-5734-9f5b-61f07bc3eae1"