-
Notifications
You must be signed in to change notification settings - Fork 6
/
attachment_html_smuggling_zip_with_evasion.yml
51 lines (45 loc) · 1.79 KB
/
attachment_html_smuggling_zip_with_evasion.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
name: "Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited)"
description: |
A unsolicited attachment with a HTML file format, sent by a first time sender or known-bad source, that includes a Base64-encoded ZIP file header, as well as indicators of evasion in JavaScript (including decoding function and array push/shift manipulation). Leveraged for delivery of Bumblebee malware.
type: "rule"
severity: "high"
authors:
- twitter: "delivr_to"
references:
- https://delivr.to/payloads?id=37541776-bc8e-4af7-a54e-de97052ec092
- https://twitter.com/0xtoxin/status/1722915203040354656
source: |
type.inbound
and (
(
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_false_positives
)
or sender.email.domain.domain == "delivrto.me"
)
and any(attachments,
// HTML file format
(
regex.imatch(.file_extension, '^[sdx]{0,1}ht[ml]{0,2}') or
.file_type == "html"
)
and any(file.explode(.),
any(.flavors.yara, . == "javascript_file") and
// High entropy JavaScript
.scan.entropy.entropy > 5 and
// Array manipulation and evasion indicators
all(["push", "shift", "atob"], . in ..scan.javascript.strings) and
// Smuggling Indicators
all(["octet/stream", "revokeObjectURL", "appendChild", "URL", "click"], . in~ ..scan.javascript.strings) and
// ZIP B64 File Header
any(.scan.javascript.strings, strings.istarts_with(., "UEsDBB"))
)
)
tags:
- "Suspicious Attachment"
- "Brand Impersonation"
- "Bumblebee"