High Severity

Attachment: Archive with embedded EXE file

Labels

Malware/Ransomware

Evasion

Archive analysis

File analysis

YARA

Description

Recursively scans files and archives to detect embedded EXE files (with an MZ header).

According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation".

The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.

References

https://therecord.media/ukraine-warns-of-massive-russian-spear-phishing-campaign/

Sublime Security

Created Aug 17th, 2023 • Last updated Feb 27th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_common_archives
          or .file_type == "rar"
        )
        and any(file.explode(.),
                // the YARA scanner alone can be a bit unreliable,
                // it's matched on MZ strings in a text file before
                any(.flavors.yara, . == "mz_file")
                and strings.starts_with(.flavors.mime, "application")
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.