High Severity

Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

Labels

Description

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

References

https://twitter.com/pr0xylife/status/1593325734004768770

https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar

https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9

https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7

@ajpc500

Created Aug 17th, 2023 • Last updated Oct 4th, 2023

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and any(attachments,
        .file_extension in ("html", "htm")
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(.,
                                  // Double Base64 encoded zips
                                  "*VUVzREJCUUFBUUFJQ*",
                                  "*VFc0RCQlFBQVFBSU*",
                                  "*VRXNEQkJRQUFRQUlB*",
                                  // Reversed base64 strings double encoded zips
                                  "*QJFUUBFUUCJERzVUV*",
                                  "*USBFVQBFlQCR0cFV*",
                                  "*BlUQRFUQRJkQENXRV*"
                    )
                )
        )
)

MQL Console

•

View MQL Guide

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.