High Severity
Link to auto-downloaded DMG in encrypted zip
Description
A link in the body of the message downloads an encrypted zip that contains a DMG file.
This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.
Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.
References
- https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
- https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community
- https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates
Sublime Security
Created Nov 30th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
(
any(.flavors.yara, . == "encrypted_zip")
and any(.scan.zip.all_paths,
any([".dmg"], strings.ends_with(.., .))
)
)
)
)
)
and (
profile.by_sender().prevalence != "common"
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.