High Severity

Malware: Pikabot delivery via URL auto-download

Labels

Malware/Ransomware

Evasion

Description

This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar.

References

No references.

Sublime Security

Created Dec 19th, 2023 • Last updated Apr 25th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+')
)
and (
  any(body.links,
      .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
      and not .href_url.domain.domain in ("drive.google.com", "github.com")
  )
  or any(body.links,
         any(ml.link_analysis(., mode="aggressive").files_downloaded,
             .file_extension in~ $file_extensions_common_archives
             and (
               any(file.explode(.),
                   .file_extension =~ "js"
                   or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
               )
             )
         )
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.