High Severity

Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited)

Description

An unsolicited HTML attachment, sent by a first-time sender or a known-bad source, that includes a Base64-encoded ZIP file header as well as indicators of evasion in JavaScript (including a decoding function and array push/shift manipulation). Leveraged for delivery of Bumblebee malware.

@delivr_to
Created Nov 10th, 2023 • Last updated Apr 22nd, 2024
Feed Source
delivr.to Feed
Source
type.inbound

and (
    (
        not profile.by_sender_email().solicited
        and profile.by_sender_email().prevalence in ("new", "outlier")
    )
    or (
        profile.by_sender_email().any_messages_malicious_or_spam
        and not profile.by_sender_email().any_false_positives
    )
    or sender.email.domain.domain == "delivrto.me"
)

and any(attachments,
    // HTML file format
    (
        regex.imatch(.file_extension, '^[sdx]{0,1}ht[ml]{0,2}') or 
        .file_type == "html"
    )
    and any(file.explode(.),
        any(.flavors.yara, . == "javascript_file") and 
        
        // High entropy JavaScript
        .scan.entropy.entropy > 5 and 
        
        // Array manipulation and evasion indicators
        all(["push", "shift", "atob"], . in ..scan.javascript.strings) and 

        // Smuggling Indicators
        all(["octet/stream", "revokeObjectURL", "appendChild", "URL", "click"], . in~ ..scan.javascript.strings) and

        // ZIP B64 File Header
        any(.scan.javascript.strings, strings.istarts_with(., "UEsDBB"))
    )
)
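The rule above is MQL and only runs inside Sublime, so the following is an added Python example (not part of the delivr.to rule or the Sublime platform) that re-implements its per-script checks over raw HTML, to show what each indicator actually tests. It assumes a simplified model of `scan.javascript.strings` (identifiers plus quoted string literal contents) and measures entropy over the script text, as the rule does over the exploded JavaScript file. The ZIP check goes one step further than the `UEsDBB` prefix match: the first five Base64 characters `UEsDB` are fixed by the `PK\x03\x04` local-header magic, and the sixth encodes the high nibble of the "version needed" byte (0x14, i.e. version 2.0, gives `B`), so the example decodes the first eight characters and verifies the magic directly, which also covers headers such as `UEsDBA`. The lure-like HTML it scans is constructed here: the archive member holds seeded pseudo-random bytes in place of a payload and the script only names the DOM calls, it drops nothing.

```python
import base64
import io
import math
import random
import re
import zipfile
from collections import Counter

# Indicator sets and threshold copied from the rule.
ARRAY_EVASION = ("push", "shift", "atob")
SMUGGLING = ("octet/stream", "revokeObjectURL", "appendChild", "URL", "click")
ENTROPY_THRESHOLD = 5.0
ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every ZIP member

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def script_strings(js: str) -> set:
    """Assumed approximation of MQL's scan.javascript.strings:
    identifiers in the code plus the contents of quoted string literals."""
    found = set(IDENT_RE.findall(js))
    found.update(m.group(2) for m in STRING_RE.finditer(js))
    return found


def base64_zip_header(strings) -> bool:
    """True when some string starts with a Base64-encoded ZIP local file header.
    Instead of matching the literal prefix, decode the first 8 characters
    (6 bytes) and check for the PK\\x03\\x04 magic."""
    for s in strings:
        if len(s) < 8 or not s.upper().startswith("UESDB"):
            continue
        try:
            head = base64.b64decode(s[:8], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if head.startswith(ZIP_MAGIC):
            return True
    return False


def evaluate_html(html: str) -> dict:
    """Apply the rule's per-script checks; a document matches if any script does."""
    scripts = []
    for js in SCRIPT_RE.findall(html):
        strings = script_strings(js)
        lowered = {s.lower() for s in strings}  # the rule uses in~ for these
        checks = {
            "high_entropy": shannon_entropy(js.encode()) > ENTROPY_THRESHOLD,
            "array_evasion": all(t in strings for t in ARRAY_EVASION),
            "smuggling": all(t.lower() in lowered for t in SMUGGLING),
            "zip_b64_header": base64_zip_header(strings),
        }
        checks["match"] = all(checks.values())
        scripts.append(checks)
    return {"scripts": scripts, "match": any(c["match"] for c in scripts)}


def build_sample_html(seed: int = 20231110) -> str:
    """Constructed test input. The ZIP member is seeded pseudo-random bytes,
    which stand in for a real payload and push the script's entropy above 5;
    the script names the indicator calls but performs none of them."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.bin", bytes(rng.getrandbits(8) for _ in range(600)))
    b64 = base64.b64encode(buf.getvalue()).decode()  # begins with "UEsDBBQA"
    return (
        "<html><body><script>\n"
        "var chunks = [];\n"
        f'chunks.push("{b64}");\n'
        "var raw = atob(chunks.shift());\n"
        'var mime = "octet/stream";\n'
        'var steps = ["URL", "appendChild", "click", "revokeObjectURL"];\n'
        "</script></body></html>\n"
    )


BENIGN_HTML = '<html><body><script>document.title = "Invoice";</script></body></html>'

if __name__ == "__main__":
    for label, doc in (("constructed lure", build_sample_html()), ("benign", BENIGN_HTML)):
        print(label, evaluate_html(doc))
```

Running the block prints one result per document: the constructed lure satisfies all four checks, the benign page none of them. The decode-and-verify ZIP check is the useful refinement for anyone porting this logic elsewhere, since a prefix match on `UEsDBB` silently misses archives whose version-needed byte is outside 0x10 to 0x1F.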