← Back to Explore
sublimehighRule
Link to auto-downloaded DMG in encrypted zip
A link in the body of the message downloads an encrypted zip that contains a DMG file. This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware. Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.
Detection Query
type.inbound
and any(body.links,
any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
(
any(.flavors.yara, . == "encrypted_zip")
and any(.scan.zip.all_paths,
any([".dmg"], strings.ends_with(.., .))
)
)
)
)
)
and (
profile.by_sender().prevalence != "common"
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
- https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
- https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community
- https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates
Tags
Malfam: MetaStealerMalfam: AtomicStealer
Raw Content
name: "Link to auto-downloaded DMG in encrypted zip"
description: |
A link in the body of the message downloads an encrypted zip that contains a DMG file.
This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.
Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.
type: "rule"
references:
- "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
- "https://www.virustotal.com/gui/file/38c907b0d7866bd73308535847f84b491a1adc39ab7cf0e06f3d535f0388560c/community"
- "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates"
severity: "high"
source: |
type.inbound
and any(body.links,
any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
(
any(.flavors.yara, . == "encrypted_zip")
and any(.scan.zip.all_paths,
any([".dmg"], strings.ends_with(.., .))
)
)
)
)
)
and (
profile.by_sender().prevalence != "common"
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Malfam: MetaStealer"
- "Malfam: AtomicStealer"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Sender analysis"
- "URL analysis"
- "YARA"
id: "43af98d3-fa3e-5734-9f5b-61f07bc3eae1"