EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: Double base64-encoded zip file in HTML smuggling attachment

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

MITRE ATT&CK

T1566.001T1204.002T1486T1566T1566.002T1598T1036T1027T1059
defense-evasionexecution

Detection Query

type.inbound
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and any(attachments,
        .file_extension in ("html", "htm")
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(.,
                                  // Double Base64 encoded zips
                                  "*VUVzREJCUUFBUUFJQ*",
                                  "*VFc0RCQlFBQVFBSU*",
                                  "*VRXNEQkJRQUFRQUlB*",
                                  // Reversed base64 strings double encoded zips
                                  "*QJFUUBFUUCJERzVUV*",
                                  "*USBFVQBFlQCR0cFV*",
                                  "*BlUQRFUQRJkQENXRV*"
                    )
                )
        )
)

Author

ajpc500

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Tags

Malfam: QakBot
Raw Content
name: "Attachment: Double base64-encoded zip file in HTML smuggling attachment"
description: |
  Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
references:
  - "https://twitter.com/pr0xylife/status/1593325734004768770"
  - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
type: "rule"
severity: "high"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and any(attachments,
          .file_extension in ("html", "htm")
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    // Double Base64 encoded zips
                                    "*VUVzREJCUUFBUUFJQ*",
                                    "*VFc0RCQlFBQVFBSU*",
                                    "*VRXNEQkJRQUFRQUlB*",
                                    // Reversed base64 strings double encoded zips
                                    "*QJFUUBFUUCJERzVUV*",
                                    "*USBFVQBFlQCR0cFV*",
                                    "*BlUQRFUQRJkQENXRV*"
                      )
                  )
          )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "61ebb07b-264e-59fb-a82c-d91957991081"