Link to auto-downloaded disk image in encrypted zip

name: "Link to auto-downloaded disk image in encrypted zip"
description: |
  A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1592502966409654272"
  - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
  - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
  - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
severity: "medium"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    any(.flavors.yara, . == "encrypted_zip")
                    and any(.scan.zip.all_paths,
                            any([".img", ".iso", ".vhd"],
                                strings.ends_with(.., .)
                            )
                    )
                  )
              )
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"