EXPLORE
Sign In
← Back to Explore
sublimehighRule

Malware: Pikabot delivery via URL auto-download

This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar.

MITRE ATT&CK

T1566.001T1204.002T1486T1036T1027
defense-evasion

Detection Query

type.inbound
and any(body.links,
        regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+')
)
and (
  any(body.links,
      .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
      and not .href_url.domain.domain in ("drive.google.com", "github.com")
  )
  or any(body.links,
         any(ml.link_analysis(., mode="aggressive").files_downloaded,
             .file_extension in~ $file_extensions_common_archives
             and (
               any(file.explode(.),
                   .file_extension =~ "js"
                   or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
               )
             )
         )
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Malfam: Pikabot
Raw Content
name: "Malware: Pikabot delivery via URL auto-download"
description: "This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+')
  )
  and (
    any(body.links,
        .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
        and not .href_url.domain.domain in ("drive.google.com", "github.com")
    )
    or any(body.links,
           any(ml.link_analysis(., mode="aggressive").files_downloaded,
               .file_extension in~ $file_extensions_common_archives
               and (
                 any(file.explode(.),
                     .file_extension =~ "js"
                     or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
                 )
               )
           )
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
tags:
  - "Malfam: Pikabot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Threat intelligence"
  - "URL analysis"
id: "f4be4572-82dc-5229-81ad-bd9fc9d6b673"