Recently while reviewing information stealer malware distributed by malvertizing I noticied that there were multiple instances of zip archives with languge pack strings from bandizip, a archive compression tool.
Here is the Yara rule that I created for detecting zip archives containing a executable file and the bandizip strings refrences:
rule zip_with_exe_langpack {
meta:
author = "Colin Cowie"
description = "Detects zip archives with a compressed exe and a language pack"
strings:
$exe = ".exe"
$langs = "langs/"
$ini = ".ini"
condition:
uint32(0) == 0x04034b50
and all of them
and #ini > 6
}
This rule did return quite a few non-suspicous files. It did also however find a variety of different InfoStealers including:
Raccoon Stealer v2:
- Zoom.zip
- 17b0528c0ac7fd49f2a941e581d1300b9258fc63
- Pass_1234_Setup.zip
- f111a5aa46a7a84dbe579936ae1eb8d914fc65f2
Redline Stealer:
- TradingView (Pro+) Desktop.zip
- 05eca8ce9a0cc2e5f00b267618e4aed3c5c897af
- OBS-Studio-28.1.2-Full-Installer-x64.zip
- 44c7ac23d985c78262771bad3b86c8912793f71b
Formbook:
- Google Maps (1).zip
- 1504d2e74d52f14925b87ac9f47cf079ed408493