The detection identifies potential Casper French Espionage Malware activity through a string match in a file, indicating possible adversary data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate espionage-related threats early in the attack lifecycle.
YARA Rule
rule Casper_Included_Strings
{
    meta:
        description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 50
    strings:
        $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
        $a1 = "& SYSTEMINFO) ELSE EXIT"
        $mz = { 4d 5a }
        $c1 = "domcommon.exe" wide fullword // File Name
        $c2 = "jpic.gov.sy" fullword // C2 Server
        $c3 = "aiomgr.exe" wide fullword // File Name
        $c4 = "perfaudio.dat" fullword // Temp File Name
        $c5 = "Casper_DLL.dll" fullword // Name
        $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
        $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
    condition:
        all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )
}
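To make the rule's behaviour concrete, the following is an added example (not part of the rule above and not the yara library) that emulates its condition in plain Python: it shows how "wide" strings are searched as UTF-16LE, what "fullword" demands of the neighbouring bytes, and why the two script strings fire the rule on their own while a single $c* indicator only fires it inside an MZ file. All sample inputs are constructed, not real malware.

```python
# Pure-Python emulation of the Casper_Included_Strings condition (added example,
# not the page's rule or the yara library), showing wide/fullword and precedence.
A_STRINGS = [b"cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST", b"& SYSTEMINFO) ELSE EXIT"]
C_STRINGS = [  # (pattern, wide); wide=None marks the hex string $c6 (no fullword)
    (b"domcommon.exe", True), (b"jpic.gov.sy", False), (b"aiomgr.exe", True),
    (b"perfaudio.dat", False), (b"Casper_DLL.dll", False),
    (bytes.fromhex("7B4B59DE374A4226599863C62D0F5740"), None),
    (b"{4216567A-4512-9825-7745F856}", False),
]
MZ = b"MZ"  # $mz = { 4d 5a }

def _alnum_neighbour(chunk: bytes, wide: bool) -> bool:
    """True if the adjacent character is alphanumeric (a wide char is b'X\\x00')."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def find_fullword(data: bytes, pattern: bytes, wide: bool) -> bool:
    """Emulate a YARA text string with 'fullword' and optionally 'wide'.
    wide: search the pattern as UTF-16LE (each ASCII byte followed by 0x00).
    fullword: a hit counts only if not directly bordered by alphanumerics.
    """
    step = 2 if wide else 1
    needle = pattern.decode("ascii").encode("utf-16-le") if wide else pattern
    pos = data.find(needle)
    while pos != -1:
        before = data[max(pos - step, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum_neighbour(before, wide) and not _alnum_neighbour(after, wide):
            return True
        pos = data.find(needle, pos + 1)
    return False

def casper_included_strings(data: bytes) -> bool:
    """condition: all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )
    YARA binds 'and' tighter than 'or': both script strings alone fire the rule,
    while a single $c* indicator fires it only inside an MZ (PE) file.
    """
    all_a = all(s in data for s in A_STRINGS)  # $a* carry no fullword modifier
    mz_at_0 = data.startswith(MZ)
    one_c = any((p in data) if wide is None else find_fullword(data, p, wide)
                for p, wide in C_STRINGS)
    return all_a or (mz_at_0 and one_c)

# Constructed samples (not real malware), one per branch of the condition.
SAMPLE_PE_WIDE = MZ + b"\x00" * 62 + "domcommon.exe".encode("utf-16-le") + b"\x00\x00"
SAMPLE_SCRIPT = b"cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST x & SYSTEMINFO) ELSE EXIT"
SAMPLE_NOT_FULLWORD = MZ + b"\x00" * 62 + b"xjpic.gov.syz"  # indicator glued to letters
SAMPLE_NO_MZ = b"readme: see jpic.gov.sy for details"  # indicator present, not a PE
```

SAMPLE_NOT_FULLWORD and SAMPLE_NO_MZ both contain the C2 string yet do not match, which is the behaviour to keep in mind when tuning exclusions for this rule.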
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
Scenario: Legitimate software update from Casper French (a real company, not the malware)
Filter/Exclusion: Check the file hash against a known good hash of the Casper French software update. Use a filter like:
file.hash.md5 == "known_good_hash"
Scenario: Admin manually downloading a file containing the URL for configuration or documentation purposes
Filter/Exclusion: Exclude files downloaded by admin accounts during specific time windows or from known internal repositories. Use:
user.name == "admin" && event.time >= "2024-01-01T00:00:00" && event.time <= "2024-01-31T23:59:59"
Scenario: Scheduled job running a script that includes the URL for API testing or integration
Filter/Exclusion: Exclude files associated with scheduled jobs that are known to be part of development or testing environments. Use:
process.name == "scheduled_job_script.sh" && process.parent.name == "cron"
Scenario: Use of a legitimate tool that includes the URL in its documentation or help files
Filter/Exclusion: Exclude files that are part of documentation or help files for tools like curl, wget, or nslookup. Use:
file.name contains "help" || file.name contains "doc" || file.name contains "manual"
Scenario: False positive from a third-party tool that includes the URL in its configuration or logging
Filter/Exclusion: Exclude files generated by third-party tools like Wireshark, tcpdump, or Logstash that may include URLs in logs. Use:
process.name contains