The hypothesis is that the detection identifies potential Codoso APT activity through custom TCP-based malware communication, which may indicate covert data exfiltration or command and control interactions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT compromises that may evade traditional detection methods.
YARA Rule
rule Codoso_CustomTCP_3
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
    strings:
        $s1 = "DnsApi.dll" fullword ascii
        $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
        $s3 = "CONNECT %s:%d hTTP/1.1" ascii
        $s4 = "CONNECT %s:%d HTTp/1.1" ascii
        $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
        $s6 = "iphlpapi.dll" ascii
        $s7 = "%systemroot%\\Web\\" ascii
        $s8 = "Proxy-Authorization: Negotiate %s" ascii
        $s9 = "CLSID\\{%s}\\InprocServer32" ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
}
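To see how the condition behaves (the MZ-header branch needing 5 strings versus the fallback needing 7, and what `fullword` on $s1 does), here is an added Python re-implementation of this rule's matching logic against constructed buffers. It is not libyara and not part of the original rule; the `fullword` handling is an approximation of YARA's semantics, and the sample buffers are made up for testing.

```python
import re

# The nine ASCII strings quoted from rule Codoso_CustomTCP_3 (pattern, fullword?).
STRINGS = {
    "$s1": (b"DnsApi.dll", True),  # the only string with the fullword modifier
    "$s2": (b"softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s", False),
    "$s3": (b"CONNECT %s:%d hTTP/1.1", False),
    "$s4": (b"CONNECT %s:%d HTTp/1.1", False),
    "$s5": (b"Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)", False),
    "$s6": (b"iphlpapi.dll", False),
    "$s7": (b"%systemroot%\\Web\\", False),
    "$s8": (b"Proxy-Authorization: Negotiate %s", False),
    "$s9": (b"CLSID\\{%s}\\InprocServer32", False),
}

def string_matches(data: bytes, pattern: bytes, fullword: bool) -> bool:
    """Case-sensitive ASCII search. With fullword, hits bordered by alphanumerics
    are rejected (approximation of YARA's fullword; constructed, not libyara)."""
    if not fullword:
        return pattern in data
    rx = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(rx, data) is not None

def matched_strings(data: bytes) -> set:
    """Names of the rule's strings found in data."""
    return {name for name, (pat, fw) in STRINGS.items() if string_matches(data, pat, fw)}

def codoso_customtcp_3(data: bytes) -> bool:
    """Evaluates: ( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them"""
    hits = len(matched_strings(data))
    # uint16(0) reads the first two bytes little-endian, so b"MZ" == 0x5A4D
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    small = len(data) < 500 * 1024  # YARA's KB suffix means 1024 bytes
    return (is_mz and small and hits >= 5) or hits >= 7

# Constructed test buffers (not real samples).
_PATS = [p for p, _ in STRINGS.values()]
SAMPLE_PE_5 = b"MZ" + b"\x00" * 64 + b"\n".join(_PATS[:5])        # MZ header, 5 strings
SAMPLE_TXT_7 = b"#!/bin/sh\n" + b"\n".join(_PATS[:7])             # no MZ header, 7 strings
SAMPLE_FULLWORD = b"MZ" + b"xDnsApi.dllx\n" + b"\n".join(_PATS[1:5])  # $s1 embedded in a word
```

A buffer that carries 5 strings but exceeds 500 KB, or that is not a PE, falls through to the 7-string branch; `SAMPLE_FULLWORD` shows $s1 not counting when "DnsApi.dll" is glued to other letters.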
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that uses a custom TCP connection to update system files or perform disk cleanup.
Filter/Exclusion: Exclude connections initiated by known system maintenance tasks (e.g., schtasks.exe, Task Scheduler), or filter by source IP if the task is known to connect from a trusted internal IP.
Scenario: Admin Remote Management via Custom TCP
Description: An administrator using a custom TCP-based remote management tool (e.g., PsExec, RDP, or a custom in-house remote access tool) to manage endpoints.
Filter/Exclusion: Exclude traffic from known admin accounts or IP ranges used for remote management. Use process name or user context to filter out legitimate admin activities.
Scenario: Database Backup via Custom TCP
Description: A database backup process using a custom TCP connection to transfer data to a backup server (e.g., using a proprietary backup tool or a custom script).
Filter/Exclusion: Exclude traffic from known backup processes (e.g., sqlbackup.exe, mysqldump, or custom scripts with known names), or filter by destination IP if the backup server is known.
Scenario: Internal Monitoring Tool Communication
Description: A legitimate internal monitoring tool (e.g., Nagios, Zabbix, or Prometheus) using a custom TCP protocol to communicate with monitored hosts.
Filter/Exclusion: Exclude traffic from known monitoring tools by process name or by source/destination IP ranges used by the monitoring infrastructure.
Scenario: Software Update via Custom TCP
Description: A software update process using a custom TCP connection to download updates from an internal repository (e.g., using a custom update client or a proprietary tool).
Filter/Exclusion: