The hypothesis is that the detection identifies potential Codoso APT activity involving custom TCP-based malware, which may indicate covert data exfiltration or command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT operations that may evade traditional detection methods.
YARA Rule
rule Codoso_CustomTCP_4
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
        hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
        hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
        hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
    strings:
        $x1 = "varus_service_x86.dll" fullword ascii
        $s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
        $s2 = "net start %%1" fullword ascii
        $s3 = "ping 127.1 > nul" fullword ascii
        $s4 = "McInitMISPAlertEx" fullword ascii
        $s5 = "sc start %%1" fullword ascii
        $s6 = "net stop %%1" fullword ascii
        $s7 = "WorkerRun" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or ( $x1 and 2 of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
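The condition above has two branches: a PE file under 400KB with any five of the eight strings, or the DLL name ($x1) together with any two supporting strings regardless of header or size. The following added example (not part of the page or the rule author's tooling) re-implements that logic and YARA's fullword semantics in plain Python so the branches can be checked against constructed buffers without libyara; the buffer contents are constructed for illustration, not real samples.

```python
import re

# Strings reproduced from the rule on this page: $x1 is the high-confidence
# indicator, $s1..$s7 are supporting strings.
X_STRINGS = {"x1": b"varus_service_x86.dll"}
S_STRINGS = {
    "s1": b"/s %s /p %d /st %d /rt %d",
    "s2": b"net start %%1",
    "s3": b"ping 127.1 > nul",
    "s4": b"McInitMISPAlertEx",
    "s5": b"sc start %%1",
    "s6": b"net stop %%1",
    "s7": b"WorkerRun",
}
MAX_SIZE = 400 * 1024  # YARA's "400KB" is 400 * 1024 bytes


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii': the match may not touch an alphanumeric byte."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def matches_codoso_customtcp_4(data: bytes) -> bool:
    """Evaluate the rule's condition in pure Python (no libyara required)."""
    x_hits = {k for k, v in X_STRINGS.items() if fullword_present(data, v)}
    s_hits = {k for k, v in S_STRINGS.items() if fullword_present(data, v)}
    is_mz = data[:2] == b"MZ"  # uint16(0) == 0x5a4d read little-endian
    # Branch A: PE header, under 400KB, any 5 of the 8 strings ("them").
    branch_a = is_mz and len(data) < MAX_SIZE and len(x_hits) + len(s_hits) >= 5
    # Branch B: the DLL name plus any two $s strings, regardless of header or size.
    branch_b = "x1" in x_hits and len(s_hits) >= 2
    return branch_a or branch_b


# Constructed buffers (not real samples) exercising each branch and the fullword edge case.
PE_FIVE_STRINGS = b"MZ" + b"\0" * 62 + b"\0".join(
    [b"net start %%1", b"sc start %%1", b"net stop %%1", b"WorkerRun", b"McInitMISPAlertEx"]) + b"\0"
ELF_WITH_DLL_NAME = b"\x7fELF\0varus_service_x86.dll\0ping 127.1 > nul\0WorkerRun\0"
PE_FOUR_STRINGS = b"MZ\0net start %%1\0sc start %%1\0net stop %%1\0WorkerRun\0"
# "WorkerRun" embedded in "MyWorkerRunner" is not a fullword hit, so only 4 strings count.
PE_NOT_FULLWORD = b"MZ\0net start %%1\0sc start %%1\0net stop %%1\0McInitMISPAlertEx\0MyWorkerRunner\0"

if __name__ == "__main__":
    for name, buf in [("PE_FIVE_STRINGS", PE_FIVE_STRINGS), ("ELF_WITH_DLL_NAME", ELF_WITH_DLL_NAME),
                      ("PE_FOUR_STRINGS", PE_FOUR_STRINGS), ("PE_NOT_FULLWORD", PE_NOT_FULLWORD)]:
        print(f"{name}: {matches_codoso_customtcp_4(buf)}")
```

The fullword case matters when tuning: a string like WorkerRun glued to other identifiers does not count, which is why the rule can require five hits without firing on every binary that happens to embed one of the shorter tokens.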
Scenario: Legitimate scheduled backup job using rsync over TCP
Filter/Exclusion: process.name = rsync and destination.path contains /backup/

Scenario: Admin performing remote system update via ssh with custom TCP port
Filter/Exclusion: process.name = ssh and destination.port = 22 (or any standard SSH port)

Scenario: Database replication using pg_basebackup over TCP
Filter/Exclusion: process.name = pg_basebackup and destination.path contains /data/replica/

Scenario: Internal monitoring tool using tcpdump for network analysis
Filter/Exclusion: process.name = tcpdump and destination.ip contains 10.0.0.0/8

Scenario: Custom application using netcat for internal service communication
Filter/Exclusion: process.name = netcat and destination.port in (8080, 9090, 8081)