The hypothesis is that the detection identifies potential Gh0st malware activity associated with the Codoso APT, leveraging unusual process behavior and network communication patterns indicative of adversarial persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Codoso APT compromises before significant damage occurs.
YARA Rule
rule Codoso_Gh0st_2
{
meta:
description = "Detects Codoso APT Gh0st Malware"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
strings:
$s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
$s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
$s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
$s14 = "%s -r debug 1" fullword ascii
$s15 = "\\\\.\\keymmdrv1" fullword ascii
$s17 = "RunMeByDLL32" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: Legitimate system update using Microsoft Update
Filter/Exclusion: process.name != "wuauclt.exe" or process.name != "msiexec.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "veeam.exe" or process.name != "vmbackup.exe"
Scenario: Admin performing a disk cleanup using Disk Cleanup tool
Filter/Exclusion: process.name != "cleanmgr.exe" or process.name != "dism.exe"
Scenario: IT staff running a PowerShell script for log rotation
Filter/Exclusion: process.name != "powershell.exe" or script.name != "logrotate.ps1"
Scenario: User launching a legitimate remote desktop connection
Filter/Exclusion: process.name != "mstsc.exe" or process.name != "rdpclip.exe"