The hypothesis is that the detection identifies potential Codoso APT activity involving the PGV PVID malware, which is associated with advanced persistent threats and may indicate lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise from sophisticated adversaries.
YARA Rule
rule Codoso_PGV_PVID_2
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
        $s1 = "regsvr32.exe /s \"%s\"" fullword ascii
        $s2 = "Help and Support" fullword ascii
        $s3 = "netsvcs" fullword ascii
        $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occurred 4 times */
        $s10 = "winlogon" fullword ascii /* Goodware String - occurred 4 times */
        $s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occurred 11 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 907KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
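The condition above requires an MZ header, a file under 907 KB, and all seven strings as "fullword" matches (not adjacent to alphanumeric bytes). The following is an added example, not part of the rule or this page, that re-implements that condition in plain Python over constructed byte buffers so an analyst can see which clause made a sample match or miss; it approximates YARA's fullword semantics with a regex and does not replace a real YARA scan.

```python
import re

# The seven strings from the rule above, all declared "fullword ascii".
RULE_STRINGS = {
    "$s0": b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost",
    "$s1": b'regsvr32.exe /s "%s"',
    "$s2": b"Help and Support",
    "$s3": b"netsvcs",
    "$s9": b"%SystemRoot%\\System32\\svchost.exe -k netsvcs",
    "$s10": b"winlogon",
    "$s11": b"System\\CurrentControlSet\\Services",
}
MAX_SIZE = 907 * 1024  # YARA's KB suffix means 1024 bytes


def fullword_present(data: bytes, s: bytes) -> bool:
    """Approximate YARA 'fullword': the string must not be immediately
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition separately so the
    result explains why a buffer matched or did not."""
    matched = {name: fullword_present(data, s) for name, s in RULE_STRINGS.items()}
    is_mz = data[:2] == b"MZ"  # uint16(0) == 0x5a4d read little-endian
    size_ok = len(data) < MAX_SIZE
    return {
        "is_mz": is_mz,
        "size_ok": size_ok,
        "strings": matched,
        "match": is_mz and size_ok and all(matched.values()),
    }


def constructed_sample(variant: str = "match") -> bytes:
    """Constructed test buffers (not real malware) that embed the strings."""
    body = b"\x00" + b"\x00".join(RULE_STRINGS.values()) + b"\x00"
    if variant == "match":         # fake MZ header followed by the strings
        return b"MZ" + b"\x90" * 62 + body
    if variant == "not_pe":        # same strings, but not an MZ file
        return b"\x7fELF" + body
    if variant == "partial_word":  # "winlogon" glued to digits: fullword fails
        return b"MZ" + body.replace(b"\x00winlogon\x00", b"\x00winlogon32\x00")
    raise ValueError(variant)
```

Running evaluate() on the "partial_word" variant shows $s10 as the single failing clause, which is the kind of detail worth checking before tuning or loosening a rule like this one.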
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service may trigger the rule due to the presence of a file or process name that matches the malware signature.
Filter/Exclusion: Check the Process-Parent field to ensure the parent process is svchost.exe or wuauclt.exe, and verify the file path is within a known Windows update directory (e.g., C:\Windows\SoftwareDistribution\).
Scenario: Scheduled Job for Database Backup
Description: A scheduled job running a database backup tool like sqlbackup.exe or mysqldump may be flagged due to similar process names or file hashes.
Filter/Exclusion: Filter by Process-Name to exclude known backup tools, and check the File-Path to ensure it is within a legitimate backup directory (e.g., C:\Backup\ or D:\SQLBackups\).
Scenario: Admin Task for Log File Rotation
Description: An administrator may use a script or tool like logrotate or PowerShell to rotate log files, which could trigger the rule if the script name or process is similar to the malware.
Filter/Exclusion: Filter by Process-Name to exclude powershell.exe or logrotate.exe, and check the File-Path to ensure it is within a system log directory (e.g., C:\Windows\System32\LogFiles\).
Scenario: Antivirus Quarantine Process
Description: An antivirus tool like Kaspersky, Bitdefender, or Malwarebytes may temporarily quarantine files, which could be flagged by the rule due to similar file names or hashes.
Filter/Exclusion: Check the `Process-Name