The hypothesis is that the detection identifies potential Codoso APT activity involving the PGV PVID malware, which is associated with advanced persistent threats and may indicate lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT operations before they escalate.
YARA Rule
rule Codoso_PGV_PVID_5
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $s1 = "/c del %s >> NUL" fullword ascii
        $s2 = "%s%s.manifest" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
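To make the condition concrete, the following is an added Python example (not from the page, the rule's author, or YARA itself) that emulates how the rule's three terms combine: the MZ header check, the 500KB size limit, and both strings under `fullword ascii` semantics. The sample buffers are constructed, and treating ASCII letters and digits as YARA's "alphanumeric" delimiters is an assumption.

```python
# Strings and thresholds copied from the Codoso_PGV_PVID_5 rule above.
RULE_STRINGS = {
    "$s1": b"/c del %s >> NUL",
    "$s2": b"%s%s.manifest",
}
MAX_FILESIZE = 500 * 1024  # YARA reads "500KB" as 500 * 1024 bytes


def _fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's `fullword ascii`: some occurrence of the needle must not
    be directly preceded or followed by an ASCII letter or digit. Assumption:
    that is YARA's alphanumeric test, and buffer edges count as delimiters."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        end = idx + len(needle)
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[end:end + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False


def matches_codoso_pgv_pvid_5(data: bytes) -> dict:
    """Evaluate every term of the rule's condition
    (uint16(0) == 0x5a4d and filesize < 500KB and all of them)
    and return each result, so a triage script can show which term failed."""
    checks = {
        # uint16(0) is read little-endian, so 0x5a4d is the byte pair "MZ".
        "mz_header": data[0:2] == b"MZ",
        "filesize_lt_500KB": len(data) < MAX_FILESIZE,
    }
    for name, needle in RULE_STRINGS.items():
        checks[name] = _fullword_present(data, needle)
    checks["match"] = all(checks.values())
    return checks


# Constructed sample buffers (not real malware): an "MZ" stub carrying both
# strings, the same stub where $s1 runs into a trailing "L" so the fullword
# test fails, and a non-PE buffer that carries both strings.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"/c del %s >> NUL\x00%s%s.manifest\x00"
SAMPLE_NEAR_MISS = b"MZ" + b"\x00" * 62 + b"/c del %s >> NULL\x00%s%s.manifest\x00"
SAMPLE_NOT_PE = b"\x7fELF" + b"/c del %s >> NUL\x00%s%s.manifest\x00"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("near_miss", SAMPLE_NEAR_MISS), ("not_pe", SAMPLE_NOT_PE)]:
        print(label, matches_codoso_pgv_pvid_5(buf))
```

The per-term dictionary is what makes this useful in triage: a file that fails only on `$s1` because of a fullword delimiter is worth a second look, while a non-MZ file is simply out of scope for this rule.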
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft Windows Update may include files whose hashes or behaviors resemble those of the malware.
Filter/Exclusion: Check the process.parent_process field for svchost.exe or wuauclt.exe, and verify the process.name matches a known Windows Update component.
Scenario: Scheduled Job for Data Backup
Description: A scheduled backup job using tools like Veeam, Acronis, or rsync may execute scripts or binaries that resemble malicious activity.
Filter/Exclusion: Filter by process.name containing “backup” or “rsync”, and check the process.parent_process for a known backup service or scheduler such as the Windows Task Scheduler.
Scenario: Admin Task Using PowerShell for System Monitoring
Description: An administrator may use PowerShell scripts (e.g., PowerShell.exe) to monitor system performance or logs, which could trigger the rule due to similar command-line behavior.
Filter/Exclusion: Filter by process.name containing “PowerShell” and check the process.command_line for known admin scripts or paths like C:\Windows\System32\.
Scenario: Legitimate Use of Process Explorer or Process Hacker
Description: Security tools like Process Explorer or Process Hacker may be used by administrators to inspect processes, which could match the rule’s behavior.
Filter/Exclusion: Filter by process.name containing “Process Explorer” or “ProcessHacker”, and check the process.parent_process for a known admin tool or system process.
Scenario: Antivirus or EDR Tool Scanning Activity
Description: Antivirus or EDR tools (e.g., Microsoft Defender, CrowdStrike, SentinelOne) may perform