Executables signed with certificates previously associated with the Derusbi Trojan may indicate malicious activity leveraging trusted code signing to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential supply chain attacks and mitigate advanced persistent threats.
YARA Rule
rule Derusbi_Code_Signing_Cert
{
    meta:
        description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
        author = "Florian Roth"
        reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
        date = "2015-12-15"
        score = 40
    strings:
        $s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
        $s2 = "XL Games Co.,Ltd.0" fullword ascii
        $s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
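To make the rule's condition concrete, the following added example (not from the original page or the rule's author) re-implements it in plain Python: the little-endian uint16(0) check for the MZ header, the 800KB filesize bound, and YARA's "fullword" boundary semantics for the three signer strings. The samples it runs on are constructed buffers, not real binaries.

```python
# Added example, not part of the original page: a plain-Python re-implementation
# of the Derusbi_Code_Signing_Cert rule's condition, so uint16(0), filesize and
# "fullword ascii" semantics can be checked on constructed buffers without YARA.

CERT_SUBJECT_STRINGS = [
    b"Fuqing Dawu Technology Co.,Ltd.0",
    b"XL Games Co.,Ltd.0",
    b"Wemade Entertainment co.,Ltd0",
]
MAX_FILESIZE = 800 * 1024  # YARA's "800KB"


def _is_word_byte(b: int) -> bool:
    # YARA fullword treats ASCII letters and digits as word characters
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """True if pattern occurs with no alphanumeric byte directly before or after."""
    start = data.find(pattern)
    while start != -1:
        end = start + len(pattern)
        before_ok = start == 0 or not _is_word_byte(data[start - 1])
        after_ok = end == len(data) or not _is_word_byte(data[end])
        if before_ok and after_ok:
            return True
        start = data.find(pattern, start + 1)
    return False


def derusbi_cert_rule(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 800KB and 1 of them."""
    # uint16(0) is little-endian, so 0x5a4d is the "MZ" DOS header magic
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return any(fullword_match(data, s) for s in CERT_SUBJECT_STRINGS)


def constructed_sample(org: bytes, trailer: bytes = b"\x1e", magic: bytes = b"MZ") -> bytes:
    # Constructed, not a real binary: DOS magic, padding, then a DER-like
    # fragment where 0x0c/0x0b precede the name and `trailer` follows the
    # 0x30 byte that ends each pattern. A trailer in the alphanumeric range
    # (e.g. b"A") breaks the fullword match, a tuning caveat worth knowing.
    return magic + b"\x00" * 126 + b"\x0c\x0b" + org + trailer
```

Because the byte after each pattern's trailing "0" is a DER length byte in a real signature, the fullword qualifier can miss a genuine match when that length falls in the ASCII letter or digit range; keep that in mind when assessing coverage of this rule.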
Scenario: A system administrator uses PowerShell to deploy a legitimate update script that is signed with a certificate previously associated with the Derusbi Trojan.
Filter/Exclusion: Exclude processes initiated by powershell.exe with the -File parameter pointing to a known internal update script path, e.g., C:\Scripts\update.ps1.
Scenario: A scheduled task runs a legitimate maintenance script that is signed with a certificate previously linked to the Derusbi Trojan.
Filter/Exclusion: Exclude processes launched by schtasks.exe or with a task name matching internal maintenance tasks, e.g., TaskName = "MonthlySystemCheck".
Scenario: A Windows Update installation process signs an executable with a certificate that was previously used by the Derusbi Trojan.
Filter/Exclusion: Exclude processes with ImageFileName = "wusa.exe" or ImageFileName = "setup.exe" associated with Microsoft-signed updates.
Scenario: A third-party tool like Microsoft Endpoint Configuration Manager (MECM) deploys a legitimate application that uses a certificate previously associated with the Derusbi Trojan.
Filter/Exclusion: Exclude processes launched by ccmexec.exe or with a known MECM deployment path, e.g., C:\Windows\System32\ccm\ccmexec.exe.
Scenario: A system backup tool such as Veeam Backup & Replication runs a backup job that includes an executable signed with a certificate previously linked to the Derusbi Trojan.
Filter/Exclusion: Exclude processes with ImageFileName = "veeam.exe" or with a command line containing backup or snapshot keywords.