The hypothesis is that the detection rule identifies potential adversary behavior associated with APT15 group activity, specifically targeting infrastructure linked to the bs2005 campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises and disrupt advanced persistent threats before they escalate.
YARA Rule
rule malware_apt15_bs2005{
meta:
author = "Ahmed Zaki"
md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
description = "APT15 bs2005"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
$ = "%s&%s&%s&%s" wide ascii
$ = "%s\\%s" wide ascii
$ = "WarOnPostRedirect" wide ascii fullword
$ = "WarnonZoneCrossing" wide ascii fullword
$ = "^^^^^" wide ascii fullword
/*
"%s" /C "%s > "%s\tmp.txt" 2>&1 "
*/
$ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
$ ="IEharden" wide ascii fullword
$ ="DEPOff" wide ascii fullword
$ ="ShownVerifyBalloon" wide ascii fullword
$ ="IEHardenIENoWarn" wide ascii fullword
condition:
(uint16(0) == 0x5A4D and 5 of them) or
( uint16(0) == 0x5A4D and 3 of them and
( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
pe.imports("ole32.dll", "CoCreateInstance")))}
rule malware_apt15_royaldll{
meta:
author = "David Cannings"
description = "DLL implant, originally rights.dll and runs as a service"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
strings:
/*
56 push esi
B8 A7 C6 67 4E mov eax, 4E67C6A7h
83 C1 02 add ecx, 2
BA 04 00 00 00 mov edx, 4
57 push edi
90 nop
*/
// JSHash implementation (Justin Sobel's hash algorithm)
$opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
/*
0F B6 1C 03 movzx ebx, byte ptr [ebx+eax]
8B 55 08 mov edx, [ebp+arg_0]
30 1C 17 xor [edi+edx], bl
47 inc edi
3B 7D 0C cmp edi, [ebp+arg_4]
72 A4 jb short loc_10003F31
*/
// Encode loop, used to "encrypt" data before DNS request
$opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
/*
68 88 13 00 00 push 5000 # Also seen 3000, included below
FF D6 call esi ; Sleep
4F dec edi
75 F6 jnz short loc_10001554
*/
// Sleep loop
$opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
// Generic strings
$ = "Nwsapagent" fullword
$ = "\"%s\">>\"%s\"\\s.txt"
$ = "myWObject" fullword
$ = "del c:\\windows\\temp\\r.exe /f /q"
$ = "del c:\\windows\\temp\\r.ini /f /q"
condition:
3 of them
}This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" AND process.name != "vbackup"
Scenario: Admin performing a Windows Update via Group Policy
Filter/Exclusion: process.name != "wuauclt" AND process.name != "gupdate"
Scenario: Database maintenance task using SQL Server Agent Job
Filter/Exclusion: process.name != "sqlservr" AND process.name != "sqlagent"
Scenario: User running PowerShell script for log cleanup or report generation
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE "*Cleanup*" AND process.args NOT LIKE "*Report*"
Scenario: IT team deploying Microsoft Endpoint Configuration Manager (MECM) updates
Filter/Exclusion: process.name != "ccmexec" AND process.name != "mpcmdrun"