This rule fingerprints the loader Carbon Black observed delivering ROKRAT: a match on a file or in process memory indicates an adversary establishing a foothold on the host. SOC teams should scan suspicious attachments, dropped files and memory dumps with it and treat any hit as early-stage malware activity to be triaged before the payload runs. Matches can be forwarded to a SIEM such as Azure Sentinel for correlation with process and network telemetry, but the detection itself comes from YARA running over file or memory content, not from a query over behavioral logs.
YARA Rule
rule ROKRAT_loader : TAU DPRK APT
{
    meta:
        author = "CarbonBlack Threat Research" // JMyers
        date = "2018-Jan-11"
        description = "Designed to catch loader observed used with ROKRAT malware"
        reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
        rule_version = 1
        yara_version = "3.7.0"
        TLP = "White"
        exemplar_hashes = "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"

    strings:
        // process names the loader spawns (plain ASCII; no 'wide' modifier,
        // so UTF-16 copies of these names will not match)
        $n1 = "wscript.exe"
        $n2 = "cmd.exe"

        // API names used by the injection routine; these are common in
        // legitimate software, which is why the condition also demands
        // the code fragments below
        $s1 = "CreateProcess"
        $s2 = "VirtualAlloc"
        $s3 = "WriteProcessMemory"
        $s4 = "CreateRemoteThread"
        $s5 = "LoadResource"
        $s6 = "FindResource"

        // position-independent x86 decoder stub
        $b1 = {33 C9 33 C0 E8 00 00 00 00 5E} // Clear registers, call+5, pop ESI (get PC)
        // mov ecx, imm32 ; sub ecx, imm32 -> subtraction for encoded data offset.
        // Note: the '?' is a regex quantifier (the E9 byte becomes optional), not a
        // hex wildcard, and '.' does not match 0x0A unless the /s modifier is used.
        $b2 = /\xB9.{3}\x00\x81\xE9?.{3}\x00/
        // the above regex could slow down scanning
        $b3 = {03 F1 83 C6 02}             // add esi,ecx ; add esi,2 (fix up position)
        $b4 = {3E 8A 06 34 90 46}          // mov al,[esi] ; xor al,0x90 ; inc esi (derive XOR decode key)
        $b5 = {3E 30 06 46 49 83 F9 00 75 F6} // xor [esi],al ; inc esi ; dec ecx ; cmp ecx,0 ; jnz (XOR routine, then jmp to code)

        // push imm32 of ROR-13 API name hash values, plain text
        $hpt_1 = {68 EC 97 03 0C} // api name hash value - GlobalAlloc
        $hpt_2 = {68 54 CA AF 91} // api name hash value - VirtualAlloc
        $hpt_3 = {68 8E 4E 0E EC} // api name hash value - LoadLibraryA
        $hpt_4 = {68 AA FC 0D 7C} // api name hash value - GetProcAddress
        $hpt_5 = {68 1B C6 46 79} // api name hash value - VirtualProtect
        $hpt_6 = {68 F6 22 B9 7C} // api name hash value - GlobalFree

        // the same pushes with every byte XOR 0x13 (0x68 ^ 0x13 = 0x7B)
        $henc_1 = {7B FF 84 10 1F} // api name hash value - GlobalAlloc
        $henc_2 = {7B 47 D9 BC 82} // api name hash value - VirtualAlloc
        $henc_3 = {7B 9D 5D 1D FF} // api name hash value - LoadLibraryA; last byte corrected from EC as transcribed: 0xEC ^ 0x13 = 0xFF, matching $hpt_3
        $henc_4 = {7B B9 EF 1E 6F} // api name hash value - GetProcAddress
        $henc_5 = {7B 08 D5 55 6A} // api name hash value - VirtualProtect
        $henc_6 = {7B E5 31 AA 6F} // api name hash value - GlobalFree

    condition:
        (1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or all of ($hpt*) or all of ($henc*)
}
This YARA rule can be deployed wherever file or memory content is scanned: with the yara command-line tool against files, directories or a running process by PID, inside a sandbox or mail-gateway pipeline, or loaded into an endpoint agent that supports YARA.
This rule contains 25 string patterns in its detection logic: 2 process names ($n*), 6 API names ($s*), 5 code-byte patterns of which one is a regex ($b*), 6 plaintext API-hash pushes ($hpt*) and the same 6 pushes XOR-encoded with 0x13 ($henc*). The condition fires on any of three branches: one process name plus four API names plus four of the five code fragments, all six plaintext hash pushes, or all six encoded hash pushes.
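The six hash constants are not opaque: they are the ROR-13 function-name hash common in position-independent shellcode (h = ror32(h, 13) + byte for each byte of the name, terminator not folded in), and every $hpt_N and $henc_N in the rule can be regenerated from the API names in its comments. The script below is an added example, not Carbon Black's code; it assumes the exported names are GlobalAlloc, VirtualAlloc, LoadLibraryA, GetProcAddress, VirtualProtect and GlobalFree, and re-derives the `push imm32` bytes and their XOR-0x13 encoding so a transcribed copy of the rule can be checked byte for byte (a single wrong byte silently disables the `all of ($henc*)` branch). `resolve_hash` goes a step further than the page and maps a hash seen in a disassembly back to its API name.

```python
import struct

# Order matches $hpt_1..$hpt_6 / $henc_1..$henc_6 in the rule; the exact
# exported names are an assumption confirmed by the hashes reproducing.
API_NAMES = ["GlobalAlloc", "VirtualAlloc", "LoadLibraryA",
             "GetProcAddress", "VirtualProtect", "GlobalFree"]


def ror13_hash(name: str) -> int:
    """32-bit ROR-13 hash of an ASCII API name: rotate, then add each byte.
    The NUL terminator is not folded in; this reproduces the rule's constants."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def push_imm32(value: int) -> bytes:
    """x86 'push imm32': opcode 0x68 followed by the little-endian dword,
    i.e. the five bytes the $hpt_* hex strings match."""
    return b"\x68" + struct.pack("<I", value)


def xor_encode(data: bytes, key: int = 0x13) -> bytes:
    """Byte-wise XOR with the loader's 0x13 key, giving the $henc_* form."""
    return bytes(b ^ key for b in data)


def rule_strings() -> dict:
    """{api name: (plaintext push bytes, XOR-0x13 push bytes)} for all six APIs."""
    out = {}
    for name in API_NAMES:
        plain = push_imm32(ror13_hash(name))
        out[name] = (plain, xor_encode(plain))
    return out


def yara_hex(b: bytes) -> str:
    """Render bytes in YARA hex-string syntax for side-by-side comparison."""
    return "{ " + " ".join(f"{x:02X}" for x in b) + " }"


def resolve_hash(value: int, candidates=API_NAMES):
    """Reverse lookup: which candidate API name hashes to a value pushed by the
    loader. Returns None for an unknown hash (extend candidates as needed)."""
    for name in candidates:
        if ror13_hash(name) == value:
            return name
    return None


if __name__ == "__main__":
    for i, (name, (plain, enc)) in enumerate(rule_strings().items(), 1):
        print(f"$hpt_{i}  = {yara_hex(plain)}  // {name} 0x{ror13_hash(name):08X}")
        print(f"$henc_{i} = {yara_hex(enc)}")
```

Run it and diff the printed lines against the `$hpt_*` and `$henc_*` lines of whatever copy of the rule you are about to deploy; if the loader is recompiled with a different XOR key, only the `key` argument changes.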
Scenario: An analyst workstation, a malware repository or a threat-intelligence share holds copies of the ROKRAT sample, memory dumps of it, or this rule file itself, all of which contain the byte patterns above.
Filter/Exclusion: Exclude vetted sample stores, rule repositories and sandbox output directories by path, or individual files by hash. Do not exclude by the account that launched a process (for example members of the Administrators group): the rule keys on file and memory content, not on who ran it, and attackers routinely operate from elevated accounts.
Scenario: A security tool such as Microsoft Defender writes quarantine files or process memory dumps that contain the loader's decoded code.
Filter/Exclusion: Exclude the tool's quarantine and dump directories by path, then triage the match separately: a hit inside a dump still means the dumped process carried the loader.
Scenario: Legitimate software (installers, debuggers, EDR agents, build tooling such as Visual Studio, the dotNet CLI or MSBuild) imports CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread and the resource APIs.
Filter/Exclusion: No exclusion is needed for imports alone. The first branch of the condition also requires four of the five hand-written x86 fragments ($b*), so a binary that merely names these APIs does not match. If an in-house tool does trip the rule, exclude it by file hash rather than by process name, which an attacker can copy.
Scenario: Shellcode from penetration-testing frameworks resolves APIs with the same ROR-13 function-name hashing, so the $hpt* constants for LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect also appear in unrelated loaders.
Filter/Exclusion: Keep the rule enabled. That branch requires all six pushes, including the less common GlobalAlloc and GlobalFree hashes, so generic stagers rarely match; a hit during an authorized engagement should be confirmed against the red team's schedule, not excluded.
Scenario: A scheduled task or a patching mechanism such as SCCM, Windows Update or WSUS runs a legitimate loader or self-extracting package.
Filter/Exclusion: Task Scheduler and patching infrastructure are invisible to a content rule, so there is nothing to exclude on that basis. Scan the package files themselves; if a vendor package genuinely matches, allow-list that specific file by hash.
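To see how the three branches of the condition behave on the cases above, the following added example (not part of the page or of Carbon Black's rule) re-implements the rule's string families as Python byte regexes and evaluates the condition over constructed buffers: one that only names the APIs and process names, one carrying the x86 decoder fragments, and the two hash-push forms. It also exercises the $b2 regex edge case: because neither YARA (without the /s modifier) nor Python's `re` lets `.` match 0x0A, an otherwise valid `mov ecx, imm32` whose immediate contains a 0x0A byte is not matched. The sample bytes, padding and the helper names are all constructed here; for real scanning use the yara tool itself with the rule file.

```python
import re

# Exact byte patterns copied from the rule.
B1 = b"\x33\xC9\x33\xC0\xE8\x00\x00\x00\x00\x5E"           # get-PC stub
B2_RE = re.compile(rb"\xB9.{3}\x00\x81\xE9?.{3}\x00")     # as written: E9 optional, '.' excludes 0x0A
B3 = b"\x03\xF1\x83\xC6\x02"                               # add esi,ecx ; add esi,2
B4 = b"\x3E\x8A\x06\x34\x90\x46"                           # derive XOR key
B5 = b"\x3E\x30\x06\x46\x49\x83\xF9\x00\x75\xF6"           # XOR loop
HPT = [bytes.fromhex(h) for h in ("68EC97030C", "6854CAAF91", "688E4E0EEC",
                                  "68AAFC0D7C", "681BC64679", "68F622B97C")]
HENC = [bytes(x ^ 0x13 for x in p) for p in HPT]           # derived, not transcribed


def lit(*patterns):
    """Literal byte patterns (YARA text/hex strings without wildcards)."""
    return [re.compile(re.escape(p)) for p in patterns]


N_STRINGS = lit(b"wscript.exe", b"cmd.exe")
S_STRINGS = lit(b"CreateProcess", b"VirtualAlloc", b"WriteProcessMemory",
                b"CreateRemoteThread", b"LoadResource", b"FindResource")
B_PATTERNS = lit(B1) + [B2_RE] + lit(B3, B4, B5)
HPT_RE, HENC_RE = lit(*HPT), lit(*HENC)


def hits(patterns, data: bytes) -> int:
    """How many patterns of a family occur at least once (YARA's 'N of ($x*)')."""
    return sum(1 for p in patterns if p.search(data))


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition on a buffer and report which branch fired."""
    n, s, b = hits(N_STRINGS, data), hits(S_STRINGS, data), hits(B_PATTERNS, data)
    result = {
        "stub_branch": n >= 1 and s >= 4 and b >= 4,            # 1 of $n and 4 of $s and 4 of $b
        "plain_hash_branch": hits(HPT_RE, data) == len(HPT),    # all of ($hpt*)
        "xor13_hash_branch": hits(HENC_RE, data) == len(HENC),  # all of ($henc*)
        "b_hits": b,
    }
    result["match"] = any(result[k] for k in
                          ("stub_branch", "plain_hash_branch", "xor13_hash_branch"))
    return result


# ---- constructed samples -------------------------------------------------
PAD = b"\x90" * 8   # filler between fragments

# Every API name and both process names, but none of the code fragments:
# this is what a legitimate injector or installer looks like to the rule.
IMPORTS_ONLY = b"\x00".join([b"wscript.exe", b"cmd.exe", b"CreateProcess",
                             b"VirtualAlloc", b"WriteProcessMemory",
                             b"CreateRemoteThread", b"LoadResource", b"FindResource"])


def stub(b2_wildcards: bytes, with_b5: bool = True) -> bytes:
    """Constructed decoder stub: $b1, a $b2 instance (mov ecx, imm32 with the given
    three low bytes; sub ecx, 5), $b3, $b4 and optionally $b5."""
    assert len(b2_wildcards) == 3
    b2 = b"\xB9" + b2_wildcards + b"\x00" + b"\x81\xE9" + b"\x05\x00\x00\x00"
    parts = [B1, b2, B3, B4] + ([B5] if with_b5 else [])
    return PAD.join(parts)


LOADER = stub(b"\x10\x20\x30") + IMPORTS_ONLY   # fragments plus strings: branch 1
PLAIN_HASHES = PAD.join(HPT)                    # six plaintext pushes: branch 2
XOR_HASHES = PAD.join(HENC)                     # six encoded pushes: branch 3
# Four fragments only; the immediate 0x0A byte defeats $b2, leaving three.
NEWLINE_CASE = stub(b"\x10\x0A\x30", with_b5=False) + IMPORTS_ONLY

if __name__ == "__main__":
    for label, buf in [("imports only", IMPORTS_ONLY), ("loader stub", LOADER),
                       ("plain hashes", PLAIN_HASHES), ("xor13 hashes", XOR_HASHES),
                       ("0x0A in $b2 immediate", NEWLINE_CASE)]:
        print(f"{label:24s} {evaluate(buf)}")
```

The "imports only" buffer is the important negative: it carries all eight text strings and still does not match, which is why excluding developer or administrative tools wholesale buys nothing. The 0x0A case shows the cost of the `$b2` regex as written; if that fragility matters for your samples, append the `s` modifier (`/.../s`) in the rule.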