The Trojan Derusbi detection rule identifies potential adversary activity involving the execution of malicious payloads associated with the Derusbi malware family. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts by advanced persistent threats leveraging this malware.
YARA Rule
rule Trojan_Derusbi
{
    meta:
        Author = "RSA_IR"
        Date = "4Sept13"
        File = "derusbi_variants v 1.3"
        MD5 = "c0d4c5b669cc5b51862db37e972d31ec"
    strings:
        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
        $b3 = {4E E6 40 BB}
        $b4 = {B1 19 BF 44}
        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
    condition:
        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}
This YARA rule can be deployed in the following contexts:
This rule defines 8 hex string patterns ($b1 through $b8, with ?? marking a single wildcard byte); the condition fires only when at least two of $b1 to $b4 and at least one of $b5 to $b8 are present.
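To show how the condition above is evaluated, here is an added example (not part of the original page or of the RSA rule) that translates the rule's hex strings into Python regexes and checks the "2 of ... and 1 of ..." logic against constructed buffers; the buffers and the instantiate helper are assumptions for the demonstration, not real samples.

```python
import re

# Hex strings copied from the Trojan_Derusbi rule above; "??" is one wildcard byte.
PATTERNS = {
    "$b1": "8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??",
    "$b2": "F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E",
    "$b3": "4E E6 40 BB",
    "$b4": "B1 19 BF 44",
    "$b5": "6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D",
    "$b6": "F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E",
    "$b7": "D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3",
    "$b8": "C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F",
}

def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string into a compiled bytes regex ("??" -> any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}
GROUP_A = {"$b1", "$b2", "$b3", "$b4"}
GROUP_B = {"$b5", "$b6", "$b7", "$b8"}

def matching_strings(data):
    """Names of the rule's strings that occur anywhere in data."""
    return {name for name, rx in COMPILED.items() if rx.search(data)}

def trojan_derusbi_condition(data):
    """Evaluate the rule condition: 2 of ($b1..$b4) and 1 of ($b5..$b8)."""
    found = matching_strings(data)
    return len(found & GROUP_A) >= 2 and len(found & GROUP_B) >= 1

def instantiate(pattern, fill=0x41):
    """Constructed helper: turn a pattern into concrete bytes, wildcards -> fill byte."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())

# Constructed buffers (not real samples) that exercise the condition's edge cases.
BUF_CLEAN = b"MZ" + b"\x00" * 64
BUF_B3_B4 = b"\x00" * 4 + instantiate(PATTERNS["$b3"]) + b"\x00" * 4 + instantiate(PATTERNS["$b4"])
BUF_B3_B6 = instantiate(PATTERNS["$b3"]) + instantiate(PATTERNS["$b6"])
# $b6 is a prefix of $b2, so any $b2 hit also satisfies the "1 of ($b5..$b8)" clause.
BUF_B2_B3 = instantiate(PATTERNS["$b2"]) + instantiate(PATTERNS["$b3"])

if __name__ == "__main__":
    for label, buf in [("clean", BUF_CLEAN), ("b3+b4", BUF_B3_B4),
                       ("b3+b6", BUF_B3_B6), ("b2+b3", BUF_B2_B3)]:
        print(f"{label:6} strings={sorted(matching_strings(buf))} "
              f"match={trojan_derusbi_condition(buf)}")
```

Two group-A hits alone (b3+b4) or one group-A hit plus a group-B hit (b3+b6) do not fire; b2+b3 fires because $b2 implies $b6.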
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Identify PowerShell by process name and filter out those processes that were started by the System account or the Administrators group and run known update scripts.
Scenario: A scheduled task is configured to run a legitimate script that mimics the behavior of the Trojan Derusbi, such as file encryption for testing purposes.
Filter/Exclusion: Exclude tasks that are scheduled via Task Scheduler and have a known legitimate script path, such as C:\Windows\System32\ or C:\Program Files\.
Scenario: A remote management tool like Microsoft Endpoint Manager (MEM) is performing a system scan or configuration push that triggers the YARA rule due to similar file patterns.
Filter/Exclusion: Exclude processes associated with Microsoft Endpoint Manager or Microsoft Intune by checking the process name or parent process.
Scenario: A backup job using Veeam Backup & Replication is copying files that match the YARA signature due to similar file structures.
Filter/Exclusion: Exclude processes related to Veeam by checking the process name or for command-line arguments containing "Veeam".
Scenario: An IT support tool like LogMeIn or TeamViewer is being used to remotely access a system, and its internal components match the YARA signature.
Filter/Exclusion: Exclude processes associated with LogMeIn, TeamViewer, or other remote access tools by checking the process name or digital certificate.