The hypothesis is that the presence of the sqlsrv32.dll file associated with the Trojan.Kakfum malware indicates potential lateral movement or persistence by the Deep Panda group within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by advanced persistent threats.
YARA Rule
rule Anthem_DeepPanda_Trojan_Kakfum
{
    meta:
        description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
        author = "Florian Roth"
        date = "2015/02/08"
        hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
        hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
    strings:
        $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
        $s1 = "%s\\sqlsrv32.dll" fullword ascii
        $s2 = "%s\\sqlsrv64.dll" fullword ascii
        $s3 = "%s\\%d.tmp" fullword ascii
        $s4 = "ServiceMaix" fullword ascii
        $s15 = "sqlserver" fullword ascii
    condition:
        all of them
}
This rule contains 6 string patterns in its detection logic, and all of them must match for the rule to fire.
The YARA rule can be deployed in the following contexts; each one describes a benign source of sqlsrv32.dll activity together with the filter or exclusion that separates it from the hunted behavior:
Scenario: Scheduled SQL Server Maintenance Job
Description: A legitimate SQL Server maintenance job (e.g., SQLServerMaintenanceJob.exe) is running and is using sqlsrv32.dll as part of its operation.
Filter/Exclusion: Check for the presence of sqlsrv32.dll in known SQL Server directories (e.g., C:\Program Files\Microsoft SQL Server) and filter out processes that match known SQL Server service names or job schedules.
Scenario: Microsoft SQL Server Service Startup
Description: The SQL Server service (sqlservr.exe) is starting up and loading sqlsrv32.dll as part of its initialization process.
Filter/Exclusion: Exclude processes that are associated with the SQL Server service (e.g., sqlservr.exe) and check for the presence of sqlsrv32.dll in the SQL Server installation directory.
Scenario: Admin Task Using SQL Server Tools
Description: An administrator is using a legitimate tool like sqlcmd.exe or osql.exe to run SQL queries, which may load sqlsrv32.dll in the process.
Filter/Exclusion: Filter processes that are initiated by user accounts with administrative privileges and check for known SQL command-line tools in their execution path.
Scenario: Third-Party Database Tool Integration
Description: A third-party database tool (e.g., Toad, DBeaver, or SQL Developer) is being used and may load sqlsrv32.dll as part of its integration with SQL Server.
Filter/Exclusion: Exclude processes associated with known third-party database tools and verify the execution path against known tool directories.
Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Symant
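The exclusion scenarios above, turned into a triage function as an added example (not code from the original page or from the rule's author). It assumes a constructed event schema (path, process, cmdline, sha256) and adds two assumptions of its own: System32/SysWOW64 as expected locations, because the genuine sqlsrv32.dll is the SQL Server ODBC driver shipped there, and dbeaver.exe as an image name for one of the third-party tools.

```python
import ntpath

# SHA-256 values copied from the YARA rule's meta section above.
KAKFUM_SHA256 = {
    "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2",
    "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f",
}
# Directories where the scenarios expect a legitimate copy. System32/SysWOW64 are an
# added assumption: the genuine sqlsrv32.dll is the SQL Server ODBC driver installed there.
KNOWN_DIRS = (
    r"c:\program files\microsoft sql server",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)
# Loaders the scenarios treat as legitimate (dbeaver.exe is an assumed image name).
KNOWN_LOADERS = {"sqlservr.exe", "sqlcmd.exe", "osql.exe", "dbeaver.exe"}


def triage(event: dict) -> str:
    """Classify one file/image-load event as ignore, benign, review or escalate."""
    path = event["path"].lower()
    if ntpath.basename(path) not in ("sqlsrv32.dll", "sqlsrv64.dll"):
        return "ignore"
    if event.get("sha256", "").lower() in KAKFUM_SHA256:
        return "escalate"          # exact match on a known Kakfum sample
    # $s0 in the rule: the sample runs as a svchost service group named "sqlserver".
    if "-k sqlserver" in event.get("cmdline", "").lower():
        return "escalate"
    if not path.startswith(KNOWN_DIRS):
        return "escalate"          # DLL outside every expected location
    if ntpath.basename(event.get("process", "").lower()) in KNOWN_LOADERS:
        return "benign"            # scenarios listed above
    return "review"                # expected location, unexpected loader


def hunt(events):
    """Return (host, verdict) for the events that deserve analyst attention."""
    return [(e["host"], triage(e)) for e in events if triage(e) in ("review", "escalate")]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "db01", "path": r"C:\Windows\System32\sqlsrv32.dll", "cmdline": "",
     "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "sha256": "00"},
    {"host": "ws07", "path": r"C:\Windows\Temp\sqlsrv32.dll", "sha256": "11",
     "process": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k sqlserver"},
    {"host": "ws12", "path": r"C:\Windows\System32\sqlsrv32.dll", "sha256": "22",
     "process": r"C:\Users\bob\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields the ws07 event as escalate and the ws12 event as review, while the db01 load by sqlservr.exe is dropped as benign.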