The detection identifies potential APT malware activity where an adversary may be dropping the PcClient RAT to establish persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement and data exfiltration.
YARA Rule
rule apt_c16_win64_dropper
{
    meta:
        author = "@dragonthreatlab"
        date = "2015/01/11"
        description = "APT malware used to drop PcClient RAT"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"

    strings:
        $mz = { 4D 5A }
        $str1 = "clbcaiq.dll" ascii
        $str2 = "profapi_104" ascii
        $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
        $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }

    condition:
        $mz at 0 and all of ($str*)
}
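To make the condition concrete, here is an added pure-Python evaluator of this rule (not part of the original page and not a substitute for the YARA engine) that checks "$mz at 0 and all of ($str*)" against constructed byte buffers. The buffers, the function names and the labels are all assumptions made here; the strings and hex pattern are taken verbatim from the rule above.

```python
# Added example: re-implements the rule's condition in plain Python so the
# matching logic can be inspected without yara-python. All sample buffers
# below are constructed here and are not real files or malware.

RULE_NAME = "apt_c16_win64_dropper"

# The rule's strings as raw bytes ("ascii" modifier => exact byte match).
STRINGS = {
    "$mz": bytes.fromhex("4D5A"),
    "$str1": b"clbcaiq.dll",
    "$str2": b"profapi_104",
    "$str3": b"\\Microsoft\\wuauclt\\wuauclt.dat",
    "$str4": bytes.fromhex("0FB60A48FFC280E90380F10349FFC8884AFF75EC"),
}


def find_matches(data: bytes) -> dict:
    """Return every offset at which each rule string occurs in data."""
    hits = {}
    for name, pattern in STRINGS.items():
        offsets = []
        pos = data.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: $mz at 0 and all of ($str*)."""
    hits = find_matches(data)
    mz_at_zero = 0 in hits["$mz"]  # "at 0" means the MZ header is at offset 0 exactly
    all_strs = all(hits[n] for n in hits if n.startswith("$str"))  # every $str1..$str4 present
    return mz_at_zero and all_strs


# Constructed samples: a synthetic PE-like buffer carrying every indicator, a
# buffer sharing only one file name (the "shared naming" false-positive case),
# and a non-PE carrier that holds the strings but has no MZ header at offset 0.
FULL_SAMPLE = b"MZ" + b"\x00" * 64 + b"".join(
    STRINGS[n] + b"\x00" for n in ("$str1", "$str2", "$str3", "$str4"))
ONLY_ONE_STRING = b"MZ" + b"\x00" * 64 + b"clbcaiq.dll\x00"
NOT_A_PE = b"#!/bin/sh\n" + FULL_SAMPLE[2:]

if __name__ == "__main__":
    for label, buf in (("full", FULL_SAMPLE), ("one string", ONLY_ONE_STRING), ("no MZ", NOT_A_PE)):
        print(f"{RULE_NAME} on {label}: {rule_matches(buf)}")
```

Only the first buffer matches: a single shared file name or a text dump containing the strings does not satisfy the condition, which is why the rule is tighter than the per-string false-positive scenarios below might suggest.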
This rule contains 5 string patterns in its detection logic; the condition requires the MZ header at offset 0 and all four $str patterns to be present in the same file. The following scenarios describe benign contexts that may produce similar artifacts when the rule is deployed, each with a suggested filter or exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that includes a file matching the YARA rule due to similar string patterns.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or Task Scheduler and exclude files with C:\Windows\Tasks\ in the path.
Scenario: Admin Tool for Remote Management
Description: The tool PsExec or Remote Desktop Services may generate similar artifacts when executing remote commands.
Filter/Exclusion: Exclude processes with PsExec.exe or mstsc.exe in the command line, or filter by ProcessName containing these tools.
Scenario: Software Update Deployment
Description: A legitimate software update (e.g., from Microsoft or a third-party vendor) may include a file that matches the YARA rule due to shared code or naming conventions.
Filter/Exclusion: Filter by FileHash or FileVersion of known legitimate updates, or check for C:\Windows\Temp\ or C:\Program Files\ in the file path.
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PowerShell.exe with Invoke-Command) may generate similar artifacts due to string similarity.
Filter/Exclusion: Exclude processes with PowerShell.exe in the command line, or filter by ProcessCommandLine containing Invoke-Command or Configuration.
Scenario: Antivirus Quarantine File
Description: A file moved to quarantine by an antivirus tool may match the YARA rule due to false positives in signature matching.
Filter/Exclusion: Check for FileOwner or FileLocation indicating quarantine directories (e.g., `C:\Windows\System3