The hypothesis is that this detection identifies potential Codoso APT activity through the custom TCP-based communication of its malware, which indicates command-and-control interaction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT operations before they escalate.
YARA Rule
rule Codoso_CustomTCP_2
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
    strings:
        $s1 = "varus_service_x86.dll" fullword ascii
        $s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
        $s3 = "net start %%1" fullword ascii
        $s4 = "ping 127.1 > nul" fullword ascii
        $s5 = "McInitMISPAlertEx" fullword ascii
        $s6 = "sc start %%1" fullword ascii
        $s7 = "B_WKNDNSK^" fullword ascii
        $s8 = "net stop %%1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 406KB and all of them
}
This rule contains 8 string patterns in its detection logic; it matches only MZ executables smaller than 406 KB in which all eight strings appear. When the corresponding hunt runs in Azure Sentinel, the following legitimate sources of custom TCP traffic are candidate exclusions:
Scenario: Legitimate scheduled backup job using rsync over TCP
    Filter/Exclusion: process.name = rsync and destination.path contains /backup/

Scenario: System update via yum or apt using custom TCP ports for an internal proxy
    Filter/Exclusion: (process.name = yum or process.name = apt) and destination.ip in internal_proxy_servers

Scenario: Admin using nc (netcat) for internal network diagnostics
    Filter/Exclusion: process.name = nc and source.ip in admin_workstations and destination.port in known_diagnostic_ports

Scenario: Database replication using pg_basebackup over TCP
    Filter/Exclusion: process.name = pg_basebackup and destination.path contains /data/replica/

Scenario: Internal monitoring tool such as Prometheus scraping metrics over TCP
    Filter/Exclusion: process.name = prometheus and destination.port in known_monitoring_ports
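The exclusions above are conjunctive: an event is tuned out only when every clause of a scenario holds, so a permitted process name alone is not enough. The following added example (not code from the original page) applies the five filters to constructed network events; the field names follow the filters on this page, while the allowlist sets, the event values and the process name updater.exe are constructed placeholders.

```python
"""Apply this page's tuning exclusions to constructed network events."""
from typing import Callable

# Constructed allowlists; a real hunt would load these from a Sentinel watchlist.
INTERNAL_PROXY_SERVERS = {"10.0.0.5"}
ADMIN_WORKSTATIONS = {"10.0.1.10"}
KNOWN_DIAGNOSTIC_PORTS = {22, 443}
KNOWN_MONITORING_PORTS = {9090, 9100}

# One predicate per scenario on the page; an event is excluded when any matches.
EXCLUSIONS: dict[str, Callable[[dict], bool]] = {
    "rsync backup": lambda e: e["process.name"] == "rsync"
        and "/backup/" in e.get("destination.path", ""),
    "yum/apt via proxy": lambda e: e["process.name"] in ("yum", "apt")
        and e.get("destination.ip") in INTERNAL_PROXY_SERVERS,
    "admin netcat": lambda e: e["process.name"] == "nc"
        and e.get("source.ip") in ADMIN_WORKSTATIONS
        and e.get("destination.port") in KNOWN_DIAGNOSTIC_PORTS,
    "pg_basebackup": lambda e: e["process.name"] == "pg_basebackup"
        and "/data/replica/" in e.get("destination.path", ""),
    "prometheus scrape": lambda e: e["process.name"] == "prometheus"
        and e.get("destination.port") in KNOWN_MONITORING_PORTS,
}


def triage(events: list[dict]) -> list[dict]:
    """Return the events that survive every exclusion and still need analyst review."""
    return [e for e in events if not any(f(e) for f in EXCLUSIONS.values())]


# Constructed sample events: three benign matches and two that must survive.
SAMPLE_EVENTS = [
    {"process.name": "rsync", "destination.path": "/backup/nightly",
     "destination.ip": "10.0.2.3", "destination.port": 873},
    {"process.name": "apt", "destination.ip": "10.0.0.5", "destination.port": 3128},
    {"process.name": "prometheus", "destination.ip": "10.0.3.7", "destination.port": 9100},
    # nc from a host outside admin_workstations: not all clauses hold, so it stays.
    {"process.name": "nc", "source.ip": "10.0.9.9",
     "destination.ip": "203.0.113.8", "destination.port": 443},
    # Unrecognised process reaching an external host on a custom port: stays.
    {"process.name": "updater.exe", "destination.ip": "203.0.113.8", "destination.port": 8443},
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("review:", event)
```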