The Codoso CustomTCP malware (documented in the Proofpoint write-up cited in the rule below) takes its name from the custom TCP-based command-and-control it uses instead of ordinary HTTP, which gives its operators a covert channel for tasking, data exfiltration and long-term persistence. The YARA rule identifies samples on disk by their embedded strings; it does not inspect network traffic. SOC teams should therefore pair file scanning with proactive hunting in Azure Sentinel for processes that open outbound connections on non-standard TCP ports, to identify and mitigate a long-term adversary presence and data leakage.
YARA Rule
rule Codoso_CustomTCP
{
    meta:
        description = "Codoso CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
    strings:
        $s4 = "wnyglw" fullword ascii
        $s5 = "WorkerRun" fullword ascii
        $s7 = "boazdcd" fullword ascii
        $s8 = "wayflw" fullword ascii
        $s9 = "CODETABL" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 405KB and all of them
}
The rule fires on a file that starts with the MZ header (uint16(0) == 0x5a4d reads the first two bytes little-endian, so it matches PE executables), is smaller than 405 KB, and contains all five of its fullword ASCII strings. The fullword modifier means a string only counts when it is not immediately preceded or followed by an alphanumeric byte, so "wnyglw" buried inside a longer identifier does not match. Requiring all of them keeps false positives low, but a repacked or rebuilt sample that drops any one of the five strings will not match, so treat a miss as absence of evidence rather than proof of a clean host.
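To see exactly what the condition requires, here is a pure-Python re-implementation of this one rule's logic, run over constructed buffers. It is an added example, not the rule author's code or the YARA engine itself; the buffers are constructed (not real samples), and build_sample, scan_file and the other helper names are illustrative.

```python
import re

# The five strings from the Codoso_CustomTCP rule, all declared "fullword ascii".
RULE_STRINGS = [b"wnyglw", b"WorkerRun", b"boazdcd", b"wayflw", b"CODETABL"]
MAX_FILESIZE = 405 * 1024  # YARA's "filesize < 405KB"


def fullword_ascii_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics: the string counts only when the byte before and
    the byte after it are not alphanumeric (start and end of file qualify)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: a little-endian 16-bit read of bytes 0..1 equals 'MZ'."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def missing_strings(data: bytes) -> list:
    """Which rule strings are absent; useful when triaging a near-miss."""
    return [s.decode() for s in RULE_STRINGS if not fullword_ascii_present(data, s)]


def matches_codoso_customtcp(data: bytes) -> bool:
    """The rule's condition: MZ header AND filesize < 405KB AND all of them."""
    return is_pe(data) and len(data) < MAX_FILESIZE and not missing_strings(data)


def scan_file(path: str) -> bool:
    """Hypothetical wrapper for scanning a file on disk with the evaluator above."""
    with open(path, "rb") as fh:
        return matches_codoso_customtcp(fh.read())


# Constructed test buffers (not real malware): a two-byte header, two filler
# bytes, a NUL-separated string table, and optional padding to exceed the size bound.
def build_sample(strings, header=b"MZ", pad=0):
    return header + b"\x90\x00" + b"\x00".join(strings) + b"\x00" * pad


SAMPLE_HIT = build_sample(RULE_STRINGS)
SAMPLE_NOT_PE = build_sample(RULE_STRINGS, header=b"\x7fELF")    # right strings, wrong file type
SAMPLE_EMBEDDED = build_sample([b"xwnyglwx"] + RULE_STRINGS[1:])   # "wnyglw" is not fullword here
SAMPLE_TOO_BIG = build_sample(RULE_STRINGS, pad=MAX_FILESIZE)      # the size bound excludes it

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("not-pe", SAMPLE_NOT_PE),
                      ("embedded", SAMPLE_EMBEDDED), ("too-big", SAMPLE_TOO_BIG)]:
        print(name, matches_codoso_customtcp(buf), missing_strings(buf))
```

With yara-python installed the same check is yara.compile(filepath=...) followed by rules.match(data=buf); the evaluator here exists so the fullword and header semantics can be exercised without that dependency, and missing_strings shows which of the five strings a near-miss lacks.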
The exclusions below belong to the Azure Sentinel hunt for custom-TCP connections, not to the YARA file match. Each one should require both a trusted process name and a matching command line; parenthesize the boolean logic so that an "or" on the process name does not swallow the argument check.
Scenario: Legitimate scheduled backup job using rsync over TCP
Filter/Exclusion: process.name = rsync and process.args contains "backup"
Scenario: System update via yum or apt using a custom TCP port
Filter/Exclusion: (process.name = yum or process.name = apt) and process.args contains "update"
Scenario: Admin task using netcat for remote diagnostics
Filter/Exclusion: process.name in (netcat, nc, ncat) and (process.args contains "diagnostic" or process.args contains "test")
Scenario: Internal service communication between microservices using gRPC over TCP
Filter/Exclusion: process.name contains "grpc" and source.ip in internal_network_range and destination.ip in internal_network_range
Scenario: Database replication using pg_basebackup over TCP
Filter/Exclusion: process.name = pg_basebackup and process.args contains "replication"
Two caveats. Netcat is also a standard attacker tool and "test" is a broad substring, so scope that exclusion to known administrative hosts rather than the whole estate. The gRPC exclusion must check both endpoints: excluding on source.ip alone would drop every connection originating inside the network, including a beacon from an internal host to the internet.
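The hunt-side exclusions applied to constructed process/network events, as an added example that is not the page's or Azure Sentinel's own code. The field names, the internal ranges 10.0.0.0/8 and 192.168.0.0/16, the set of standard ports and the naive_update_exclusion function are assumptions for illustration; the events are constructed and use only private and documentation IP ranges.

```python
from ipaddress import ip_address, ip_network

# Assumed: what counts as "internal", and which destination ports are standard
# enough to be out of scope for a custom-TCP hunt.
INTERNAL_NETWORK_RANGE = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
STANDARD_PORTS = {22, 25, 53, 80, 443, 445, 3389}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORK_RANGE)


def args_contain(ev: dict, *words: str) -> bool:
    """process.args contains any of the words (substring match, like the page's filters)."""
    args = ev.get("process.args", "")
    return any(w in args for w in words)


# One predicate per scenario, parenthesized the way the filters intend:
# a trusted process name AND a matching command line.
EXCLUSIONS = {
    "rsync backup": lambda ev: ev["process.name"] == "rsync" and args_contain(ev, "backup"),
    "package update": lambda ev: ev["process.name"] in ("yum", "apt") and args_contain(ev, "update"),
    # netcat ships as nc/ncat on most systems; "test" is a broad substring, tune before deploying
    "netcat diagnostics": lambda ev: ev["process.name"] in ("netcat", "nc", "ncat")
        and args_contain(ev, "diagnostic", "test"),
    # both endpoints must be internal; an internal source alone would exclude beacons to the internet
    "internal gRPC": lambda ev: "grpc" in ev["process.name"]
        and is_internal(ev["source.ip"]) and is_internal(ev["destination.ip"]),
    "pg_basebackup replication": lambda ev: ev["process.name"] == "pg_basebackup"
        and args_contain(ev, "replication"),
}


def naive_update_exclusion(ev: dict) -> bool:
    """The unparenthesized form 'yum or apt and update' as a boolean evaluator reads it:
    yum OR (apt AND update), so every yum invocation is excluded whatever its arguments."""
    return ev["process.name"] == "yum" or (ev["process.name"] == "apt" and args_contain(ev, "update"))


def excluded_by(ev: dict) -> list:
    """Names of the exclusions that match this event (empty list means it stays in the hunt)."""
    return [name for name, rule in EXCLUSIONS.items() if rule(ev)]


def hunt(events: list) -> list:
    """Outbound connections on non-standard TCP ports that survive every exclusion."""
    return [ev for ev in events
            if ev["destination.port"] not in STANDARD_PORTS and not excluded_by(ev)]


def _event(name, args, src, dst, port):
    return {"process.name": name, "process.args": args,
            "source.ip": src, "destination.ip": dst, "destination.port": port}


# Constructed events for the demonstration.
EVENTS = [
    _event("rsync", "rsync -az /srv backup@10.0.5.20::nightly", "10.0.1.10", "10.0.5.20", 873),
    _event("yum", "yum install httpd", "10.0.1.11", "198.51.100.7", 8443),
    _event("apt", "apt update", "10.0.1.12", "198.51.100.9", 8080),
    _event("grpc-gateway", "grpc-gateway --port 9090", "10.0.2.5", "10.0.2.6", 9090),
    _event("grpc-gateway", "grpc-gateway --port 9090", "10.0.2.5", "203.0.113.44", 9090),
    _event("svchost.exe", "svchost.exe -k netsvcs", "10.0.3.7", "203.0.113.88", 4443),
    _event("svchost.exe", "svchost.exe -k netsvcs", "10.0.3.7", "203.0.113.88", 443),
]

if __name__ == "__main__":
    for ev in hunt(EVENTS):
        print("REVIEW", ev["process.name"], ev["destination.ip"], ev["destination.port"])
```

Three events survive: the yum invocation that is not an update (the naive precedence would have dropped it), the gRPC process talking to an external address (excluding on source.ip alone would have dropped it), and the svchost.exe connection on port 4443. The 443 connection is out of scope for this particular hunt, not cleared; it belongs to a different query.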