The hypothesis is that the detection rule identifies potential Gh0st malware activity associated with the Codoso APT, which may indicate initial compromise or lateral movement within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to data exfiltration or system compromise.
YARA Rule

    rule Codoso_Gh0st_3
    {
        meta:
            description = "Detects Codoso APT Gh0st Malware"
            author = "Florian Roth"
            reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
            date = "2016-01-30"
            hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
        strings:
            $x1 = "RunMeByDLL32" fullword ascii
            $s1 = "svchost.dll" fullword wide
            $s2 = "server.dll" fullword ascii
            $s3 = "Copyright ? 2008" fullword wide
            $s4 = "testsupdate33" fullword ascii
            $s5 = "Device Protect Application" fullword wide
            $s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occurred 1 times */
            $s7 = "mail-news.eicp.net" fullword ascii
        condition:
            // 'and' binds tighter than 'or': (MZ header and filesize < 195KB and $x1) or (any 4 of the 8 strings)
            uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
    }
This rule contains 8 string patterns in its detection logic (one $x1 indicator string and seven $s supporting strings).
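To make the condition's operator precedence and the fullword/wide modifiers concrete, here is an added Python re-implementation of the rule's condition (written for this page, not part of the rule or of YARA itself; it approximates YARA's fullword and wide semantics with regular expressions and runs over constructed byte buffers, not real samples):

```python
import re

# Pure-Python stand-in for the Codoso_Gh0st_3 condition (added illustration,
# not the YARA engine). 'wide' strings are UTF-16LE; 'fullword' is approximated
# as "no alphanumeric character immediately before or after the match".
X1 = (b"RunMeByDLL32", "ascii")
STRINGS = [
    X1,
    (b"svchost.dll", "wide"), (b"server.dll", "ascii"),
    (b"Copyright ? 2008", "wide"), (b"testsupdate33", "ascii"),
    (b"Device Protect Application", "wide"), (b"MSVCP60.DLL", "ascii"),
    (b"mail-news.eicp.net", "ascii"),
]

def fullword_present(data: bytes, needle: bytes, mod: str) -> bool:
    """True if needle occurs in data as a whole word, ascii or wide."""
    if mod == "wide":
        needle = needle.decode("ascii").encode("utf-16-le")
        alnum = rb"[0-9A-Za-z]\x00"          # one alphanumeric UTF-16LE char
    else:
        alnum = rb"[0-9A-Za-z]"
    pat = rb"(?<!" + alnum + rb")" + re.escape(needle) + rb"(?!" + alnum + rb")"
    return re.search(pat, data) is not None

def string_hits(data: bytes) -> int:
    """How many of the rule's 8 strings are present (the 'N of them' count)."""
    return sum(fullword_present(data, s, m) for s, m in STRINGS)

def codoso_gh0st_3(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
    In YARA 'and' binds tighter than 'or', so this is
    (MZ header and size < 195KB and $x1) OR (any 4 of the 8 strings)."""
    is_mz = data[:2] == b"MZ"                  # 0x5a4d read little-endian
    small = len(data) < 195 * 1024             # YARA's KB suffix is *1024
    return (is_mz and small and fullword_present(data, *X1)) or string_hits(data) >= 4

# Constructed buffers (null padding only, not real samples).
MZ_WITH_X1 = b"MZ" + b"\x00" * 64 + b"RunMeByDLL32" + b"\x00" * 64
MZ_WITH_X1_TOO_LARGE = MZ_WITH_X1 + b"\x00" * (195 * 1024)   # fails filesize
MZ_THREE_STRINGS = b"MZ\x00server.dll\x00testsupdate33\x00MSVCP60.DLL\x00"
NOT_FULLWORD = b"MZ\x00xRunMeByDLL32y\x00"                    # $x1 not a whole word
NO_MZ_FOUR_STRINGS = (b"\x00server.dll\x00testsupdate33\x00mail-news.eicp.net\x00\x00"
                      + "svchost.dll".encode("utf-16-le") + b"\x00\x00")  # non-PE, 4 of them

if __name__ == "__main__":
    for buf in (MZ_WITH_X1, MZ_WITH_X1_TOO_LARGE, MZ_THREE_STRINGS, NOT_FULLWORD, NO_MZ_FOUR_STRINGS):
        print(f"size={len(buf):6} hits={string_hits(buf)} match={codoso_gh0st_3(buf)}")
```

The last buffer shows the practical consequence of the precedence: a file with no MZ header still fires when any four strings appear as whole words, so the header and size checks only gate the $x1 branch.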
This YARA rule can be deployed in the following contexts:

Scenario: Legitimate system update using Windows Update
Filter/Exclusion: process.name != "wuauclt.exe" or process.name != "svchost.exe" with parent.name == "services.exe"

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "vmbackup.exe" or process.name != "vmbackupagent.exe" with parent.name == "services.exe"

Scenario: Admin performing disk cleanup using Disk Cleanup tool
Filter/Exclusion: process.name != "cleanmgr.exe" or process.name != "explorer.exe" with parent.name == "explorer.exe"

Scenario: Running a legitimate PowerShell script for system monitoring
Filter/Exclusion: process.name != "powershell.exe" or script.block != "Codoso APT Gh0st Malware" with user == "Domain\Administrator"

Scenario: Using Microsoft Endpoint Configuration Manager for software deployment
Filter/Exclusion: process.name != "ccmexec.exe" or process.name != "mpssvc.exe" with parent.name == "services.exe"