The hypothesis is that the detection identifies potential Codoso APT activity involving PGV PVID malware, which is associated with advanced persistent threats and may indicate lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to data compromise or network infiltration.
YARA Rule
rule Codoso_PGV_PVID_1
{
meta:
description = "Detects Codoso APT PGV PVID Malware"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
super_rule = 1
hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
strings:
$x1 = "Cookie: pgv_pvid=" ascii
$x2 = "DRIVERS\\ipinip.sys" fullword wide
$s1 = "TsWorkSpaces.dll" fullword ascii
$s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
$s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
$s5 = "Microsoft Chart ActiveX Control" fullword wide
$s6 = "MSChartCtrl.ocx" fullword wide
$s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
$s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
condition:
( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or 5 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update may include files with similar names or hashes to the malware due to naming conventions or false positives.
Filter/Exclusion: Exclude processes initiated by svchost.exe or wuauclt.exe with parent process services.exe and file paths containing C:\Windows\ or C:\Windows\System32\.
Scenario: Scheduled Job for Log Management (e.g., Splunk or ELK)
Description: A scheduled job running log aggregation tools like Splunk or ELK might execute scripts or binaries with names resembling malicious activity.
Filter/Exclusion: Exclude processes with parent process splunkd.exe or java.exe (for ELK), and filter by file paths containing C:\Program Files\Splunk\ or C:\elasticsearch\.
Scenario: Admin Task – PowerShell Script for Patch Management
Description: An administrator may run a PowerShell script to apply patches or manage software updates, which could trigger the rule due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes with parent process powershell.exe and command-line arguments containing -File or -ScriptBlock, and filter by file paths containing C:\Windows\System32\WindowsPowerShell\v1.0\.
Scenario: Legitimate Antivirus Quarantine Process
Description: Antivirus tools like Bitdefender or Kaspersky may temporarily move files to a quarantine directory, which could match the malware’s file signature.
Filter/Exclusion: Exclude processes with parent process bitdefender.exe or kavservice.exe, and filter by file paths containing C:\ProgramData\Bitdefender\ or `C:\Program Files\Kaspersky\