The hypothesis is that this detection identifies PlugX malware samples associated with the Codoso APT, whose presence may indicate an initial compromise or active command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to data exfiltration or lateral movement.
YARA Rule
rule Codoso_PGV_PVID_4
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
        hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
        hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $x1 = "dropper, Version 1.0" fullword wide
        $x2 = "dropper" fullword wide
        $x3 = "DROPPER" fullword wide
        $x4 = "About dropper" fullword wide
        $s1 = "Microsoft Windows Manager Utility" fullword wide
        $s2 = "SYSTEM\\CurrentControlSet\\Services\\" fullword ascii /* Goodware String - occurred 9 times */
        $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occurred 10 times */
        $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occurred 46 times */
        $s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occurred 65 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
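To make the condition concrete, the following is an added example (not part of the rule above or of the page) that re-implements the rule's logic in plain Python: the `MZ` header check (`uint16(0) == 0x5a4d`), the `filesize < 900KB` bound, `wide` strings matched as UTF-16LE, `fullword` boundary checks, and the "1 of ($x*) and 2 of ($s*)" counting. The sample byte blobs are constructed in the code and are not real PE files; the `build_sample` and `evaluate_rule` names are this example's own. It approximates YARA's semantics for illustration; real scanning should use the YARA engine itself.

```python
# Added example: a pure-Python evaluator for the Codoso_PGV_PVID_4 condition,
# showing how YARA's `wide`, `fullword`, `uint16(0)`, `filesize` and
# "N of ($prefix*)" clauses combine. Helper names are this example's own.

MAX_FILESIZE = 900 * 1024  # `filesize < 900KB`

# (text, wide?, fullword?) as declared in the rule's strings section.
X_STRINGS = [
    ("dropper, Version 1.0", True, True),
    ("dropper", True, True),
    ("DROPPER", True, True),
    ("About dropper", True, True),
]
S_STRINGS = [
    ("Microsoft Windows Manager Utility", True, True),
    ("SYSTEM\\CurrentControlSet\\Services\\", False, True),
    ("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", False, True),
    ('<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
     '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3', False, False),  # no fullword
    ('<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>', False, True),
]


def _alnum(byte):
    """C-locale isalnum() on one byte, which is what YARA's fullword check uses."""
    return byte < 128 and chr(byte).isalnum()


def _fullword_ok(data, start, end, wide):
    """True if the match data[start:end] is not glued to an alphanumeric
    character on either side. For wide strings the neighbour is a UTF-16LE
    code unit: an alphanumeric low byte with a zero high byte means 'glued'."""
    step = 2 if wide else 1
    if start - step >= 0:
        if _alnum(data[start - step]) and (not wide or data[start - 1] == 0):
            return False
    if end + step <= len(data):
        if _alnum(data[end]) and (not wide or data[end + 1] == 0):
            return False
    return True


def string_matches(data, text, wide, fullword):
    """Does one YARA text string match anywhere in `data`?"""
    pattern = text.encode("utf-16-le") if wide else text.encode("ascii")
    pos = data.find(pattern)
    while pos != -1:
        if not fullword or _fullword_ok(data, pos, pos + len(pattern), wide):
            return True
        pos = data.find(pattern, pos + 1)
    return False


def evaluate_rule(data):
    """Return True if `data` satisfies:
    uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)."""
    if len(data) < 2 or data[:2] != b"MZ":  # 0x5a4d read little-endian is "MZ"
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    x_hits = sum(string_matches(data, t, w, f) for t, w, f in X_STRINGS)
    s_hits = sum(string_matches(data, t, w, f) for t, w, f in S_STRINGS)
    return x_hits >= 1 and s_hits >= 2


def build_sample(wide_strings, ascii_strings, header=b"MZ"):
    """Constructed test blob: a header, zero padding, then the given strings
    NUL-terminated in their respective encodings. Not a real PE file."""
    blob = bytearray(header) + b"\x00" * 62
    for s in wide_strings:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    for s in ascii_strings:
        blob += s.encode("ascii") + b"\x00"
    return bytes(blob)


if __name__ == "__main__":
    goodware = ["SYSTEM\\CurrentControlSet\\Services\\",
                "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"]
    hit = build_sample(["dropper"], goodware)
    glued = build_sample(["mydropperx"], goodware)  # "dropper" present, but not fullword
    print(evaluate_rule(hit), evaluate_rule(glued))
```

Note how `fullword` is doing real work here: the two registry-path strings are explicitly flagged as common in goodware, so the rule only fires when at least one `dropper`-family string also stands alone as a whole word. A sample that merely contains `dropper` inside a longer identifier does not count, and neither does a file missing the `MZ` header or at or above the 900KB bound.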
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to clean temporary files or update system settings.
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE "*clean-temp-files*"
Scenario: Admin using Cobalt Strike for red team exercise
Description: A security team member is conducting a red team simulation using Cobalt Strike, which may trigger similar behavior to PlugX.
Filter/Exclusion: process.name != "cobaltstrike.exe" OR user.account NOT LIKE "*security-team*"
Scenario: System update using Windows Update or Microsoft Endpoint Manager
Description: A Windows Update or Microsoft Endpoint Manager (MEM) task is deploying patches or updates, which may involve similar command-line or script execution.
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "setup.exe" AND process.name != "msiexec.exe"
Scenario: Legitimate use of PsExec for remote administration
Description: An administrator uses PsExec to run commands on remote systems as part of routine administration.
Filter/Exclusion: process.name != "psexec.exe" OR user.account NOT LIKE "*admin-user*"
Scenario: Automated backup script using robocopy or similar tool
Description: A backup script runs regularly using robocopy or another file-copying utility, which may mimic malware behavior.
Filter/Exclusion: process.name != "robocopy.exe" OR process.args NOT LIKE "*backup-script*"