The hypothesis is that the detection of Codoso APT PGV_PVID Malware indicates potential adversary persistence and lateral movement within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to data exfiltration or system compromise.
YARA Rule
rule Codoso_PGV_PVID_6
{
    meta:
        description = "Detects Codoso APT PGV_PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
    strings:
        $s0 = "rundll32 \"%s\",%s" fullword ascii
        $s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 6000KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($s0 and $s1) in its detection logic; the condition requires both of them, together with an MZ header at offset 0 and a file size under 6000KB.
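To make the condition concrete, here is an added plain-Python re-implementation of this rule's logic (constructed for this page, not Florian Roth's code and not a substitute for libyara): the little-endian MZ check, the 6000KB size bound, and the fullword boundary test, evaluated over constructed sample buffers. The fullword semantics (no alphanumeric byte directly before or after the match) are assumed to follow libyara.

```python
# Constructed re-implementation of the Codoso_PGV_PVID_6 condition (not libyara,
# not Florian Roth's code); fullword semantics assumed as in libyara.
MAX_FILESIZE = 6000 * 1024          # YARA "6000KB" (KB = 1024 bytes)
PATTERNS = {
    "$s0": b'rundll32 "%s",%s',
    "$s1": b'/c ping 127.%d & del "%s"',
}

def _is_alnum(b: int) -> bool:
    """ASCII alphanumeric test used for the fullword boundary check."""
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122

def fullword_find(data: bytes, needle: bytes) -> bool:
    """True if needle occurs with no alphanumeric byte directly before or after it."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or not _is_alnum(data[start - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)   # try the next occurrence
    return False

def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of the condition; 'match' is the overall verdict."""
    # uint16(0) == 0x5a4d: YARA reads little-endian, so the file must start with b"MZ".
    mz_header = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    strings = {name: fullword_find(data, pat) for name, pat in PATTERNS.items()}
    return {"mz_header": mz_header, "size_ok": size_ok, "strings": strings,
            "match": mz_header and size_ok and all(strings.values())}

# Constructed sample buffers (not real malware): a minimal MZ header followed by
# NUL-terminated strings, as they would sit in a binary's data section.
HEADER = b"MZ" + b"\x00" * 62
S0, S1 = PATTERNS["$s0"], PATTERNS["$s1"]
SAMPLE_MATCH = HEADER + S0 + b"\x00" + S1 + b"\x00"                 # every clause true
SAMPLE_NOT_PE = b"#!/bin/sh\n" + S0 + b"\x00" + S1 + b"\x00"        # strings, but no MZ
SAMPLE_NOT_FULLWORD = HEADER + b"A" + S0 + b"B\x00" + S1 + b"\x00"  # $s0 embedded in a word

if __name__ == "__main__":
    for name, buf in [("match", SAMPLE_MATCH), ("not_pe", SAMPLE_NOT_PE),
                      ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(name, evaluate_rule(buf))
```

The third sample shows why fullword matters for $s0: its trailing "%s" ends in a letter, so any alphanumeric byte adjacent to the pattern suppresses the hit even though the bytes are present.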
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses pgv_pvid as part of a system cleanup or configuration update.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known name in the Task Scheduler (e.g., CleanupTask, SystemMaintenance).
Scenario: Admin Performing Disk Cleanup or File Integrity Check
Description: An administrator uses a tool like DISM or sfc /scannow to check or repair system files, which may temporarily generate pgv_pvid-related activity.
Filter/Exclusion: Exclude processes with DISM.exe or sfc.exe in the command line, or processes initiated by an admin account with elevated privileges.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Windows Update or third-party tools like Microsoft Endpoint Manager (MEM) may use pgv_pvid during deployment.
Filter/Exclusion: Exclude processes associated with wuauserv, msiexec.exe, or known patching tools with specific command-line arguments.
Scenario: Log File Analysis or Forensic Tool Usage
Description: A tool like LogParser or a PowerShell script is used to analyze log files, and the term pgv_pvid appears in the logs as part of normal operations.
Filter/Exclusion: Exclude processes running under logparser.exe, powershell.exe with known forensic scripts, or processes accessing log files in the C:\Windows\System32\LogFiles directory.
Scenario: Custom Script for Data Migration or Backup
Description: A custom script (e.g., written in Python or PowerShell) is used to migrate data or perform backups