The hypothesis is that the detection identifies potential PlugX malware activity associated with the Codoso APT, leveraging suspicious file artifacts and network behavior indicative of command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Codoso APT compromises before significant damage occurs.
YARA Rule
rule Codoso_PlugX_1
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
        hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
        hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
    strings:
        $s1 = "GETPASSWORD1" fullword ascii
        $s2 = "NvSmartMax.dll" fullword ascii
        $s3 = "LICENSEDLG" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
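The following is an added example, not code from the page or from the rule's author: it re-implements the rule's condition in plain Python (no yara-python dependency) so an analyst can see exactly what each clause requires before a file matches. The MZ check reads the first two bytes as a little-endian uint16, the size limit uses YARA's 800KB (800 * 1024 bytes), and each string is tested with YARA's "fullword" semantics, meaning it must not be directly preceded or followed by an alphanumeric character. The build_sample helper produces constructed test buffers only; it does not create a real PlugX sample.

```python
import re
import struct

# Constants taken directly from the Codoso_PlugX_1 rule above.
MAX_SIZE = 800 * 1024    # filesize < 800KB (YARA treats KB as 1024 bytes)
MZ_MAGIC = 0x5A4D        # uint16(0) == 0x5a4d, i.e. the bytes "MZ" read little-endian
STRINGS = {
    "$s1": b"GETPASSWORD1",
    "$s2": b"NvSmartMax.dll",
    "$s3": b"LICENSEDLG",
}


def _fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate a YARA 'fullword ascii' string: the needle must not be
    immediately preceded or followed by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of the rule condition against a byte buffer and
    return the per-clause results plus the overall verdict."""
    is_mz = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == MZ_MAGIC
    size_ok = len(data) < MAX_SIZE
    hits = {name: _fullword_present(data, s) for name, s in STRINGS.items()}
    return {
        "mz": is_mz,
        "filesize_ok": size_ok,
        "strings": hits,
        # 'all of them' in the rule: every declared string must be present.
        "match": bool(is_mz and size_ok and all(hits.values())),
    }


def build_sample(strings, size: int = 4096, header: bytes = b"MZ") -> bytes:
    """Constructed test buffer (not a real sample): a two-byte header, a
    zeroed DOS-header area, then the given strings separated by NUL bytes,
    padded with NULs to the requested size."""
    body = header + b"\x00" * 62 + b"\x00".join(strings)
    return body + b"\x00" * max(0, size - len(body))


if __name__ == "__main__":
    good = build_sample([b"GETPASSWORD1", b"NvSmartMax.dll", b"LICENSEDLG"])
    partial = build_sample([b"GETPASSWORD1", b"NvSmartMax.dll"])
    glued = build_sample([b"XGETPASSWORD1X", b"NvSmartMax.dll", b"LICENSEDLG"])
    for label, buf in (("all strings", good), ("one missing", partial), ("not fullword", glued)):
        print(label, evaluate_rule(buf))
```

Running the script shows that a buffer carrying all three strings as whole words matches, a buffer missing any one string does not ("all of them" is a conjunction), and a buffer where GETPASSWORD1 is embedded inside a longer alphanumeric token fails the $s1 fullword test; the size and MZ checks are evaluated independently so a hit can be explained clause by clause.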
Scenario: Legitimate scheduled backup job using Veeam
Description: A backup job initiated by Veeam may trigger the rule due to similar file patterns or network behavior.
Filter/Exclusion: Check for process.name == "veeam.exe" or file.name contains "veeam", and exclude traffic originating from the Veeam backup server.

Scenario: Admin using PowerShell for system cleanup
Description: An administrator may run a PowerShell script using PowerShell.exe that resembles PlugX’s behavior, such as downloading or executing scripts.
Filter/Exclusion: Filter by process.name == "powershell.exe" and check for known admin scripts or use process.user == "Administrator" with a whitelisted command line.

Scenario: Software update using SCCM (System Center Configuration Manager)
Description: A software update initiated by SCCM may involve downloading payloads or executing scripts, which could be flagged by the rule.
Filter/Exclusion: Use process.name == "ccmexec.exe" or file.name contains "ccm" and verify the source IP against the SCCM server’s IP range.

Scenario: Log file analysis using Splunk
Description: Splunk may be used to parse and analyze log files, which could involve reading or writing files that match the PlugX signature.
Filter/Exclusion: Filter by process.name == "splunkd.exe" or process.name == "splunkforwarder.exe" and check for log file access patterns.

Scenario: Network monitoring with Wireshark
Description: Wireshark may be used to capture and analyze network traffic, which could involve similar packet behaviors as PlugX.
Filter/Exclusion: Filter by process.name == "wireshark.exe" and exclude traffic from known internal monitoring tools.
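As an added example (not part of the page), the five filter/exclusion scenarios above are turned into one triage function that a SOC could run over rule hits before escalation. Each rule hit is modelled as a dictionary with process_name, file_name, user, command_line and src_ip fields; the Veeam server address, the SCCM address range and the allow-listed admin command line are hypothetical values that must be replaced with the environment's own inventory. Where the page pairs a process check with an extra verification (the SCCM source range, the Administrator user plus allow-listed command line), the function requires both, so a matching process name alone is not enough to suppress a hit.

```python
import ipaddress

# Hypothetical environment values (assumptions for this example only).
VEEAM_SERVERS = {"10.0.5.10"}                       # Veeam backup server
SCCM_RANGE = ipaddress.ip_network("10.0.20.0/24")   # SCCM site server range
ADMIN_SCRIPT_ALLOWLIST = {
    # Known, reviewed admin cleanup command line (constructed example).
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\cleanup.ps1",
}
SPLUNK_PROCESSES = {"splunkd.exe", "splunkforwarder.exe"}


def exclusion_reason(event: dict):
    """Apply the documented exclusions to one rule hit.

    Returns the scenario name that explains the hit as benign, or None when
    no exclusion applies and the hit should be escalated for investigation.
    """
    proc = (event.get("process_name") or "").lower()
    fname = (event.get("file_name") or "").lower()
    src = event.get("src_ip")

    # Scenario: legitimate Veeam backup job.
    if proc == "veeam.exe" or "veeam" in fname or src in VEEAM_SERVERS:
        return "veeam_backup"

    # Scenario: admin PowerShell cleanup, only with the allow-listed command line.
    if (proc == "powershell.exe"
            and event.get("user") == "Administrator"
            and event.get("command_line") in ADMIN_SCRIPT_ALLOWLIST):
        return "admin_powershell"

    # Scenario: SCCM software update, source verified against the SCCM range.
    if (proc == "ccmexec.exe" or "ccm" in fname) and src:
        try:
            if ipaddress.ip_address(src) in SCCM_RANGE:
                return "sccm_update"
        except ValueError:
            pass  # malformed address: do not suppress on a bad field

    # Scenario: Splunk log parsing.
    if proc in SPLUNK_PROCESSES:
        return "splunk_logging"

    # Scenario: Wireshark capture.
    if proc == "wireshark.exe":
        return "wireshark_capture"

    return None


def triage(events):
    """Split a batch of hits into (escalate, suppressed) lists; each
    suppressed entry is (event, reason)."""
    escalate, suppressed = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (suppressed if reason else escalate).append((ev, reason) if reason else ev)
    return escalate, suppressed


# Constructed sample hits, not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "veeam.exe", "file_name": "backup_0001.vbk", "src_ip": "10.0.5.10"},
    {"process_name": "powershell.exe", "user": "Administrator",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\cleanup.ps1"},
    {"process_name": "powershell.exe", "user": "Administrator",
     "command_line": "powershell.exe -enc AAAA"},
    {"process_name": "ccmexec.exe", "src_ip": "10.0.20.15"},
    {"process_name": "ccmexec.exe", "src_ip": "192.168.1.15"},
    {"process_name": "svchost.exe", "file_name": "NvSmartMax.dll", "src_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    to_escalate, benign = triage(SAMPLE_EVENTS)
    for ev, why in benign:
        print("suppressed:", why, ev.get("process_name"))
    for ev in to_escalate:
        print("ESCALATE:", ev)
```

In the constructed batch, the Veeam job, the allow-listed PowerShell cleanup and the SCCM client inside its address range are suppressed, while the unrecognised encoded PowerShell command, the ccmexec.exe hit from outside the SCCM range and the svchost.exe hit on NvSmartMax.dll are all escalated; the safe default for anything the documented filters do not explicitly cover is to investigate.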