A dropper is being used to deploy the REDLEAVES and PlugX implants via side loading, indicating potential lateral movement and persistence in the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware deployment attempts before they establish deeper network access.
YARA Rule
rule Dropper_DeploysMalwareViaSideLoading {
    meta:
        description = "Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
        author = "USG"
        true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
        $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100-character pseudo-random string.
    condition:
        any of them
}
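As an added example (not part of this page or of the USG rule), the Python below matches the rule's two hex strings, including their [0-14] and [0-6] byte jumps, without yara-python, so the jump semantics can be checked by hand; it also accepts ?? wildcards, which this rule does not use. The byte samples are constructed to exercise the jump bounds and are not taken from the referenced malware.

```python
import re

# The two hex strings from the rule above, copied verbatim (literal bytes plus [lo-hi] jumps).
YARA_HEX_STRINGS = {
    "UniqueString": "2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65",
    "PsuedoRandomStringGenerator": "b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64",
}

# One token of a YARA hex string: a [lo-hi] jump, a literal byte, or a ?? wildcard.
_TOKEN = re.compile(r"\[(\d+)-(\d+)\]|([0-9a-fA-F]{2})|(\?\?)")

def hex_string_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string into an equivalent bytes regex:
    literal byte -> escaped byte, [lo-hi] -> .{lo,hi}, ?? (unused by this rule) -> '.'."""
    parts = []
    for token in hex_string.split():
        match = _TOKEN.fullmatch(token)
        if match is None:
            raise ValueError(f"unsupported hex-string token: {token!r}")
        lo, hi, byte, wildcard = match.groups()
        if lo is not None:
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        elif wildcard:
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(byte, 16)])))
    return b"".join(parts)

# DOTALL so '.' also consumes 0x0a, which is just another byte inside a binary.
COMPILED = {name: re.compile(hex_string_to_regex(hs), re.DOTALL)
            for name, hs in YARA_HEX_STRINGS.items()}

def scan(data: bytes) -> dict:
    """Return {string name: [match offsets]} for every string in the rule."""
    return {name: [m.start() for m in rx.finditer(data)] for name, rx in COMPILED.items()}

def rule_matches(data: bytes) -> bool:
    """Mirror the rule's condition: 'any of them'."""
    return any(scan(data).values())

# Constructed samples (not real malware bytes) that exercise the jump bounds.
SAMPLE_LNK_DROPPER = b"\x00" * 8 + b".lnk\x00\x00\x00C:\\avpui.exe\x00"  # 6-byte gap, within [0-14]
SAMPLE_CODE = b"\x55\x8b\xec" + bytes.fromhex("b9 1a 00 00 00 f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64")
SAMPLE_BENIGN = b"setup.lnk -> C:\\Program Files\\Example\\avpui.exe"  # 29-byte gap, beyond [0-14]

if __name__ == "__main__":
    for label, sample in [("dropper", SAMPLE_LNK_DROPPER), ("code", SAMPLE_CODE), ("benign", SAMPLE_BENIGN)]:
        print(label, rule_matches(sample), scan(sample))
```

The benign sample shows why the jump bound matters: ".lnk" and "avpui.exe" both occur, but 29 bytes apart, so $UniqueString does not fire.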
This rule contains 2 string patterns in its detection logic. This YARA rule can be deployed in the following contexts:
Scenario: Scheduled System Update via Windows Server Update Services (WSUS)
Description: A legitimate scheduled job pushes updates to Windows systems using WSUS, which may involve side-loading binaries.
Filter/Exclusion: Check for CommandLine containing wsusutil or wuauclt, and filter by ProcessName matching wsusutil.exe or wuauclt.exe.
Scenario: Deployment of a Custom Reporting Tool via SCCM (System Center Configuration Manager)
Description: An IT admin deploys a custom reporting tool using SCCM, which may involve side-loading an executable.
Filter/Exclusion: Filter by ProcessName matching ccmexec.exe or smsexec.exe, and check for CommandLine containing sccm or deploy.
Scenario: User-Initiated Software Installation via Group Policy Preferences (GPP)
Description: An admin uses GPP to deploy a legitimate application, which may involve side-loading a payload.
Filter/Exclusion: Filter by ProcessName matching gpupdate.exe or gpreference.exe, and check for CommandLine containing gpupdate or gpreference.
Scenario: Legitimate Third-Party Software Installation via MSI Installer
Description: A user installs a third-party application using an MSI installer, which may trigger side-loading behavior.
Filter/Exclusion: Filter by ProcessName matching msiexec.exe, and check for CommandLine containing /i or /package with known legitimate MSI files.
Scenario: Admin Task to Deploy a Custom Script via Task Scheduler
Description: An admin schedules a PowerShell script to run via Task Scheduler, which may involve side-loading a malicious payload.
Filter/Exclusion: Filter by ProcessName matching