The libyan_scorpions YARA rule flags samples that reference the network indicators (one IP address and five dynamic-DNS hostnames) or the Android signing certificate that the Cyberkov "Hunting Libyan Scorpions" report attributes to that campaign, using plain string matches together with the androguard and cuckoo modules (APK metadata and sandbox network activity); the author considers the activity likely related to malware distribution or persistence. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods. Because the condition calls the androguard and cuckoo modules, the rule compiles only in a YARA build that provides them (androguard is the Koodous module, not part of stock YARA); the string matches alone still work if those module calls are removed.
YARA Rule
    import "androguard"
    import "cuckoo"

    rule libyan_scorpions
    {
        meta:
            source = "https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf"
            sample = "9d8e5ccd4cf543b4b41e4c6a1caae1409076a26ee74c61c148dffd3ce87d7787"

        strings:
            // Network indicators from the report: one IP address and five dynamic-DNS hostnames
            $ip_1 = "41.208.110.46" ascii wide
            $domain_1 = "winmeif.myq-see.com" ascii wide nocase
            $domain_2 = "wininit.myq-see.com" ascii wide nocase
            $domain_3 = "samsung.ddns.me" ascii wide nocase
            $domain_4 = "collge.myq-see.com" ascii wide nocase
            $domain_5 = "sara2011.no-ip.biz" ascii wide nocase

        condition:
            // Indicators seen in APK metadata (androguard) or sandbox network traffic (cuckoo)
            androguard.url(/41\.208\.110\.46/) or cuckoo.network.http_request(/41\.208\.110\.46/) or
            androguard.url(/winmeif.myq-see.com/i) or cuckoo.network.dns_lookup(/winmeif.myq-see.com/i) or
            androguard.url(/wininit.myq-see.com/i) or cuckoo.network.dns_lookup(/wininit.myq-see.com/i) or
            androguard.url(/samsung.ddns.me/i) or cuckoo.network.dns_lookup(/samsung.ddns.me/i) or
            androguard.url(/collge.myq-see.com/i) or cuckoo.network.dns_lookup(/collge.myq-see.com/i) or
            androguard.url(/sara2011.no-ip.biz/i) or cuckoo.network.dns_lookup(/sara2011.no-ip.biz/i) or
            // Plain string matches on the file contents, independent of the modules
            any of ($domain_*) or any of ($ip_*) or
            // APK signing certificate attributed to the campaign
            androguard.certificate.sha1("DFFDD3C42FA06BCEA9D65B8A2E980851383BD1E3")
    }
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic: one IP address ($ip_1) and five hostnames ($domain_1 to $domain_5).
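As an added example (not part of the original page or the Cyberkov report), the following Python script pulls the text indicators out of the rule source and turns them into a Sentinel KQL hunting query; the DnsEvents table and its Name, IPAddresses and ClientIP columns are assumed defaults for a workspace and may need adjusting to the connector in use.

```python
import re

# Constructed copy of the strings section of the libyan_scorpions rule on this
# page; the indicator values are the rule's own.
RULE_TEXT = r'''
rule libyan_scorpions
{
    strings:
        $ip_1 = "41.208.110.46" ascii wide
        $domain_1 = "winmeif.myq-see.com" ascii wide nocase
        $domain_2 = "wininit.myq-see.com" ascii wide nocase
        $domain_3 = "samsung.ddns.me" ascii wide nocase
        $domain_4 = "collge.myq-see.com" ascii wide nocase
        $domain_5 = "sara2011.no-ip.biz" ascii wide nocase
    condition:
        any of them
}
'''

# One `$name = "value"` text string per line inside the strings section.
STRING_DEF = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]+)"', re.MULTILINE)
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def extract_indicators(rule_text):
    """Split a rule's text strings into IPv4 addresses and domain names."""
    ips, domains = [], []
    for _name, value in STRING_DEF.findall(rule_text):
        (ips if IPV4.match(value) else domains).append(value.lower())
    return {"ips": ips, "domains": domains}

def build_kql(indicators, table="DnsEvents", name_col="Name", ip_col="IPAddresses"):
    """Emit a Sentinel hunting query over DNS telemetry (table/column names are
    hypothetical defaults; adjust them to the workspace's DNS connector)."""
    domains = ", ".join(f'"{d}"' for d in indicators["domains"])
    ips = ", ".join(f'"{i}"' for i in indicators["ips"])
    clauses = []
    if domains:
        clauses.append(f"{name_col} in~ ({domains})")  # case-insensitive, like nocase
    if ips:
        clauses.append(f"{ip_col} has_any ({ips})")    # resolved answers contain the IP
    where = " or ".join(clauses) if clauses else "false"
    return (f"{table}\n| where {where}\n"
            f"| project TimeGenerated, Computer, ClientIP, {name_col}, {ip_col}")

if __name__ == "__main__":
    print(build_kql(extract_indicators(RULE_TEXT)))
```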
Suggested exclusions for benign activity; note that these are process.name filters applied to process telemetry in the SIEM, not conditions inside the YARA rule itself.

Scenario: Legitimate system update using yum or dnf on Red Hat-based systems
Filter/Exclusion: process.name: yum or process.name: dnf

Scenario: Scheduled backup job using rsync or tar
Filter/Exclusion: process.name: rsync or process.name: tar

Scenario: Administrative task using systemd to manage services
Filter/Exclusion: process.name: systemd or process.name: systemctl

Scenario: Log file rotation using logrotate
Filter/Exclusion: process.name: logrotate

Scenario: User-initiated file compression using gzip or zip
Filter/Exclusion: process.name: gzip or process.name: zip