Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
Sigma rule
```yaml
title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
status: test
description: Detects Trojan loader activity as used by APT28
references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
    - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
    - https://twitter.com/ClearskySec/status/960924755355369472
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2018-03-01
modified: 2023-05-31
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.g0007
    - attack.t1059.003
    - attack.t1218.011
    - car.2013-10-002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - '%LOCALAPPDATA%'
            - '\AppData\Local\'
    selection_extensions:
        - CommandLine|contains: '.dat",'
        - CommandLine|endswith:
            - '.dll #1'
            - '.dll" #1'
            - '.dll",#1'
    filter_main_exclude_temp:
        CommandLine|contains: '\AppData\Local\Temp\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
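As an added example that is not part of the rule or of the Sigma project, the following Python evaluates the rule's detection block over a few constructed Windows process-creation events. It reproduces the Sigma semantics the rule relies on: keys inside one selection map are ANDed, a list of values under one key is ORed, a selection written as a list of maps is ORed, string matching is case-insensitive, and the `filter_main_*` exclusion removes the `\AppData\Local\Temp\` case. The field names `Image` and `CommandLine` are those used by the rule; the sample events, the helper names and the `DETECTION` transcription are constructed for this illustration.

```python
"""Added example: a minimal evaluator for the Sofacy rundll32 rule above,
run over constructed process-creation events. This is not Sigma's own
engine and not the rule author's code; a real deployment compiles the rule
with a Sigma backend into the query language of the target SIEM."""

from typing import Any, Dict, List, Union

# The rule's detection block, transcribed from the YAML above.
DETECTION: Dict[str, Any] = {
    "selection_path": {
        "Image|endswith": "\\rundll32.exe",
        "CommandLine|contains": ["%LOCALAPPDATA%", "\\AppData\\Local\\"],
    },
    "selection_extensions": [  # list of maps: any map may match (OR)
        {"CommandLine|contains": '.dat",'},
        {"CommandLine|endswith": [".dll #1", '.dll" #1', '.dll",#1']},
    ],
    "filter_main_exclude_temp": {
        "CommandLine|contains": "\\AppData\\Local\\Temp\\",
    },
}


def _match_value(field_value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; matching is case-insensitive."""
    v, p = field_value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    return v == p  # no modifier: exact match


def _match_map(event: Dict[str, str], spec: Dict[str, Any]) -> bool:
    """Every key in a map must match (AND); list values under a key are OR."""
    for key, patterns in spec.items():
        field, _, modifier = key.partition("|")
        # A field absent from the event never matches in Sigma.
        value = str(event.get(field, ""))
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, modifier, p) for p in patterns):
            return False
    return True


def match_selection(event: Dict[str, str],
                    spec: Union[Dict[str, Any], List[Dict[str, Any]]]) -> bool:
    """A selection given as a list of maps matches if any map matches."""
    if isinstance(spec, list):
        return any(_match_map(event, m) for m in spec)
    return _match_map(event, spec)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in DETECTION.items() if k.startswith("selection_")]
    filters = [v for k, v in DETECTION.items() if k.startswith("filter_main_")]
    return all(match_selection(event, s) for s in selections) and not any(
        match_selection(event, f) for f in filters
    )


# Constructed sample events (not real telemetry); each is a dict of
# process_creation fields as a SIEM would present them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: DLL under AppData\Local with export ordinal #1 -> match
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Foo\\bar.dll",#1'},
    # 2: same shape but under AppData\Local\Temp -> excluded by the filter
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Temp\\bar.dll",#1'},
    # 3: .dat payload referenced via %LOCALAPPDATA% -> match
    {"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": 'rundll32.exe "%LOCALAPPDATA%\\Foo\\cfg.dat",Start'},
    # 4: ordinary system DLL, no AppData path -> no match
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    # 5: different image, same command line shape -> selection_path fails
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe "C:\\Users\\bob\\AppData\\Local\\Foo\\bar.dll" #1'},
]


def evaluate_samples() -> List[bool]:
    """Return the rule verdict for each constructed sample, in order."""
    return [rule_matches(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT " if hit else "ignore", event["CommandLine"])
```

Running the block shows which of the five constructed command lines the rule would alert on; the second event illustrates why the `filter_main_exclude_temp` selection exists, since the same `.dll",#1` pattern under `\AppData\Local\Temp\` is suppressed. The evaluator only covers the modifiers this rule uses (`contains`, `endswith`) and is meant for reasoning about and unit-testing the logic, not as a replacement for a Sigma backend.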
Related rules
- ZxShell Malware
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- HTML Help HH.EXE Suspicious Child Process
- HackTool - RedMimicry Winnti Playbook Execution