The hypothesis is that the detected artifacts indicate the presence of the Drovorub malware family, which is associated with APT28 and is used for command and control activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration threats.
YARA Rule
rule APT_APT28_drovorub_library_and_unique_strings {
    meta:
        description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client"
        author = "NSA / FBI"
        reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
        date = "2020-08-13"
        score = 75
        id = "8e010356-09c7-5897-9cbe-051cd0800502"
    strings:
        $s1 = "Poco" ascii wide
        $s2 = "Json" ascii wide
        $s3 = "OpenSSL" ascii wide
        $a1 = "clientid" ascii wide
        $a2 = "-----BEGIN" ascii wide
        $a3 = "-----END" ascii wide
        $a4 = "tunnel" ascii wide
    condition:
        (filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*))
}
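To see exactly what the condition above does and does not match, the following is an added Python example (not part of the original page, and not NSA/FBI or YARA project code) that re-implements the rule's condition clause by clause: the 1MB–10MB file-size gate, the ELF magic read as a little-endian uint32, the `#s*` occurrence counts with both the ASCII and the UTF-16LE ("wide") form, and the `all of ($a*)` requirement. It runs over three constructed byte buffers; the function names (`evaluate`, `count_ascii_wide`, `build_sample`) and the sample buffers are this example's own and do not represent real Drovorub binaries.

```python
"""Pure-Python walk-through of the Drovorub YARA rule's condition (constructed samples)."""
import struct

ELF_MAGIC = 0x464C457F   # uint32(0) of b"\x7fELF" read little-endian, as in the rule
MB = 1024 * 1024         # YARA's MB unit is 1024*1024 bytes

# $s* strings are counted (#s1 > 20, #s2 > 15, #s3 > 15); every $a* string must appear.
COUNTED = {"s1": b"Poco", "s2": b"Json", "s3": b"OpenSSL"}
THRESHOLDS = {"s1": 20, "s2": 15, "s3": 15}
REQUIRED = {"a1": b"clientid", "a2": b"-----BEGIN", "a3": b"-----END", "a4": b"tunnel"}


def wide(s: str) -> bytes:
    """UTF-16LE encoding, which is what YARA's 'wide' modifier matches."""
    return s.encode("utf-16-le")


def count_ascii_wide(data: bytes, pattern: bytes) -> int:
    """Count a pattern declared 'ascii wide': plain bytes plus its UTF-16LE form.
    bytes.count is non-overlapping, which agrees with YARA for these patterns
    because none of them can overlap itself."""
    return data.count(pattern) + data.count(wide(pattern.decode("ascii")))


def evaluate(data: bytes) -> tuple[bool, dict]:
    """Mirror the rule's condition and return (matched, per-clause details)."""
    size_ok = MB < len(data) < 10 * MB
    magic_ok = len(data) >= 4 and struct.unpack("<I", data[:4])[0] == ELF_MAGIC
    counts = {n: count_ascii_wide(data, p) for n, p in COUNTED.items()}
    counts_ok = all(counts[n] > THRESHOLDS[n] for n in COUNTED)
    missing = [n for n, p in REQUIRED.items() if count_ascii_wide(data, p) == 0]
    matched = size_ok and magic_ok and counts_ok and not missing
    return matched, {
        "size_ok": size_ok,
        "magic_ok": magic_ok,
        "counts": counts,
        "counts_ok": counts_ok,
        "missing": missing,
    }


def build_sample(magic: bytes, parts: list[bytes], size: int) -> bytes:
    """Constructed test buffer: magic, then the given strings, zero-padded to `size`."""
    body = magic + b"".join(parts)
    assert len(body) <= size, "sample content larger than requested size"
    return body + b"\x00" * (size - len(body))


# Constructed sample 1: satisfies every clause (counts above thresholds, all four
# $a* anchors, ELF magic, 2 MiB). It is only the rule's shape, not real malware.
SAMPLE_HIT = build_sample(
    b"\x7fELF",
    [b"Poco" * 25, b"Json" * 16, wide("OpenSSL") * 16,
     b"clientid", b"-----BEGIN", b"-----END", wide("tunnel")],
    2 * MB,
)

# Constructed sample 2: a benign-looking Poco/OpenSSL ELF binary with an embedded PEM
# block but no "clientid" or "tunnel" string, so 'all of ($a*)' fails.
SAMPLE_BENIGN = build_sample(
    b"\x7fELF",
    [b"Poco" * 40, b"Json" * 20, b"OpenSSL" * 20,
     b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"],
    3 * MB,
)

# Constructed sample 3: the same strings as sample 1 but only 64 KiB, so the
# 'filesize > 1MB' gate fails before anything else matters.
SAMPLE_SMALL = build_sample(
    b"\x7fELF",
    [b"Poco" * 25, b"Json" * 16, b"OpenSSL" * 16,
     b"clientid", b"-----BEGIN", b"-----END", b"tunnel"],
    64 * 1024,
)


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN), ("small", SAMPLE_SMALL)]:
        matched, info = evaluate(buf)
        print(f"{name:7s} matched={matched} {info}")
```

Two things the walk-through makes visible that the rule text alone does not: the `#s*` counts include UTF-16LE occurrences, so a binary that only carries the strings in wide form still counts toward the thresholds, and the library strings ("Poco", "Json", "OpenSSL") are common enough in legitimate ELF binaries that the `$a*` anchors are what keep the rule from firing on ordinary Poco-based software. For production scanning use `yara` or `yara-python` with the rule as published; this re-implementation is for understanding and tuning, not a replacement.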
This rule contains 7 string patterns in its detection logic: three library strings ($s1–$s3) that must exceed an occurrence count, and four strings ($a1–$a4) that must all be present. The following scenarios describe legitimate activity that may resemble Drovorub behavior, each with a suggested filter or exclusion:
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task using schtasks.exe is configured to run a legitimate maintenance script that has a similar file name or behavior to Drovorub components.
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\Tasks\ or where the parent process is schtasks.exe.
Scenario: Admin using PowerShell to manage services
Description: An administrator is using PowerShell to start or stop services, and the script or command resembles Drovorub’s service management behavior.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with a known legitimate PowerShell script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Legitimate software deployment using SCCM
Description: A System Center Configuration Manager (SCCM) deployment is triggering a script or executable that matches the YARA signature due to similar file names or strings.
Filter/Exclusion: Exclude processes where the parent process is ccmexec.exe or where the command line includes SCCM or Deployment.
Scenario: Antivirus or endpoint protection tool scanning
Description: A legitimate antivirus tool (e.g., CrowdStrike, Bitdefender) is performing a scan and triggering the rule due to similar file names or behaviors.
Filter/Exclusion: Exclude processes where the file name contains av or antivirus or where the parent process is a known endpoint protection tool (e.g., mpsvc.exe, sfos.exe).
Scenario: DevOps pipeline executing a build script
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is executing a build script that includes similar command-line