Statically linked POCO and OpenSSL libraries may indicate the presence of malicious payloads or covert communication channels, and are commonly associated with advanced persistent threat tooling such as Drovorub (the APT28 malware this rule targets). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule
rule APT_APT28_generic_poco_openssl {
    meta:
        description = "Rule to detect statically linked POCO and OpenSSL libraries (COULD be Drovorub related and should be further investigated)"
        author = "NSA / FBI"
        reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
        date = "2020-08-13"
        score = 50
        id = "cab3f67e-e239-5aa6-b691-8c6e2c620b5a"
    strings:
        $mw1 = { 89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7 FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D }
        $mw2 = { 41 54 49 89 D4 55 53 F6 47 19 04 48 8B 2E 75 08 31 DB F6 45 00 03 75 }
        $mw3 = { 85C0BA15000000750989D05BC30F1F44 0000BE }
        $mw4 = { 53 8A 47 08 3C 06 74 21 84 C0 74 1D 3C 07 74 20 B9 ?? ?? ?? ?? BA FD 03 00 00 BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 E8 06 3C 01 77 2B 48 8B 1F 48 8B 73 10 48 89 DF E8 ?? ?? ?? ?? 48 8D 43 08 48 C7 43 10 00 00 00 00 48 C7 43 28 00 00 00 00 48 89 43 18 48 89 43 20 5B C3 }
    condition:
        all of them
}
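As an added example (not part of the NSA/FBI rule or of this page), the Python below reproduces the rule's matching logic without yara-python so the detection can be understood and unit-tested: it parses the four hex strings exactly as written above (including the spaceless $mw3 and the ?? wildcards in $mw4) into byte regexes and applies the "all of them" condition. The sample buffers, the NOP padding and the 0x41 wildcard filler are constructed test inputs, not bytes from any real binary.

```python
import re

# Hex strings copied from the rule above. YARA hex strings may span lines, may omit
# spaces between bytes ($mw3 does), and use "??" as a one-byte wildcard.
PATTERNS = {
    "$mw1": "89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7 "
            "FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D",
    "$mw2": "41 54 49 89 D4 55 53 F6 47 19 04 48 8B 2E 75 08 31 DB F6 45 00 03 75",
    "$mw3": "85C0BA15000000750989D05BC30F1F44 0000BE",
    "$mw4": "53 8A 47 08 3C 06 74 21 84 C0 74 1D 3C 07 74 20 B9 ?? ?? ?? ?? BA FD 03 "
            "00 00 BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 E8 06 3C 01 77 2B 48 8B 1F "
            "48 8B 73 10 48 89 DF E8 ?? ?? ?? ?? 48 8D 43 08 48 C7 43 10 00 00 00 00 48 C7 43 "
            "28 00 00 00 00 48 89 43 18 48 89 43 20 5B C3",
}

def tokenize(hex_string):
    """Split a YARA hex string into two-character tokens ("89", "??"), ignoring whitespace."""
    compact = re.sub(r"\s+", "", hex_string)
    tokens = re.findall(r"\?\?|[0-9A-Fa-f]{2}", compact)
    if "".join(tokens) != compact:  # odd nibble count or a stray character
        raise ValueError("malformed hex string: %r" % hex_string)
    return tokens

def to_regex(hex_string):
    """Compile a hex string to a bytes regex; each ?? becomes a single any-byte match."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokenize(hex_string)]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: ?? must also match 0x0A

COMPILED = {name: to_regex(hs) for name, hs in PATTERNS.items()}

def scan(data):
    """Return {pattern name: [match offsets]} for a buffer, like YARA's string matching."""
    return {name: [m.start() for m in rx.finditer(data)] for name, rx in COMPILED.items()}

def rule_matches(data):
    """The rule's condition is 'all of them': every string must match at least once."""
    return all(scan(data).values())

def instantiate(hex_string, filler=0x41):
    """Constructed bytes that satisfy a hex string, with wildcards filled by `filler`."""
    return bytes(filler if t == "??" else int(t, 16) for t in tokenize(hex_string))

def build_sample(names, pad=b"\x90" * 8):
    """Constructed test buffer: the named patterns, NOP-padded, in the given order."""
    out = pad
    for name in names:
        out += instantiate(PATTERNS[name]) + pad
    return out

if __name__ == "__main__":
    full = build_sample(["$mw1", "$mw2", "$mw3", "$mw4"])  # all four strings present
    partial = build_sample(["$mw1", "$mw2", "$mw3"])       # $mw4 absent: no alert
    print(scan(full))                                      # offsets 8, 53, 84, 111
    print(rule_matches(full), rule_matches(partial))       # True False
```

Because the rule matches file content, a true positive here says only that the scanned file carries POCO/OpenSSL code sequences; the process-name exclusions listed below are applied to the process that created or executed that file, not to the YARA match itself.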
This rule contains 4 string patterns ($mw1 to $mw4) in its detection logic, and its condition requires all of them to match. It can be deployed in the following contexts; each lists a benign scenario that may trigger the rule together with a suggested filter/exclusion:
Scenario: Development Environment with Static Libraries
Description: A developer may statically link POCO and OpenSSL libraries during local testing or build processes.
Filter/Exclusion: process.name != "g++" && process.name != "clang++" && process.name != "cmake"

Scenario: Scheduled System Updates or Patching Jobs
Description: Automated scripts or scheduled tasks may use static linking for OpenSSL or POCO during system updates or patching.
Filter/Exclusion: process.name != "update-manager" && process.name != "apt" && process.name != "yum"

Scenario: Internal Tool for Data Processing
Description: An internal tool (e.g., data_processor) may use statically linked OpenSSL and POCO for secure data handling.
Filter/Exclusion: process.name != "data_processor" && process.name != "internal_tool"

Scenario: Admin Task for Configuration Backup
Description: An admin task (e.g., config_backup.sh) may use OpenSSL for encrypting configuration files, potentially triggering the rule.
Filter/Exclusion: process.name != "config_backup.sh" && process.name != "backup_script"

Scenario: CI/CD Pipeline Artifact Packaging
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) may package artifacts with statically linked libraries during build stages.
Filter/Exclusion: process.name != "jenkins" && process.name != "gitlab-runner" && process.name != "build_script"