The detection identifies potential APT Hellsing implant strings used by adversaries to establish persistence or execute malicious payloads within the environment. SOC teams should proactively hunt for this behavior to detect early-stage compromise and prevent lateral movement or data exfiltration.
YARA Rule
rule apt_hellsing_implantstrings
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing implants"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        $mz = "MZ"
        $a1 = "the file uploaded failed !"
        $a2 = "ping 127.0.0.1"
        $b1 = "the file downloaded failed !"
        $b2 = "common.asp"
        $c = "xweber_server.exe"
        $d = "action="
        $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase
        $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase
        $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase
        $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase
        $debugpath5 = "e:\\Hellsing\\release\\clare" nocase
        $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase
        $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
        $e = "msger_server.dll"
        $f = "ServiceMain"

    condition:
        ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
}
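A point worth checking before deploying the rule is how YARA parses its condition: `and` binds tighter than `or`, so `$mz at 0` only gates the `$a*` branch and `filesize < 500000` only gates the `$e`/`$f` branch; the `$b*`, `$c`/`$d` and `$debugpath*` branches fire on any file of any size, MZ header or not. The following added example (not part of the page or of Kaspersky's rule) re-implements the condition in plain Python with that precedence made explicit, so each disjunct can be inspected on its own. The evaluator, helper names and sample buffers are constructed here; the strings are the rule's own.

```python
"""
Evaluate the apt_hellsing_implantstrings condition in plain Python, honouring
YARA's operator precedence ('and' binds tighter than 'or'), so that each
disjunct of the published condition can be inspected separately.
Example code added for this page; the string patterns are the rule's, the
evaluator, helper names and sample buffers below are constructed.
"""

# String patterns from the rule, grouped as the condition groups them.
MZ = b"MZ"
A = [b"the file uploaded failed !", b"ping 127.0.0.1"]
B = [b"the file downloaded failed !", b"common.asp"]
C = b"xweber_server.exe"
D = b"action="
DEBUGPATHS = [
    b"d:\\Hellsing\\release\\msger\\",
    b"d:\\hellsing\\sys\\xrat\\",
    b"D:\\Hellsing\\release\\exe\\",
    b"d:\\hellsing\\sys\\xkat\\",
    b"e:\\Hellsing\\release\\clare",
    b"e:\\Hellsing\\release\\irene\\",
    b"d:\\hellsing\\sys\\irene\\",
]
E = b"msger_server.dll"
F = b"ServiceMain"
MAX_SIZE = 500000  # the rule's 'filesize < 500000'


def contains(data: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Plain substring test; 'nocase' mirrors the YARA modifier on $debugpath*."""
    if nocase:
        return pattern.lower() in data.lower()
    return pattern in data


def branches(data: bytes) -> dict:
    """Return each disjunct of the rule's condition evaluated separately.

    YARA parses 'x and y or z' as '(x and y) or z', so '$mz at 0' only gates
    the $a* branch and 'filesize < 500000' only gates the $e/$f branch.
    """
    return {
        "mz_and_all_a": data.startswith(MZ) and all(contains(data, s) for s in A),
        "all_b": all(contains(data, s) for s in B),
        "c_and_d": contains(data, C) and contains(data, D),
        "any_debugpath": any(contains(data, s, nocase=True) for s in DEBUGPATHS),
        "e_and_f_small": contains(data, E) and contains(data, F) and len(data) < MAX_SIZE,
    }


def matches(data: bytes) -> bool:
    """True when the published condition would fire on this buffer."""
    return any(branches(data).values())


# Constructed sample buffers (not real samples): each exercises one branch.
SAMPLES = {
    # MZ header plus both $a strings: fires via the first branch.
    "pe_with_a_strings": b"MZ" + b"\x00" * 64 + b"the file uploaded failed ! ping 127.0.0.1",
    # No MZ header, only the $a strings: the first branch fails.
    "text_with_a_strings": b"the file uploaded failed ! ping 127.0.0.1",
    # A debug path in different case: matches thanks to 'nocase', without MZ.
    "debug_path_only": b"built from D:\\HELLSING\\SYS\\XRAT\\ on a dev box",
    # $e and $f present but the buffer is exactly at the size limit: branch fails.
    "e_f_but_large": b"msger_server.dll ServiceMain ".ljust(MAX_SIZE, b"\x00"),
    # Script-like text with none of the string pairs complete.
    "clean": b"echo hello; ping 127.0.0.1; dir common.txt",
}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        fired = [k for k, v in branches(buf).items() if v]
        print(f"{name:22} match={matches(buf)!s:5} via={fired}")
```

Running the script shows `debug_path_only` matching with no MZ header and `e_f_but_large` not matching at 500000 bytes while the same buffer one byte shorter does; if the intent is for every branch to require a PE header and the size cap, the condition needs explicit parentheses around the `or` group.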
This rule contains 16 string patterns in its detection logic. The following benign scenarios can also produce matches; each lists a suggested filter or exclusion for tuning.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that includes strings matching the YARA rule due to common system maintenance commands or log parsing.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler services, or filter by command-line arguments containing schtasks or scheduling.
Scenario: PowerShell Script for Log Analysis
Description: A security team uses a PowerShell script to parse system logs, which includes strings similar to the Hellsing implant due to log formatting or regex patterns.
Filter/Exclusion: Exclude processes with powershell.exe and command-line arguments containing log, analyze, or parse.
Scenario: Admin Task for Patch Deployment
Description: A patch deployment script or tool (e.g., Windows Update, WSUS, or SCCM) includes strings that match the YARA rule due to hardcoded payloads or configuration files.
Filter/Exclusion: Exclude processes related to Windows Update services, wsusutil.exe, or ccmexec.exe.
Scenario: Malware Analysis Environment
Description: A sandbox or malware analysis tool (e.g., Cuckoo, Joe Sandbox, or Binary Ninja) includes strings from known malicious samples that match the rule.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., cuckoo, joe, or sandboxed) or with specific environment variables indicating analysis mode.
Scenario: Custom Tool for Internal Monitoring
Description: An internal tool developed by the security team for monitoring or incident response includes strings that match the YARA rule due to custom logging or alerting mechanisms.
Filter/Exclusion: Exclude processes with custom tool names (e.g., `internal-monitor
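The exclusions above can be applied as a triage step on match events before they reach an analyst. The following added example (not part of the page) encodes each scenario as a small predicate over a match event and reports which scenario, if any, suppressed it. The event fields (`image`, `command_line`, `env`), the `ANALYSIS_MODE` variable name, the internal tool name list and the sample events are all assumed or constructed, not a real product schema.

```python
"""
Post-match triage filter for apt_hellsing_implantstrings alerts, encoding the
benign-context exclusions listed above as predicates over a match event.
Example code added for this page; the event fields (image, command_line, env),
the ANALYSIS_MODE marker, the internal tool names and the sample events are
assumed/constructed, not a real product schema.
"""
import ntpath  # handles Windows paths regardless of the host OS
from typing import Callable, Dict, Optional, Tuple

Event = dict
Predicate = Callable[[Event], bool]


def image_name(ev: Event) -> str:
    """Lower-cased file name of the process image, e.g. 'schtasks.exe'."""
    return ntpath.basename(ev.get("image", "")).lower()


def cmdline(ev: Event) -> str:
    return ev.get("command_line", "").lower()


def any_in(haystack: str, needles) -> bool:
    return any(n in haystack for n in needles)


# One predicate per scenario on the page; each returns True when the match
# should be suppressed as an expected benign context.
EXCLUSIONS: Dict[str, Predicate] = {
    "scheduled_maintenance": lambda ev: image_name(ev) == "schtasks.exe"
        or any_in(cmdline(ev), ("schtasks", "scheduling")),
    "powershell_log_analysis": lambda ev: image_name(ev) == "powershell.exe"
        and any_in(cmdline(ev), ("log", "analyze", "parse")),
    "patch_deployment": lambda ev: image_name(ev) in ("wsusutil.exe", "ccmexec.exe"),
    "malware_analysis_env": lambda ev: any_in(image_name(ev) + " " + cmdline(ev),
                                              ("cuckoo", "joe", "sandboxed"))
        # Assumed variable name: substitute whatever marker your sandbox sets.
        or ev.get("env", {}).get("ANALYSIS_MODE") == "1",
    # Placeholder list; fill in from your own tooling inventory.
    "internal_tools": lambda ev: image_name(ev) in ("internal-monitor.exe",),
}


def triage(ev: Event) -> Tuple[str, Optional[str]]:
    """Return ('suppressed', scenario) or ('escalate', None) for a match event."""
    for name, pred in EXCLUSIONS.items():
        if pred(ev):
            return "suppressed", name
    return "escalate", None


# Constructed sample match events.
SAMPLES = [
    {"image": r"C:\Windows\System32\schtasks.exe", "command_line": "schtasks /run /tn Cleanup"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -File parse-logs.ps1"},
    {"image": r"C:\Windows\CCM\CcmExec.exe", "command_line": "ccmexec"},
    {"image": r"C:\tools\agent.exe", "command_line": "agent --run", "env": {"ANALYSIS_MODE": "1"}},
    # A process with no recognised benign context: goes to an analyst.
    {"image": r"C:\Users\u\AppData\Local\Temp\update.exe", "command_line": "update.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(image_name(ev).ljust(16), triage(ev))
```

Because every predicate keys on a process name or command-line substring, a match from a renamed binary or a crafted command line passes straight through the exclusions; pairing each exclusion with the signer, hash or installation path of the expected tool keeps the suppression tied to the software rather than to its name.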