The hypothesis is that this detection rule identifies the installer used by the APT group Hellsing, specifically the component Kaspersky tracks as msger/irene, by YARA signature matching on file content. It is a file-based indicator rather than a network one: a match on an endpoint points to the early, installation stage of a compromise, before the implant's command and control, lateral movement or data exfiltration. SOC teams should run the rule across endpoint file collections and correlate any matches (host, user, file hash, parent process) in Azure Sentinel to scope the intrusion while it is still early-stage.
YARA Rule
rule apt_hellsing_irene
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing msger irene installer"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
    strings:
        $mz="MZ"
        $a1="\\Drivers\\usbmgr.tmp" wide
        $a2="\\Drivers\\usbmgr.sys" wide
        $a3="common_loadDriver CreateFile error! "
        $a4="common_loadDriver StartService error && GetLastError():%d! "
        $a5="irene" wide
        $a6="aPLib v0.43 - the smaller the better"
    condition:
        ($mz at 0) and (4 of ($a*)) and filesize < 500000
}
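To make the condition concrete, the following is a pure-Python re-implementation of this rule's logic added for this page; it is not Kaspersky's code and not a replacement for the yara binary (in production, run `yara -s` so you see which strings matched). The sample buffers are constructed for the example, not real malware. It shows three things the rule text alone does not: that `wide` means the string is searched as UTF-16LE and the ASCII form of `\Drivers\usbmgr.sys` would not count; that a plain-text file carrying all six strings still fails because `$mz at 0` requires the MZ header at offset 0; and that a benign aPLib-packed tool containing the packer banner and the word "irene" only reaches 2 of the 4 required `$a*` hits.

```python
"""
Re-implementation of the apt_hellsing_irene condition (added example, not
Kaspersky's code). Samples below are constructed for illustration only.
"""

# String definitions mirror the rule. `wide` in YARA means the string is
# searched as UTF-16LE (each ASCII byte followed by 0x00); the default is ASCII.
ASCII_STRINGS = {
    "$a3": b"common_loadDriver CreateFile error! ",
    "$a4": b"common_loadDriver StartService error && GetLastError():%d! ",
    "$a6": b"aPLib v0.43 - the smaller the better",
}
WIDE_STRINGS = {
    "$a1": "\\Drivers\\usbmgr.tmp".encode("utf-16-le"),
    "$a2": "\\Drivers\\usbmgr.sys".encode("utf-16-le"),
    "$a5": "irene".encode("utf-16-le"),
}
MAX_FILESIZE = 500000        # filesize < 500000
REQUIRED_A_MATCHES = 4       # 4 of ($a*)


def matched_strings(data: bytes) -> list:
    """Return the identifiers of the $a* strings present in data, sorted."""
    hits = [sid for sid, pat in ASCII_STRINGS.items() if pat in data]
    hits += [sid for sid, pat in WIDE_STRINGS.items() if pat in data]
    return sorted(hits)


def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition; return the verdict plus the evidence."""
    mz_at_0 = data[:2] == b"MZ"            # ($mz at 0)
    hits = matched_strings(data)           # (4 of ($a*))
    size_ok = len(data) < MAX_FILESIZE     # filesize < 500000
    return {
        "match": mz_at_0 and len(hits) >= REQUIRED_A_MATCHES and size_ok,
        "mz_at_0": mz_at_0,
        "strings": hits,
        "filesize": len(data),
    }


def build_sample(ascii_ids, wide_ids, pe_header=True, pad=0) -> bytes:
    """Constructed sample: optional 'MZ' stub, the chosen strings, padding."""
    body = b"MZ" + b"\x90" * 62 if pe_header else b"#!/bin/sh\n"
    for sid in ascii_ids:
        body += ASCII_STRINGS[sid] + b"\x00"
    for sid in wide_ids:
        body += WIDE_STRINGS[sid] + b"\x00\x00"
    return body + b"\x00" * pad


ALL_ASCII, ALL_WIDE = ["$a3", "$a4", "$a6"], ["$a1", "$a2", "$a5"]

# 1. Installer-like file: MZ header plus all six strings -> matches.
INSTALLER = build_sample(ALL_ASCII, ALL_WIDE)

# 2. Benign aPLib-packed tool containing the packer banner and a UTF-16
#    "irene": only 2 of 6 strings, below the threshold -> no match.
PACKED_TOOL = build_sample(["$a6"], ["$a5"])

# 3. Text file holding every string but no MZ at offset 0 -> no match.
STRING_DUMP = build_sample(ALL_ASCII, ALL_WIDE, pe_header=False)

# 4. Same content as the installer, padded past the filesize cap -> no match.
OVERSIZED = build_sample(ALL_ASCII, ALL_WIDE, pad=MAX_FILESIZE)

if __name__ == "__main__":
    for name, blob in [("installer", INSTALLER), ("packed_tool", PACKED_TOOL),
                       ("string_dump", STRING_DUMP), ("oversized", OVERSIZED)]:
        print(name, evaluate(blob))
```

The `strings` field in the verdict is the part worth keeping in triage: a match on `$a5` and `$a6` alone is a packer artefact, whereas the `common_loadDriver` error strings and the usbmgr driver paths are specific to this installer.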
This YARA rule contains 7 string patterns ($mz plus $a1 through $a6); a file matches only if it begins with MZ, contains at least 4 of the 6 $a strings and is smaller than 500,000 bytes. Because the rule inspects file content, it is deployed wherever files can be scanned (endpoint agents, mail and file-share gateways, sandbox and forensic collections). The scenarios below describe legitimate activity that could be confused with a match and suggest exclusions. In every case, verify which strings matched and the file's hash before excluding anything: an exclusion keyed only to the launching process (schtasks.exe, powershell.exe, an updater) would also suppress an attacker running the installer through that same process.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task created with schtasks.exe or Task Scheduler runs a script or tool whose on-disk binary happens to contain at least four of the rule's strings, producing a match when the task's working directory is scanned.
Filter/Exclusion: After verifying the file, exclude it by hash, and secondarily by path and task name (e.g., MaintenanceTask_01). Do not exclude everything launched by schtasks.exe: scheduled tasks are also a common persistence mechanism for an installer like this one.
Scenario: Admin Performing File Integrity Check
Description: An administrator is using PowerShell or Sysinternals tools (e.g., Process Explorer, Autoruns) to check file integrity or analyze system behavior. The tools themselves do not carry these strings, but files the administrator has collected for analysis may, so a scan of the admin's working directory can match.
Filter/Exclusion: Exclude known admin scripts by path and hash (e.g., CheckIntegrity.ps1) and the Sysinternals directory by signed-binary hash. A match on a file the administrator collected is a true positive on that file and should be handled as a sample, not as noise.
Scenario: Log File Analysis Using Splunk or ELK
Description: Splunk or the ELK Stack (logstash, kibana) is parsing system logs, some of which record the rule's strings. A plain-text log cannot match on its own, because the condition requires MZ at offset 0; a match in a log or index directory therefore means an executable was written there and should be verified rather than excluded.
Filter/Exclusion: If exclusions are needed, key them to the splunkd.exe, logstash and kibana binaries by hash rather than by process name, and limit path-based exclusions (e.g., C:\ProgramData\splunk\logs\) to non-executable log and index files.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch deployment using tools like Chocolatey, WSUS, or Group Policy stages binaries in temporary directories; a staged package that contains at least four of the rule's strings in an MZ file would match.
Filter/Exclusion: Exclude verified update payloads by hash or publisher signature, and restrict directory-based exclusions for known staging locations (e.g., C:\Windows\Temp\ or C:\Program Files\WindowsUpdate\) to files that carry a valid publisher signature. Excluding everything written by choco.exe, wsusutil.exe or gpupdate.exe would also hide an installer dropped into those directories.