The hypothesis is that the detection rule identifies potential adversary activity associated with the APT group Hellsing, specifically its msger type 2 implant, which may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage threats and prevent further network infiltration.
YARA Rule
rule apt_hellsing_msgertype2
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing msger type 2 implants"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
    strings:
        $mz = "MZ"
        $a1 = "%s\\system\\%d.txt"
        $a2 = "_msger"
        $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
        $a4 = "http://%s/data/%s.1000001000"
        $a5 = "/lib/common.asp?action=user_upload&file="
        $a6 = "%02X-%02X-%02X-%02X-%02X-%02X"
    condition:
        ($mz at 0) and (4 of ($a*)) and filesize < 500000
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic: the $mz anchor, which must appear at offset 0, and the six $a* strings, of which at least 4 must be present in a file smaller than 500000 bytes.
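To make the condition above concrete, the following added example (not part of the original page or of Kaspersky's rule) re-implements its three clauses in pure Python and exercises them against constructed buffers, so an analyst can see exactly which combinations of strings, header and size produce a match. The buffers are fabricated and contain no real implant code.

```python
"""Evaluate the apt_hellsing_msgertype2 condition in pure Python against
constructed sample buffers (no yara-python dependency, no real samples)."""

# The $mz anchor and the six $a* strings, copied from the rule.
# YARA's "%s\\system\\%d.txt" is the literal bytes %s\system\%d.txt,
# which the Python bytes literal below also produces.
MZ = b"MZ"
A_STRINGS = [
    b"%s\\system\\%d.txt",
    b"_msger",
    b"http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s",
    b"http://%s/data/%s.1000001000",
    b"/lib/common.asp?action=user_upload&file=",
    b"%02X-%02X-%02X-%02X-%02X-%02X",
]
MAX_FILESIZE = 500000   # condition: filesize < 500000 (strict)
REQUIRED_HITS = 4       # condition: 4 of ($a*)  (at least four)


def evaluate(data: bytes) -> dict:
    """Return each clause of the rule's condition plus the overall verdict."""
    mz_at_0 = data.startswith(MZ)                      # ($mz at 0)
    hits = sum(1 for s in A_STRINGS if s in data)      # how many $a* are present
    size_ok = len(data) < MAX_FILESIZE                 # filesize < 500000
    return {
        "mz_at_0": mz_at_0,
        "a_hits": hits,
        "size_ok": size_ok,
        "match": mz_at_0 and hits >= REQUIRED_HITS and size_ok,
    }


def build_sample(n_strings: int, size: int = 4096, mz: bool = True) -> bytes:
    """Construct a fake PE-like blob (hypothetical test data) that embeds the
    first n_strings $a* strings and is zero-padded to exactly `size` bytes."""
    head = MZ if mz else b"ZM"                         # break the anchor on demand
    body = b"\x00".join(A_STRINGS[:n_strings])
    return (head + body).ljust(size, b"\x00")


if __name__ == "__main__":
    for label, blob in [
        ("4 strings, MZ header, 4 KiB", build_sample(4)),
        ("3 strings, MZ header, 4 KiB", build_sample(3)),
        ("6 strings, no MZ header", build_sample(6, mz=False)),
        ("6 strings, exactly 500000 bytes", build_sample(6, size=500000)),
    ]:
        print(f"{label}: {evaluate(blob)}")
```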
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a scheduled disk cleanup or log rotation, uses a tool like logrotate or cleanmgr.exe and generates network traffic resembling the rule’s signature.
Filter/Exclusion: Exclude processes initiated by cron (Linux) or Task Scheduler (Windows) with known maintenance scripts.
Scenario: Admin Performing Network Configuration via PowerShell
Description: An administrator uses PowerShell to configure network settings, such as updating routing tables or firewall rules, which may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes with the PowerShell.exe executable and command-line arguments containing netsh, route, or firewall.
Scenario: Legitimate Software Update via SCCM
Description: A software update initiated by Microsoft System Center Configuration Manager (SCCM) may generate network traffic that matches the YARA rule due to similar payload structures.
Filter/Exclusion: Exclude traffic originating from the SCCM client (ccmexec.exe) or associated update packages.
Scenario: Database Backup Job Using SQL Server Agent
Description: A database backup job executed via SQL Server Agent may involve network communication that resembles the rule’s signature, especially if the backup tool uses a similar protocol or payload.
Filter/Exclusion: Exclude processes initiated by sqlagent.exe or associated with SQL Server backup tasks.
Scenario: Security Tool Performing Network Scanning
Description: A legitimate security tool like Nmap or Masscan may generate network traffic that matches the rule’s signature during a routine scan or vulnerability assessment.
Filter/Exclusion: Exclude processes with the nmap.exe or masscan.exe executable, or traffic originating from known security scanning tools.