Adversaries may use malware related to PutterPanda - MSUpdater to execute arbitrary code and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging this malware variant.
YARA Rule
rule APT_Malware_PutterPanda_MsUpdater_1
{
    meta:
        description = "Detects Malware related to PutterPanda - MSUpdater"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "b55072b67543f58c096571c841a560c53d72f01a"
    strings:
        $x0 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
        $x1 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
        $s1 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
        $s2 = "Automatic Updates" fullword wide /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occurred 22 times */
        $s3 = "VirtualProtectEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occurred 68 times */
        $s4 = "Invalid parameter" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occurred 69 times */
        $s5 = "VirtualAllocEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occurred 95 times */
        $s6 = "WriteProcessMemory" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87' */ /* Goodware String - occurred 131 times */
    condition:
        ( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or ( 1 of ($x*) and all of ($s*) )
}
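As an added example (not part of the rule above or of the original page), the following Python re-implements the rule's condition on raw bytes so the two branches and the fullword semantics can be checked against constructed samples; the evaluator, the helper names and the sample blobs are assumptions of this example and contain no real malware.

```python
import struct

# Added evaluator for the rule's condition on a byte blob; not yara itself.
# "wide" patterns are UTF-16LE, "ascii" patterns are raw bytes, as in YARA.
X_STRINGS = [("msupdate.exe", "wide"), ("msupdate", "wide")]
S_STRINGS = [("Microsoft Corporation. All rights reserved.", "wide"),
             ("Automatic Updates", "wide"), ("VirtualProtectEx", "ascii"),
             ("Invalid parameter", "ascii"), ("VirtualAllocEx", "ascii"),
             ("WriteProcessMemory", "ascii")]

def _alnum_unit(unit, width):
    # A wide neighbour is one ASCII byte followed by 0x00; an ascii one is a single byte.
    if width == "wide":
        return len(unit) == 2 and unit[1] == 0 and unit[:1].isalnum()
    return unit.isalnum()

def fullword_match(data, pattern, width):
    """YARA 'fullword': the match may not be bordered by alphanumeric characters."""
    enc = pattern.encode("utf-16-le" if width == "wide" else "ascii")
    step = 2 if width == "wide" else 1
    pos = 0
    while (i := data.find(enc, pos)) != -1:
        before, after = data[max(i - step, 0):i], data[i + len(enc):i + len(enc) + step]
        if not (_alnum_unit(before, width) or _alnum_unit(after, width)):
            return True
        pos = i + 1  # bordered by a letter/digit: keep looking for a clean occurrence
    return False

def match_counts(data):
    """Return (has MZ header, number of $x hits, number of $s hits)."""
    is_mz = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D
    x_hits = sum(fullword_match(data, p, w) for p, w in X_STRINGS)
    s_hits = sum(fullword_match(data, p, w) for p, w in S_STRINGS)
    return is_mz, x_hits, s_hits

def rule_matches(data):
    """The rule's condition: MZ and 1 $x and 4 $s, or 1 $x and all six $s."""
    is_mz, x_hits, s_hits = match_counts(data)
    return (is_mz and x_hits >= 1 and s_hits >= 4) or (x_hits >= 1 and s_hits == len(S_STRINGS))

def wide(s):
    return s.encode("utf-16-le")

# Constructed sample blobs (not real files); strings are NUL-separated as in a PE string table.
API_NAMES = b"\x00VirtualProtectEx\x00VirtualAllocEx\x00WriteProcessMemory\x00Invalid parameter\x00"
PE_SAMPLE = b"MZ" + b"\x00" * 62 + wide("msupdate.exe") + b"\x00\x00" + API_NAMES
NO_MZ_FOUR_S = b"\x00" * 64 + wide("msupdate.exe") + b"\x00\x00" + API_NAMES
NO_MZ_ALL_S = (NO_MZ_FOUR_S + b"\x00" + wide("Automatic Updates") + b"\x00\x00"
               + wide("Microsoft Corporation. All rights reserved.") + b"\x00\x00")
SUBSTRING_ONLY = b"MZ" + b"\x00" * 62 + wide("newmsupdate.exe") + b"\x00\x00" + API_NAMES
```

`SUBSTRING_ONLY` shows why `fullword` matters: the msupdate name is present but only as part of a longer wide word, so neither `$x` string fires and the rule stays silent even with four `$s` API names present.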
This rule contains 8 string patterns in its detection logic: two $x strings naming msupdate, which carry the weight, and six $s strings that the rule's own comments mark as common in legitimate software. The following scenarios describe benign activity that can resemble this behavior, each with a suggested filter or exclusion to reduce false positives.
Scenario: A system administrator is manually updating the Microsoft Windows Update service using the wuauclt.exe tool.
Filter/Exclusion: Exclude processes where the executable path contains wuauclt.exe or where the process is initiated by a user with administrative privileges and the command line includes --update or --sync.
Scenario: A scheduled task runs the msiexec.exe utility to install a legitimate Microsoft update package.
Filter/Exclusion: Exclude processes where the executable path contains msiexec.exe and the command line includes /i followed by a valid Microsoft update MSI file path.
Scenario: A security tool like Microsoft Defender performs a full system scan and temporarily loads the MsMpEng.exe process.
Filter/Exclusion: Exclude processes where the executable path contains MsMpEng.exe and the process is associated with a known Microsoft security service or scheduled scan.
Scenario: An IT team is using PowerShell to run a script that interacts with the Windows Update API (wuapi.dll) to manage update settings.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the command line includes Import-Module or references wuapi.dll in a known IT management script.
Scenario: A system is running a Windows Server Update Services (WSUS) client that synchronizes updates from a local WSUS server.
Filter/Exclusion: Exclude processes where the executable path contains wuauclt.exe and the process is initiated from a machine configured as a WSUS client with a known internal update server.