Adversaries may use malware related to PutterPanda - MSUpdater to establish persistence and execute malicious payloads on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats leveraging this malware family.
YARA Rule
rule APT_Malware_PutterPanda_MsUpdater_2
{
    meta:
        description = "Detects Malware related to PutterPanda - MSUpdater"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "365b5537e3495f8ecfabe2597399b1f1226879b1"
    strings:
        $s0 = "winsta0\\default" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.99' */ /* Goodware String - occurred 6 times */
        $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occurred 22 times */
        $s2 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occurred 29 times */
        $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occurred 31 times */
        $s4 = "CreateProcessAsUserA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occurred 86 times */
        $s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occurred 87 times */
        $s6 = "HttpEndRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occurred 91 times */
        $s7 = "GetModuleBaseNameA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.88' */ /* Goodware String - occurred 121 times */
        $s8 = "GetModuleFileNameExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.86' */ /* Goodware String - occurred 144 times */
        $s9 = "HttpSendRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.85' */ /* Goodware String - occurred 154 times */
        $s10 = "HttpOpenRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.84' */ /* Goodware String - occurred 159 times */
        $s11 = "InternetConnectA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occurred 183 times */
        $s12 = "Process32Next" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.80' */ /* Goodware String - occurred 204 times */
        $s13 = "Process32First" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.79' */ /* Goodware String - occurred 210 times */
        $s14 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.78' */ /* Goodware String - occurred 222 times */
        $s15 = "EnumProcesses" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.73' */ /* Goodware String - occurred 273 times */
        $s16 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.66' */ /* Goodware String - occurred 336 times */
        $s17 = "PeekNamedPipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.65' */ /* Goodware String - occurred 347 times */
        $s18 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.59' */ /* Goodware String - occurred 410 times */
        $s19 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58' */ /* Goodware String - occurred 420 times */
        $s20 = "SPSSSQ" fullword ascii /* score: '4.51' */
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
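To show how the rule's condition is evaluated (the MZ header check, the 220KB size bound, and YARA fullword semantics applied to all 21 strings), here is an added Python example that re-implements the matching logic over constructed byte buffers. It is not code from the original page or from the signature author; the sample buffers are constructed for illustration and are not real samples.

```python
import re

# The 21 "fullword ascii" strings from the rule above, copied verbatim.
RULE_STRINGS = [
    "winsta0\\default", "EXPLORER.EXE", "WNetEnumResourceA", "explorer.exe",
    "CreateProcessAsUserA", "HttpSendRequestExA", "HttpEndRequestA",
    "GetModuleBaseNameA", "GetModuleFileNameExA", "HttpSendRequestA",
    "HttpOpenRequestA", "InternetConnectA", "Process32Next", "Process32First",
    "CreatePipe", "EnumProcesses", "LookupPrivilegeValueA", "PeekNamedPipe",
    "EnumProcessModules", "PSAPI.DLL", "SPSSSQ",
]
MAX_FILESIZE = 220 * 1024  # YARA's "220KB" is 220 * 1024 bytes

def fullword_present(data: bytes, s: str) -> bool:
    """YARA 'fullword' semantics: the string must not be immediately preceded
    or followed by an alphanumeric byte (any other byte, or EOF, is a boundary)."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(s.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def matches_rule(data: bytes) -> bool:
    """Python rendering of the rule's condition:
    uint16(0) == 0x5a4d and filesize < 220KB and all of them."""
    if len(data) < 2 or data[:2] != b"MZ":  # uint16(0) == 0x5a4d is little-endian "MZ"
        return False
    if len(data) >= MAX_FILESIZE:           # filesize < 220KB
        return False
    return all(fullword_present(data, s) for s in RULE_STRINGS)

def missing_strings(data: bytes) -> list:
    """Which rule strings a buffer lacks; useful when triaging a near-miss."""
    return [s for s in RULE_STRINGS if not fullword_present(data, s)]

# Constructed sample buffers (not real malware): an MZ header followed by the
# rule's strings separated by NUL bytes, the way an import table lays them out.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00".join(s.encode() for s in RULE_STRINGS) + b"\x00"
# Same content, but "Process32First" now only appears inside a longer token,
# so the fullword requirement fails for that one string and the rule does not fire.
SAMPLE_PARTIAL = SAMPLE_HIT.replace(b"\x00Process32First\x00", b"\x00xProcess32FirstY\x00")
SAMPLE_NOT_PE = SAMPLE_HIT[2:]  # all strings present, but no MZ header

if __name__ == "__main__":
    print("hit:", matches_rule(SAMPLE_HIT))                      # True
    print("partial missing:", missing_strings(SAMPLE_PARTIAL))   # ['Process32First']
    print("not PE:", matches_rule(SAMPLE_NOT_PE))                # False
```

Because the condition requires all of them, a single string hidden inside a longer token (or stripped from the binary) is enough to miss; the missing_strings helper shows which one when tuning or triaging.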
This rule contains 21 string patterns in its detection logic. The scenarios below describe legitimate activity that may overlap with what the rule looks for, each with a suggested filter or exclusion:
Scenario: A system administrator is using Windows Update or the Group Policy Management Console (GPMC) to deploy updates, whose components may have names similar to MSUpdater.
Filter/Exclusion: Check for ProcessName containing “wuau” or “gpmc” and exclude processes running under the LocalSystem account or the Administrators group.

Scenario: A scheduled task is configured to run a legitimate maintenance script that temporarily uses a process name similar to MSUpdater.
Filter/Exclusion: Filter by TaskName or CommandLine containing known legitimate scripts (e.g., schtasks.exe with a known task name).

Scenario: A third-party tool such as Microsoft System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager is performing system updates or patching, which may trigger the rule.
Filter/Exclusion: Check for ProcessName containing “ConfigMgr” or “Intune” and exclude processes whose ParentProcessName matches known SCCM or Intune services.

Scenario: A system diagnostic tool such as Windows Performance Analyzer (WPA) or Windows Resource Monitor is running, and its processes may have similar names.
Filter/Exclusion: Filter by ProcessName containing “wpa” or “resmon” and exclude processes whose ParentProcessName matches “explorer.exe” or “services.exe”.

Scenario: A custom script or automation tool (e.g., PowerShell or Task Scheduler) is being used to perform routine system maintenance, which may include processes with names similar to MSUpdater.
Filter/Exclusion: Check for CommandLine containing PowerShell or Task Scheduler commands, and exclude processes whose User field is set to “SYSTEM” or “Administrators”.