Adversaries may use malware related to PutterPanda - MSUpdater to execute arbitrary code and escalate privileges within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging this malware variant.
YARA Rule
rule APT_Malware_PutterPanda_MsUpdater_3
{
    meta:
        description = "Detects Malware related to PutterPanda - MSUpdater"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
    strings:
        $s0 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
        $s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */
        $s2 = "FAVORITES.DAT" fullword ascii /* score: '11.02' */
        $s4 = "COMSPEC" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occurred 178 times */
    condition:
        uint16(0) == 0x5a4d and 3 of them
}
This rule contains 4 string patterns in its detection logic. It fires only on files that start with an MZ (PE) header and contain at least 3 of the 4 strings as full words; "COMSPEC" is flagged in the rule itself as a common goodware string, which is why the condition requires three strings rather than one. The scenarios below describe legitimate activity that can resemble the rule's detection logic, each paired with a suggested filter or exclusion for tuning.
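To make the condition concrete, the following added Python example re-implements the rule's matching logic outside of YARA (it is not part of the original rule or page): an MZ header check, YARA's fullword semantics for the four ASCII strings, and the "3 of them" threshold. The three input buffers are constructed for illustration and are not real samples.

```python
import re

# The four 'fullword ascii' strings from APT_Malware_PutterPanda_MsUpdater_3.
RULE_STRINGS = {
    "$s0": b"msupdater.exe",
    "$s1": b'Explorer.exe "',
    "$s2": b"FAVORITES.DAT",
    "$s4": b"COMSPEC",
}
MIN_MATCHES = 3  # the rule's "3 of them"


def fullword_hits(data: bytes, needle: bytes) -> int:
    """Count occurrences the way YARA's 'fullword' modifier does: the match
    must not be directly preceded or followed by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return len(re.findall(pattern, data))


def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition: uint16(0) == 0x5a4d and 3 of them."""
    # uint16(0) in YARA is little-endian, so 0x5a4d is the bytes b"MZ".
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    counts = {name: fullword_hits(data, s) for name, s in RULE_STRINGS.items()}
    matched = sorted(name for name, n in counts.items() if n > 0)
    return {
        "mz_header": is_mz,
        "matched": matched,
        "fires": is_mz and len(matched) >= MIN_MATCHES,
    }


# Constructed test buffers (not real malware):
#  - SAMPLE_HIT: PE-like header plus three of the four strings as full words
#  - SAMPLE_FULLWORD_MISS: strings embedded inside longer tokens, so only COMSPEC counts
#  - SAMPLE_NOT_PE: all four strings present, but no MZ header (e.g. a text file)
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 60 + b"\x00msupdater.exe\x00FAVORITES.DAT\x00COMSPEC\x00"
SAMPLE_FULLWORD_MISS = b"MZ\x90\x00" + b"xmsupdater.exe1\x00FAVORITES.DATA\x00COMSPEC\x00"
SAMPLE_NOT_PE = b'msupdater.exe FAVORITES.DAT COMSPEC Explorer.exe "'

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("fullword_miss", SAMPLE_FULLWORD_MISS),
                       ("not_pe", SAMPLE_NOT_PE)]:
        print(label, evaluate(buf))
```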
Scenario: A system administrator is running a scheduled maintenance task using PowerShell to update system files, which includes executing scripts that resemble malicious activity.
Filter/Exclusion: Check the execution context: process.parent.name == "Windows PowerShell" or (process.name == "powershell.exe" and process.parent.name == "Task Scheduler").
Scenario: A legitimate Windows Update process is running, which may include downloading and executing files that match the signature of the PutterPanda - MSUpdater malware.
Filter/Exclusion: Filter by process.name == "wuauclt.exe", or process.name == "svchost.exe" with process.parent.name == "services.exe".
Scenario: A System Center Configuration Manager (SCCM) job is running, which deploys patches or updates that involve file operations matching the detection logic.
Filter/Exclusion: Check for process.name == "ccmexec.exe" or process.name == "ccmsetup.exe", and verify the process is associated with a known SCCM task.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that performs system cleanup or file integrity checks, which may trigger the rule due to similar file operations.
Filter/Exclusion: Filter by process.name == "schtasks.exe" or process.parent.name == "Task Scheduler", and verify the task is associated with a known legitimate script.
Scenario: A Windows Defender scan is in progress, which may involve scanning and quarantining files that match the PutterPanda - MSUpdater signature.
Filter/Exclusion: Check for process.name == "MsMpEng.exe" (the Windows Defender engine process) and ensure the process is associated with a scheduled or on-demand scan.