Adversaries may use malware related to Putter Panda to establish persistence and exfiltrate data within Azure environments. Proactively hunting for this behavior helps SOC teams identify and mitigate advanced threats before significant data loss or system compromise occurs.
YARA Rule
rule APT_Malware_PutterPanda_PSAPI
{
    meta:
        description = "Detects a malware related to Putter Panda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
    strings:
        $s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.03' */
        $s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.045' */
        $s2 = "psapi.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 54 times */
        $s3 = "urlmon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 471 times */
        $s4 = "WinHttpGetProxyForUrl" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 179 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
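To make the rule's condition concrete, the following is an added Python example (not part of the original page and not the rule author's tooling) that re-implements the rule's logic with the standard library only: the little-endian uint16(0) == 0x5a4d check for the MZ magic, the filesize bound, and YARA's fullword ascii semantics for the five strings. The input buffers are constructed here and are not real samples; in production the rule is run with yara or yara-python, and this helper only shows why a given file does or does not hit, and which of the five strings are responsible.

```python
import re
import struct

# The five "fullword ascii" strings from the rule, keyed by identifier.
RULE_STRINGS = {
    "$s0": b"LOADER ERROR",
    "$s1": b"The procedure entry point %s could not be located in the dynamic link library %s",
    "$s2": b"psapi.dll",
    "$s3": b"urlmon.dll",
    "$s4": b"WinHttpGetProxyForUrl",
}

# YARA's "300KB" means 300 * 1024 bytes.
MAX_FILESIZE = 300 * 1024


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be adjacent to an alphanumeric byte on either side."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> dict:
    """Per-identifier match table, useful for triage when a file hits only some strings."""
    return {ident: fullword_matches(data, s) for ident, s in RULE_STRINGS.items()}


def evaluate_rule(data: bytes) -> bool:
    """Mirror the condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them."""
    if len(data) < 2:
        return False
    # YARA's uint16() reads little-endian, so 0x5a4d is the byte pair 'M' 'Z'.
    if struct.unpack("<H", data[:2])[0] != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return all(matched_strings(data).values())


def build_sample(strings, header: bytes = b"MZ") -> bytes:
    """Construct a synthetic buffer (not a real PE) with NUL-separated strings after the header."""
    pad = b"\x00" * 64
    return header + pad + b"\x00".join(strings) + pad


# Constructed inputs for illustration, not real samples.
SYNTHETIC_HIT = build_sample(list(RULE_STRINGS.values()))
# Only the three strings the rule's own comments flag as common in goodware.
SYNTHETIC_GOODWARE = build_sample([b"psapi.dll", b"urlmon.dll", b"WinHttpGetProxyForUrl"])
# All five strings present, but $s0 is glued to a preceding identifier, so 'fullword' rejects it.
SYNTHETIC_NOT_FULLWORD = build_sample([b"MYLOADER ERROR"] + list(RULE_STRINGS.values())[1:])


if __name__ == "__main__":
    cases = [("hit", SYNTHETIC_HIT), ("goodware", SYNTHETIC_GOODWARE), ("not-fullword", SYNTHETIC_NOT_FULLWORD)]
    for name, buf in cases:
        print(f"{name:13} -> {evaluate_rule(buf)} {matched_strings(buf)}")
```

The goodware buffer shows why the rule requires all of them: three of the five strings occur in ordinary Windows binaries, and only the combination with the loader error strings is distinctive. Because the rule operates on file content, any tuning for the process-based scenarios below belongs in the telemetry layer that surrounds the scan, not inside the rule itself.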
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -File with a path to a known trusted script or update tool.
Scenario: A scheduled job runs Task Scheduler to clean up temporary files, which includes executing a script named putter_panda_cleanup.ps1.
Filter/Exclusion: Exclude processes where ProcessName is schtasks.exe and the script path is known to be part of a legitimate cleanup routine.
Scenario: An IT admin is using Windows Admin Center to perform a system health check, which triggers a script named putter_panda_health_check.bat.
Filter/Exclusion: Exclude processes where ProcessName is winrm.exe or wac.exe and the script path is known to be part of a trusted admin tool.
Scenario: A database administrator is using SQL Server Agent to run a backup job that includes a script named putter_panda_backup.sql.
Filter/Exclusion: Exclude processes where ProcessName is sqlagent.exe and the script path is known to be part of a legitimate backup routine.
Scenario: A user is running a legitimate security tool like Malwarebytes or Bitdefender, which includes a module with a similar name to Putter Panda.
Filter/Exclusion: Exclude processes where ProcessName is mbam.exe, bdagent.exe, or other known security tool executables.