APT adversaries are leveraging custom malware associated with PutterPanda to establish persistent, stealthy access within target networks, often using obfuscated payloads to evade traditional detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and disrupt advanced persistent threats before they exfiltrate sensitive data or move laterally within the environment.
YARA Rule
rule APT_Malware_PutterPanda_Rel
{
    meta:
        description = "Detects an APT malware related to PutterPanda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "5367e183df155e3133d916f7080ef973f7741d34"
    strings:
        /* The misspellings below (does'nt, acess, Addresss, Requset) are the sample's own strings and must stay as written */
        $x0 = "app.stream-media.net" fullword ascii /* score: '12.03' */
        $x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.035' */
        $s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '32.02' */
        $s7 = "Connect %s error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.04' */
        $s9 = "Download file %s successfully!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.03' */
        $s10 = "index.tmp" fullword ascii /* score: '14.03' */
        $s11 = "Execute PE Successfully" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.03' */
        $s13 = "aa/22/success.xml" fullword ascii /* score: '12.005' */
        $s16 = "aa/22/index.asp" fullword ascii /* score: '11.02' */
        $s18 = "File %s a Non-Pe File" fullword ascii /* score: '8.04' */
        $s19 = "SendRequset error!" fullword ascii /* score: '8.04' */
        $s20 = "filelist[%d]=%s" fullword ascii /* score: '7.015' */
    condition:
        ( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 4 of ($s*) )
}
This rule contains 12 string patterns in its detection logic: a file matches either when it is a PE (uint16(0) == 0x5a4d) and at least one of the two high-confidence $x strings is present, or when at least four of the $s strings are present regardless of file type. The scenarios below describe benign activity that may trigger the rule and the filter or exclusion to apply in each case.
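To make the two match paths of the condition concrete, the following added example (not part of the original page and not a replacement for libyara) re-implements just the subset of YARA the rule uses: `fullword ascii` strings, the `uint16(0)` header check, and `N of ($prefix*)` counting. It parses the rule's own string definitions and evaluates them against constructed buffers, including one where the C2 hostname is embedded in a longer token so that `fullword` correctly rejects it. The sample buffers and the `build_sample`/`scan` helpers are assumptions made for this example.

```python
"""Minimal evaluator for the PutterPanda rule's string and condition logic.

Added example: re-implements only the YARA subset this rule uses so that
its two match branches can be exercised on constructed buffers offline.
"""
import re
import struct

# String definitions copied verbatim from the rule on the page. The
# misspellings are the malware's own and must not be corrected.
RULE_STRINGS = r'''
$x0 = "app.stream-media.net" fullword ascii
$x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii
$s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii
$s7 = "Connect %s error!" fullword ascii
$s9 = "Download file %s successfully!" fullword ascii
$s10 = "index.tmp" fullword ascii
$s11 = "Execute PE Successfully" fullword ascii
$s13 = "aa/22/success.xml" fullword ascii
$s16 = "aa/22/index.asp" fullword ascii
$s18 = "File %s a Non-Pe File" fullword ascii
$s19 = "SendRequset error!" fullword ascii
$s20 = "filelist[%d]=%s" fullword ascii
'''

# One `$name = "literal" fullword ascii` definition per line.
STRING_DEF = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s+fullword\s+ascii')


def parse_strings(rule_text):
    """Return {identifier: compiled bytes regex} for each fullword ascii string."""
    out = {}
    for name, literal in STRING_DEF.findall(rule_text):
        raw = literal.encode("latin-1").decode("unicode_escape").encode("latin-1")
        # YARA 'fullword': no alphanumeric byte immediately before or after the match.
        pattern = rb"(?<![A-Za-z0-9])" + re.escape(raw) + rb"(?![A-Za-z0-9])"
        out[name] = re.compile(pattern)
    return out


STRINGS = parse_strings(RULE_STRINGS)


def scan(data, strings=STRINGS):
    """Evaluate the rule's condition against `data`.

    Returns (matched, hits): hits lists every string identifier found, which is
    what an analyst needs to see when triaging why a file matched.
    """
    hits = sorted(name for name, rx in strings.items() if rx.search(data))
    # uint16(0) == 0x5a4d: little-endian read of the two-byte "MZ" DOS header.
    is_mz = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D
    x_hits = [n for n in hits if n.startswith("x")]
    s_hits = [n for n in hits if n.startswith("s")]
    matched = (is_mz and len(x_hits) >= 1) or len(s_hits) >= 4
    return matched, hits


def build_sample(header, strings):
    """Constructed test buffer (hypothetical): 2-byte header, then NUL-separated strings."""
    return header + b"\x00" + b"\x00".join(strings) + b"\x00"


# Constructed samples, not real malware: each exercises one branch or edge case.
SAMPLES = {
    # PE header plus one $x string: first branch of the condition.
    "pe_one_x": build_sample(b"MZ", [b"app.stream-media.net"]),
    # Not a PE, but four $s strings: second branch.
    "nonpe_four_s": build_sample(b"PK", [b"index.tmp", b"Connect %s error!",
                                         b"SendRequset error!", b"filelist[%d]=%s"]),
    # PE with only three $s strings and no $x: neither branch fires.
    "pe_three_s": build_sample(b"MZ", [b"index.tmp", b"Connect %s error!",
                                       b"SendRequset error!"]),
    # $x0 embedded in a longer token ("webapp..."): fullword rejects it.
    "pe_partial_x": build_sample(b"MZ", [b"webapp.stream-media.net"]),
    # $x0 alone in a non-PE: the $x branch also requires the MZ header.
    "nonpe_one_x": build_sample(b"PK", [b"app.stream-media.net"]),
}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        matched, hits = scan(buf)
        print(f"{name:14s} matched={matched!s:5s} hits={hits}")
```

Running the script prints one line per constructed sample; only `pe_one_x` and `nonpe_four_s` match, which is the behaviour an analyst should expect before tuning exclusions around the rule.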
Scenario: Legitimate system update using Windows Update
Description: A system update process may trigger the rule due to the presence of known file patterns or strings associated with the PutterPanda YARA rule.
Filter/Exclusion: Check the Process field for svchost.exe or wuauclt.exe, and filter by Parent Process being explorer.exe or services.exe.

Scenario: Scheduled backup job using Veeam Backup & Replication
Description: Veeam may generate files or use strings that match the YARA rule, especially during backup operations.
Filter/Exclusion: Filter by Process field containing veeam.exe or Veeam.Backup.exe, and check for File Path containing C:\Program Files\Veeam\.

Scenario: Admin task using PowerShell for log management
Description: A PowerShell script used for log rotation or management may contain strings or file patterns that trigger the PutterPanda rule.
Filter/Exclusion: Filter by Process field containing powershell.exe, and check for File Path containing C:\Windows\System32\WindowsPowerShell\v1.0\.

Scenario: Legitimate software installation using Microsoft Endpoint Configuration Manager (MECM)
Description: MECM may deploy software packages that include files or strings matching the YARA rule during deployment.
Filter/Exclusion: Filter by Process field containing ccmexec.exe or mpssvc.exe, and check for File Path containing C:\Windows\System32\ccm\.

Scenario: Antivirus scan using Microsoft Defender ATP
Description: Defender ATP may scan files that include patterns from the PutterPanda YARA rule during a full system scan.