Malware associated with the Project Sauron APT is being executed in the environment, indicating potential compromise through targeted attacks. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage adversarial activity before it leads to data exfiltration or system control.
YARA Rule
rule APT_Project_Sauron_Custom_M1
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9"
    strings:
        $s1 = "ncnfloc.dll" fullword wide
        $s4 = "Network Configuration Locator" fullword wide
        $op0 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op1 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */
        $op2 = { 2b d8 48 89 7c 24 38 44 89 6c 24 40 83 c3 08 89 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
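To make the condition concrete, the following is an added Python evaluator (not part of the original page, nor tooling from the rule's author) that re-implements just this rule's logic: the MZ check, the 200KB size bound, "fullword wide" text strings and the plain hex opcode patterns. The sample buffer, the helper names and the 200KB constant are assumptions of the example; production scanning should use YARA itself.

```python
# Added example: a minimal evaluator for APT_Project_Sauron_Custom_M1's
# condition, run against a constructed buffer (not a real binary).
WIDE_STRINGS = {
    "$s1": "ncnfloc.dll",
    "$s4": "Network Configuration Locator",
}
OPCODES = {  # hex patterns from the rule; no wildcards, so plain byte search
    "$op0": "80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7",
    "$op1": "80 75 29 85 c9 79 25 b9 01",
    "$op2": "2b d8 48 89 7c 24 38 44 89 6c 24 40 83 c3 08 89",
}
MAX_SIZE = 200 * 1024  # YARA's "200KB" (assumed 1024-byte KB)

def _alnum_wide(pair: bytes) -> bool:
    """A 2-byte UTF-16LE unit holding an ASCII letter or digit."""
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()

def _wide_fullword(data: bytes, text: str) -> bool:
    """True if text occurs UTF-16LE encoded with no alphanumeric wide character
    directly before or after it (YARA's fullword semantics for wide strings)."""
    needle = text.encode("utf-16-le")
    pos = data.find(needle)
    while pos != -1:
        before = data[pos - 2:pos] if pos >= 2 else b""
        after = data[pos + len(needle):pos + len(needle) + 2]
        if not _alnum_wide(before) and not _alnum_wide(after):
            return True
        pos = data.find(needle, pos + 1)
    return False

def evaluate_rule(data: bytes) -> bool:
    """(MZ and filesize < 200KB and all $s and 1 of $op) or (all of them)."""
    s_hits = [_wide_fullword(data, t) for t in WIDE_STRINGS.values()]
    op_hits = [bytes.fromhex(h) in data for h in OPCODES.values()]
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    branch1 = is_mz and len(data) < MAX_SIZE and all(s_hits) and any(op_hits)
    return branch1 or (all(s_hits) and all(op_hits))

def build_sample(mz: bool = True, ops=("$op1",), pad: int = 0) -> bytes:
    """Constructed test buffer: header, both wide strings separated by NULs,
    the chosen opcode sequences, then optional padding to inflate the size."""
    parts = [b"MZ" if mz else b"ZZ", b"\x00" * 64]
    for text in WIDE_STRINGS.values():
        parts += [text.encode("utf-16-le"), b"\x00\x00"]
    parts += [bytes.fromhex(OPCODES[name]) for name in ops]
    return b"".join(parts) + b"\x00" * pad
```

Calling `evaluate_rule(build_sample())` returns True, while dropping the opcode (`ops=()`), inflating past 200KB (`pad=MAX_SIZE`) or losing the MZ header with only one opcode present each returns False; all three opcodes without MZ still match through "all of them".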
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses curl to download a file from a known internal server.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known internal server IP in the URL.

Scenario: Admin Performing Software Update via PowerShell
Description: An admin uses PowerShell to download and install a legitimate software update from a trusted internal repository.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing -ExecutionPolicy Bypass and a URL matching a known internal update server.

Scenario: Database Backup Job Using rsync
Description: A database backup job uses rsync to transfer data between servers, which may include files with suspicious names.
Filter/Exclusion: Exclude processes initiated by rsync with destination paths matching internal backup directories or servers in the same domain.

Scenario: User Downloading a Known Malware Sample for Analysis
Description: A security analyst downloads a known malware sample (e.g., malicious.exe) from a sandboxing platform for analysis.
Filter/Exclusion: Exclude processes initiated by wget or curl with URLs containing sandbox or analysis in the domain.

Scenario: Log Collection Agent Transferring Logs
Description: A log collection agent (e.g., logstash, fluentd) transfers logs to a central logging server, which may include files with suspicious names.
Filter/Exclusion: Exclude processes initiated by logstash or fluentd with destination paths matching known log servers or internal log directories.