Adversaries may use custom encryption or obfuscation to exfiltrate data over encrypted channels, leveraging the ARIA block cipher (identified here through its S-box 2 lookup table) to avoid detection. SOC teams should proactively hunt for this behavior to identify potential data exfiltration attempts that evade traditional signature-based detection methods.
YARA Rule
rule ARIA_SB2
{
    meta:
        author = "spelissier"
        description = "Aria SBox 2"
        date = "2020-12"
        reference = "http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf#page=7"
    strings:
        // Leading bytes of the ARIA SB2 table as laid out in the specification
        $c0 = { E2 4E 54 FC 94 C2 4A CC 62 0D 6A 46 3C 4D 8B D1 5E FA 64 CB B4 97 BE 2B BC 77 2E 03 D3 19 59 C1 }
    condition:
        $c0
}
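The scanner below is an added example, not part of the rule author's work: it applies the same logic as the rule ($c0 present anywhere in the buffer) in plain Python for hosts without yara, reports each hit's offset together with the bytes that follow it so an analyst can compare them against the rest of the SB2 table in the specification, and shows that a single altered table byte is a false negative for a fixed-bytes signature. The sample buffers are constructed here, not captured from real files.

```python
# Added example: stand-alone scanner mirroring the ARIA_SB2 YARA rule's logic.
from dataclasses import dataclass

# $c0 from the rule: the leading 32 bytes of ARIA's second S-box (SB2).
ARIA_SB2_PREFIX = bytes.fromhex(
    "E24E54FC94C24ACC620D6A463C4D8BD1"
    "5EFA64CBB497BE2BBC772E03D31959C1"
)

@dataclass
class Hit:
    offset: int       # where the pattern starts in the scanned buffer
    following: bytes  # 16 bytes after it, to check against the rest of the table

def find_aria_sb2(data: bytes) -> list[Hit]:
    """Every occurrence of the SB2 prefix, like YARA's $c0 string match."""
    hits, start = [], 0
    while (idx := data.find(ARIA_SB2_PREFIX, start)) >= 0:
        end = idx + len(ARIA_SB2_PREFIX)
        hits.append(Hit(idx, data[end:end + 16]))
        start = idx + 1
    return hits

def matches_rule(data: bytes) -> bool:
    """The rule's condition `$c0`: true when the string occurs at least once."""
    return bool(find_aria_sb2(data))

def build_sample() -> bytes:
    """Constructed stand-in for a scanned file: sequential filler with the
    SB2 prefix embedded at offset 0x40 and again at 0x80."""
    filler = bytes(range(256))
    return filler[:0x40] + ARIA_SB2_PREFIX + b"\x00" * 0x20 + ARIA_SB2_PREFIX + filler

def build_modified_sample() -> bytes:
    """Constructed buffer with one byte of the table flipped: a copy stored or
    transformed differently is a false negative for a fixed-bytes rule."""
    altered = bytearray(ARIA_SB2_PREFIX)
    altered[0] ^= 0xFF
    filler = bytes(range(256))
    return filler[:0x40] + bytes(altered) + filler

if __name__ == "__main__":
    for hit in find_aria_sb2(build_sample()):
        print(f"ARIA SB2 prefix at 0x{hit.offset:x}, next bytes {hit.following.hex()}")
    print("modified sample matches:", matches_rule(build_modified_sample()))
```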
This rule contains one string pattern in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system maintenance or patching using Windows Server Update Services (WSUS)
Filter/Exclusion: Check for EventID=19013 (WSUS client event) or ProcessName=wsuapp.exe in the event log.
Scenario: Regular backup jobs using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName=vmbackup.exe or check for EventID=10001 (Veeam backup job start event).
Scenario: Administrative task to configure Aria SBox 2 itself (e.g., initial setup or configuration changes)
Filter/Exclusion: Filter by ProcessName=aria-sbox.exe or check for EventID=4624 with LogonType=10 (interactive logon).
Scenario: Log management tool like Splunk or ELK Stack performing log ingestion or indexing
Filter/Exclusion: Filter by ProcessName=splunkd.exe or ProcessName=java.exe with specific command-line arguments for log ingestion.
Scenario: Automated monitoring tool such as Nagios or Zabbix running health checks or alerts
Filter/Exclusion: Filter by ProcessName=nagios.exe or ProcessName=zabbix_agentd.exe or check for known monitoring tool command-line parameters.