Adversaries may use this spyware to exfiltrate sensitive data and maintain long-term persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches and stealthy malware activity.
YARA Rule
rule Atmos_Malware
{
    meta:
        description = "Generic Spyware.Citadel.Atmos Signature"
        author = "[email protected]"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "20/08/2016"
        // May only the challenge guide you

    strings:
        // Check for the presence of MZ and the kutuzov license identifier
        $MZ = {4D 5A}
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii

        // TokenSpy identifiers
        $TS1 = "X-TS-Rule-Name: %s" wide ascii
        $TS2 = "X-TS-Rule-PatternID: %u" wide ascii
        $TS3 = "X-TS-BotID: %s" wide ascii
        $TS4 = "X-TS-Domain: %s" wide ascii
        $TS5 = "X-TS-SessionID: %s" wide ascii
        $TS6 = "X-TS-Header-Cookie: %S" wide ascii
        $TS7 = "X-TS-Header-Referer: %S" wide ascii
        $TS8 = "X-TS-Header-AcceptEncoding: %S" wide ascii
        $TS9 = "X-TS-Header-AcceptLanguage: %S" wide ascii
        $TS10 = "X-TS-Header-UserAgent: %S" wide ascii

        // Hidden VNC identifiers
        $VNC1 = "_hvnc_init@4" wide ascii
        $VNC2 = "_hvnc_uninit@0" wide ascii
        $VNC3 = "_hvnc_start@8" wide ascii
        $VNC4 = "_hvnc_stop@0" wide ascii
        $VNC5 = "_hvnc_wait@0" wide ascii
        $VNC6 = "_hvnc_work@0" wide ascii

        // Browser identifiers
        $WB1 = "nspr4.dll" wide ascii
        $WB2 = "nss3.dll" wide ascii
        $WB3 = "chrome.dll" wide ascii
        $WB4 = "Internet Explorer" wide ascii
        $WB5 = "Firefox" wide ascii
        $WB6 = "Chrome" wide ascii

    condition:
        ($MZ at 0 and $LKEY) and ( (5 of ($TS*) and all of ($WB*)) or (3 of ($VNC*) and all of ($WB*)) )
        and filesize < 300KB // Standard size (raw from builder) should be around ~264KB
        // Remove the above line if you also want to trigger on memory dumps, etc.
}
This YARA rule can be deployed in the following contexts:
This rule contains 24 string patterns in its detection logic.
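To see exactly what the condition above needs before it fires (MZ at offset 0, the license key, the TokenSpy or hVNC branch together with every browser marker, and the size cap), here is the rule's logic re-implemented in plain Python as an added example; it is not code from the original post and not a YARA engine. The sample buffers are constructed, and the helper names (atmos_match, build_sample) are my own.

```python
# Pure-Python emulation of the Atmos_Malware condition (added example, not the
# post's code). 'wide ascii' means a string matches in ASCII or UTF-16LE form.
LKEY = "533D9226E4C1CE0A9815DBEB19235AE4"
TS = ["X-TS-Rule-Name: %s", "X-TS-Rule-PatternID: %u", "X-TS-BotID: %s",
      "X-TS-Domain: %s", "X-TS-SessionID: %s", "X-TS-Header-Cookie: %S",
      "X-TS-Header-Referer: %S", "X-TS-Header-AcceptEncoding: %S",
      "X-TS-Header-AcceptLanguage: %S", "X-TS-Header-UserAgent: %S"]
VNC = ["_hvnc_init@4", "_hvnc_uninit@0", "_hvnc_start@8",
       "_hvnc_stop@0", "_hvnc_wait@0", "_hvnc_work@0"]
WB = ["nspr4.dll", "nss3.dll", "chrome.dll", "Internet Explorer", "Firefox", "Chrome"]
MAX_SIZE = 300 * 1024  # the rule's "filesize < 300KB"

def present(data: bytes, s: str) -> bool:
    """Emulates the 'wide ascii' modifiers: ASCII bytes or UTF-16LE bytes."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data

def count(data: bytes, strings) -> int:
    return sum(present(data, s) for s in strings)

def atmos_match(data: bytes) -> dict:
    """Evaluate the rule condition and report which branch satisfied it."""
    mz = data[:2] == b"MZ"                 # $MZ at 0
    lkey = present(data, LKEY)             # $LKEY
    ts, vnc, wb = count(data, TS), count(data, VNC), count(data, WB)
    tokenspy = ts >= 5 and wb == len(WB)   # 5 of ($TS*) and all of ($WB*)
    hvnc = vnc >= 3 and wb == len(WB)      # 3 of ($VNC*) and all of ($WB*)
    size_ok = len(data) < MAX_SIZE
    return {"match": mz and lkey and (tokenspy or hvnc) and size_ok,
            "tokenspy": tokenspy, "hvnc": hvnc, "ts": ts, "vnc": vnc,
            "wb": wb, "size_ok": size_ok}

def build_sample(wide: bool, with_lkey: bool = True, pad: int = 0) -> bytes:
    """Constructed test buffer: MZ stub plus marker strings, ASCII or UTF-16LE."""
    enc = "utf-16-le" if wide else "ascii"
    parts = [s.encode(enc) for s in TS[:5] + WB + ([LKEY] if with_lkey else [])]
    return b"MZ\x90\x00" + b"\x00".join(parts) + b"\x00" * pad

if __name__ == "__main__":
    cases = [("ascii sample", build_sample(False)),
             ("wide sample", build_sample(True)),
             ("no license key", build_sample(True, with_lkey=False)),
             ("oversized (dump)", build_sample(True, pad=MAX_SIZE))]
    for label, buf in cases:
        print(f"{label:18} -> {atmos_match(buf)}")
```

The last case shows why the post suggests dropping the filesize line for memory dumps: every string is present, but the size cap alone blocks the match.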
Scenario: Legitimate scheduled system cleanup task using CCleaner
Filter/Exclusion: Exclude processes where the executable path contains C:\Program Files\CCleaner\ccleaner.exe or similar known legitimate paths.
Scenario: Admin performing a Windows Update or Group Policy refresh
Filter/Exclusion: Exclude processes with the command line containing wuauclt.exe or gpupdate.exe, or where the parent process is services.exe or taskhost.exe.
Scenario: Running Microsoft Endpoint Detection and Response (EDR) or Microsoft Defender signature updates
Filter/Exclusion: Exclude processes where the executable path includes C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and the command line includes -Command "Update-MpSignature" or similar EDR-related commands.
Scenario: Executing a third-party backup tool like Veeam or Acronis
Filter/Exclusion: Exclude processes with the executable path containing C:\Program Files\Veeam\Backup\veeam.exe or similar paths for known backup tools.
Scenario: Running a custom script or job for log rotation or data archiving
Filter/Exclusion: Exclude processes where the command line includes logrotate.exe or rsync.exe and the parent process is a known system service or scheduled task.