The hunting hypothesis is that this detection rule identifies backdoors used by the Naikon APT to establish persistent access to compromised systems and exfiltrate data from them. SOC teams should hunt proactively for matches in Azure Sentinel so that early-stage APT activity is caught before lateral movement and data loss occur.
YARA Rule
rule Backdoor_Naikon_APT_Sample1 {
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
    strings:
        $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        $x2 = "greensky27.vicp.net" fullword ascii
        $x3 = "\\tempvxd.vxd.dll" fullword wide
        $x4 = "otna.vicp.net" fullword ascii
        $x5 = "smithking19.gicp.net" fullword ascii
        $s1 = "User-Agent: webclient" fullword ascii
        $s2 = "\\User.ini" fullword ascii
        $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $s4 = "\\UserProfile.dll" fullword wide
        $s5 = "Connection:Keep-Alive: %d" fullword ascii
        $s6 = "Referer: http://%s:%d/" fullword ascii
        $s7 = "%s %s %s %d %d %d " fullword ascii
        $s8 = "%s--%s" fullword wide
        $s9 = "Run File Success!" fullword wide
        $s10 = "DRIVE_REMOTE" fullword wide
        $s11 = "ProxyEnable" fullword wide
        $s12 = "\\cmd.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and
        (
            1 of ($x*) or 7 of ($s*)
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic: six high-confidence $x strings, any one of which is sufficient on its own, and twelve supporting $s strings, of which seven must co-occur in a file that starts with an MZ header and is smaller than 1000 KB.
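To make the condition concrete, the following is an added Python re-implementation of this rule's matching logic; it is not part of the page or of the rule author's tooling, and real scanning should use YARA itself. It evaluates the MZ header check, the 1000 KB size bound, ascii versus wide (UTF-16LE) encoding, the fullword qualifier (approximated for wide strings by inspecting the neighbouring UTF-16LE code unit) and the "1 of ($x*) or 7 of ($s*)" condition against constructed buffers that are not real samples.

```python
import re

# The rule's strings transcribed as (identifier, text, encoding, fullword).
RULE_STRINGS = [
    ("x0", "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1", "ascii", True),
    ("x1", "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1", "ascii", True),
    ("x2", "greensky27.vicp.net", "ascii", True), ("x3", "\\tempvxd.vxd.dll", "wide", True),
    ("x4", "otna.vicp.net", "ascii", True), ("x5", "smithking19.gicp.net", "ascii", True),
    ("s1", "User-Agent: webclient", "ascii", True), ("s2", "\\User.ini", "ascii", True),
    ("s3", "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200",
     "ascii", False),
    ("s4", "\\UserProfile.dll", "wide", True), ("s5", "Connection:Keep-Alive: %d", "ascii", True),
    ("s6", "Referer: http://%s:%d/", "ascii", True), ("s7", "%s %s %s %d %d %d ", "ascii", True),
    ("s8", "%s--%s", "wide", True), ("s9", "Run File Success!", "wide", True),
    ("s10", "DRIVE_REMOTE", "wide", True), ("s11", "ProxyEnable", "wide", True),
    ("s12", "\\cmd.exe", "wide", True),
]

def _pattern(text, encoding, fullword):
    """Compile one rule string: 'wide' means UTF-16LE bytes, and 'fullword' means no
    alphanumeric character may touch the match on either side (for wide strings the
    neighbouring UTF-16LE code unit is inspected, approximating YARA's check)."""
    needle = re.escape(text.encode("utf-16-le" if encoding == "wide" else "ascii"))
    if not fullword:
        return re.compile(needle)
    alnum = rb"[0-9A-Za-z]\x00" if encoding == "wide" else rb"[0-9A-Za-z]"
    return re.compile(rb"(?<!" + alnum + rb")" + needle + rb"(?!" + alnum + rb")")

def matched_strings(data):
    """Identifiers of every rule string present in the buffer."""
    return {ident for ident, text, enc, fw in RULE_STRINGS
            if _pattern(text, enc, fw).search(data)}

def rule_matches(data):
    """The rule's condition: MZ header, under 1000 KiB, then either one strong
    $x indicator or at least seven of the weaker $s indicators."""
    if data[:2] != b"MZ" or len(data) >= 1000 * 1024:  # uint16(0) == 0x5a4d, filesize < 1000KB
        return False
    hits = matched_strings(data)
    return any(h[0] == "x" for h in hits) or sum(h[0] == "s" for h in hits) >= 7

# Constructed buffers (not real samples): a fake PE stub carrying one $x string and
# one wide $s string, and a variant where the domain is glued to other letters so
# that 'fullword' correctly suppresses the match.
FAKE_PE = (b"MZ" + b"\x00" * 62 + b"greensky27.vicp.net\x00\x00"
           + "Run File Success!".encode("utf-16-le") + b"\x00\x00")
FAKE_PE_GLUED = b"MZ" + b"\x00" * 62 + b"xgreensky27.vicp.netx\x00"
```

Running `rule_matches(FAKE_PE)` returns True on the single $x2 hit, while `FAKE_PE_GLUED` returns False because the fullword qualifier rejects the domain embedded in a longer token.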
Scenario: Legitimate scheduled system maintenance task
Description: A system maintenance script (e.g., schtasks.exe) is running a legitimate cleanup job that uses a file name or string matching the Naikon APT YARA rule.
Filter/Exclusion: Check for ProcessName == "schtasks.exe" and CommandLine contains " /create" or " /run", or filter by known maintenance task names (e.g., TaskName == "SystemMaintenance").
Scenario: Admin using PowerShell for remote management
Description: An administrator is using PowerShell (e.g., powershell.exe) to remotely manage a system, and the script includes a string that matches the Naikon APT YARA rule.
Filter/Exclusion: Filter by ProcessName == "powershell.exe" and check for User == "Administrator" or CommandLine contains " -Command" with known admin scripts.
Scenario: Email gateway processing legitimate attachments
Description: The email gateway (e.g., Microsoft Exchange Online, Symantec Email Security) is scanning a legitimate attachment (e.g., a .zip file) that contains a file matching the Naikon APT YARA rule.
Filter/Exclusion: Filter by EmailClient == "Microsoft.Exchange" or EmailAction == "Quarantined", and check for AttachmentType == "ZIP" or Sender in TrustedDomains.
Scenario: File share backup job using a known tool
Description: A backup job (e.g., wbadmin.exe, vssadmin.exe) is running and the backup file contains a string that matches the Naikon APT YARA rule.
Filter/Exclusion: Filter by ProcessName == "wbadmin.exe" or ProcessName == "vssadmin.exe", and check for `