Adversaries may use a hexed copy of Citadel malware disguised as nss3.dll to exploit Firefox versions greater than 23.0, leveraging the browser’s capabilities for persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution and mitigate advanced threat activity before it causes significant damage.
YARA Rule

rule Citadel_Malware
{
    meta:
        author = "[email protected]"
        date = "2015-10-08"
        description = "Search for nss3.dll pattern indicating an hexed copy of Citadel malware to work on firefox > v23.0"
        // May only the challenge guide you
    strings:
        $s1 = "Coded by BRIAN KREBS for personal use only. I love my job & wife" wide ascii
        $s2 = "nss3.dll" wide ascii
        $h1 = {8B C7 EB F5 55 8B EC}
        $h2 = {55 8B EC 83 EC 0C 8A 82 00 01 00 00}
        $h3 = {3D D0 FF 1F 03 77 ?? 83 7D}
        $h4 = {83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A}
    condition:
        all of ($s*) and 2 of ($h*)
}
The rule contains six string patterns in its detection logic: two text strings ($s1 and $s2) matched in both ASCII and wide (UTF-16LE) form, and four hex byte patterns ($h1 to $h4), two of which use ?? single-byte wildcards. A file matches only when both text strings and at least two of the four hex patterns are present, so the bare filename nss3.dll (a normal Firefox library name) is not enough on its own to trigger the rule.
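To make the condition `all of ($s*) and 2 of ($h*)` concrete, here is an added example (not part of the original page or the rule author's work) that re-implements the rule's matching logic in plain Python, without the yara module: hex patterns with `??` wildcards become byte regexes, text strings are checked in both ASCII and UTF-16LE form as the `wide ascii` modifiers require, and the condition is evaluated against three constructed buffers. The buffers are synthetic illustrations assembled from the rule's own patterns, not real Citadel samples.

```python
"""
Added example: a pure-Python re-implementation of the Citadel_Malware YARA
rule's matching logic, so the condition `all of ($s*) and 2 of ($h*)` can be
exercised offline. Not the page's or the rule author's code.
"""
import re

# Text strings from the rule, matched as `wide ascii`
TEXT_STRINGS = {
    "$s1": b"Coded by BRIAN KREBS for personal use only. I love my job & wife",
    "$s2": b"nss3.dll",
}

# Hex patterns from the rule; `??` is a one-byte wildcard
HEX_STRINGS = {
    "$h1": "8B C7 EB F5 55 8B EC",
    "$h2": "55 8B EC 83 EC 0C 8A 82 00 01 00 00",
    "$h3": "3D D0 FF 1F 03 77 ?? 83 7D",
    "$h4": "83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A",
}


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL below covers 0x0A)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


HEX_REGEXES = {name: hex_to_regex(p) for name, p in HEX_STRINGS.items()}


def text_string_present(data: bytes, s: bytes) -> bool:
    """`wide ascii`: hit on the raw ASCII form or its UTF-16LE encoding."""
    wide = s.decode("ascii").encode("utf-16-le")
    return s in data or wide in data


def match_citadel(data: bytes) -> dict:
    """
    Evaluate the rule against a buffer. Returns the identifiers that hit and
    whether `all of ($s*) and 2 of ($h*)` is satisfied.
    """
    s_hits = {n for n, s in TEXT_STRINGS.items() if text_string_present(data, s)}
    h_hits = {n for n, rx in HEX_REGEXES.items() if rx.search(data)}
    matched = len(s_hits) == len(TEXT_STRINGS) and len(h_hits) >= 2
    return {"matched": matched, "strings": sorted(s_hits | h_hits)}


# --- Constructed sample buffers (illustrative only, not real malware) ---

# Both text strings plus two hex patterns ($h1, and $h3 with its wildcard byte
# set to 0x12); $s2 is present only in wide form. Expected: match.
SAMPLE_HIT = (
    b"\x90" * 16
    + TEXT_STRINGS["$s1"] + b"\x00"
    + TEXT_STRINGS["$s2"].decode("ascii").encode("utf-16-le")
    + bytes.fromhex("8BC7EBF5558BEC")
    + bytes.fromhex("3DD0FF1F0377") + b"\x12" + bytes.fromhex("837D")
)

# Same text strings but only one hex pattern: `2 of ($h*)` fails.
SAMPLE_ONE_HEX = (
    TEXT_STRINGS["$s1"] + TEXT_STRINGS["$s2"] + bytes.fromhex("8BC7EBF5558BEC")
)

# A benign-looking buffer that merely names nss3.dll: no match.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 32 + b"nss3.dll" + b"\x00" * 32


if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("one_hex", SAMPLE_ONE_HEX), ("benign", SAMPLE_BENIGN)]:
        print(label, match_citadel(buf))
```

The third buffer is the point of the exercise: a file that only carries the nss3.dll name, as any legitimate Firefox installation does, never satisfies the rule, which is why the exclusion scenarios below are about tuning noise from where the file is seen rather than about weakening the byte patterns themselves.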
Scenario: Legitimate software update or patch deployment using Microsoft Update or WSUS that includes nss3.dll as part of a security update for Firefox or another browser.
Filter/Exclusion: Check for the presence of Microsoft or WSUS in the process or file metadata, or filter by file paths containing WindowsUpdate or SoftwareDistribution.
Scenario: Scheduled system cleanup or disk defragmentation task using Disk Cleanup or Defragment and Optimize Drives that temporarily accesses nss3.dll in system directories.
Filter/Exclusion: Exclude processes associated with cleanmgr.exe or dfrg.msc, or filter by file paths containing System32 or Temp.
Scenario: Security software or endpoint protection tool (e.g., Microsoft Defender, Kaspersky, or Bitdefender) performing a scan or quarantine operation that interacts with nss3.dll during analysis.
Filter/Exclusion: Filter by process names such as MsMpEng.exe, KavService.exe, or Bitdefender.exe, or check for known security tool file paths.
Scenario: Administrative task involving Group Policy Management Console (GPMC) or PowerShell scripting that modifies system settings and may reference nss3.dll in the process.
Filter/Exclusion: Exclude processes associated with gpmc.msc, gpedit.msc, or PowerShell scripts with known administrative tasks, or filter by user context (e.g., SYSTEM or Administrators).
Scenario: Development or testing environment where Firefox is used with a custom build or extension that includes nss3.dll for compatibility or testing purposes.
Filter/Exclusion: Filter by file paths containing DevTools, Testing, or `