The Corkow DLL files are indicative of potential adversary activity, as they are often used in malware deployment and persistence mechanisms. SOC teams should proactively hunt for these files in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule CorkowDLL
{
    meta:
        description = "Rule to detect the Corkow DLL files"
        reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
    strings:
        $mz = { 4d 5a }
        $binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3}
        $binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00}
        $export1 = "Control_RunDLL"
        $export2 = "ServiceMain"
        $export3 = "DllGetClassObject"
    condition:
        ($mz at 0) and ($binary1 and $binary2) and any of ($export*)
}
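As an added example (not part of the original page or of Group-IB's rule), the Python below translates the rule's two hex strings into byte regexes so that each of the six strings and the overall condition can be evaluated against a buffer without a YARA engine; this shows how the ?? wildcards, [a-b] jumps and the (..|..) alternation in $binary1 and $binary2 behave. The sample buffers are constructed here to exercise those features and are not real Corkow data; the translator supports only the hex-string syntax this rule uses.

```python
import re

# Strings copied from the CorkowDLL rule above.
BINARY1 = "60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3"
BINARY2 = "(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00"
EXPORTS = {"$export1": b"Control_RunDLL", "$export2": b"ServiceMain", "$export3": b"DllGetClassObject"}

# One token of YARA hex-string syntax: whitespace, a byte, a full-byte wildcard, a jump
# [min-max], or an alternation delimiter. Nibble wildcards (e.g. F?) are not used by this
# rule and are rejected rather than silently mis-parsed.
TOKEN = re.compile(r"\s+|[0-9A-Fa-f]{2}|\?\?|\[(\d+)-(\d+)\]|[()|]")

def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into an equivalent regex over bytes."""
    out, pos = [], 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"unsupported hex-string token at {pos}: {pattern[pos:pos + 4]!r}")
        tok, pos = m.group(0), m.end()
        if tok.isspace():
            continue
        if tok == "??":
            out.append(b".")                                        # any single byte
        elif m.group(1) is not None:
            out.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))  # jump
        elif tok in "()|":
            out.append(tok.encode())                                # alternation
        else:
            out.append(b"\\x%02x" % int(tok, 16))                   # literal byte
    return re.compile(b"".join(out), re.DOTALL)

def evaluate(data: bytes) -> dict:
    """Report each of the rule's six strings plus the overall condition."""
    hits = {"$mz": data.startswith(b"MZ"),                          # ($mz at 0)
            "$binary1": hex_to_regex(BINARY1).search(data) is not None,
            "$binary2": hex_to_regex(BINARY2).search(data) is not None}
    hits.update({name: sig in data for name, sig in EXPORTS.items()})
    hits["CorkowDLL"] = (hits["$mz"] and hits["$binary1"] and hits["$binary2"]
                         and any(hits[n] for n in EXPORTS))
    return hits

# Constructed test buffers, not real samples: SAMPLE carries both code fragments (with a few
# jump bytes filled in) and one export name; BENIGN has only an MZ header and an export.
SAMPLE = (b"MZ" + b"\x00" * 30
          + bytes.fromhex("60 90 9C BB 01 02 03 04 81 EB 05 06 07 08 E8 AA 00 00 00 58 90 90 2B C3")
          + b"\x00" * 16
          + bytes.fromhex("53 FF 75 10 FF 75 0C FF 75 08 E8 01 02 03 04 90 90 90 C9 C2 0C 00")
          + b"\x00" * 16 + b"ServiceMain\x00")
BENIGN = b"MZ" + b"\x00" * 64 + b"DllGetClassObject\x00"
```

Calling evaluate(SAMPLE) reports all three mandatory strings and $export2 as hits, while evaluate(BENIGN) shows that an export name alone does not satisfy the condition.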
This rule contains 6 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts; each scenario describes the legitimate activity that may trigger it and a filter or exclusion to reduce false positives:
Scenario: Legitimate system update or patching process
Description: A system update or patching process may include the Corkow DLL as part of a legitimate software update or service pack.
Filter/Exclusion: Check the file’s digital signature and compare its hash against known good hashes from trusted vendors (e.g., Microsoft, Adobe).
Scenario: Scheduled job running a legitimate diagnostic tool
Description: A scheduled job may execute a diagnostic or maintenance tool that includes the Corkow DLL as part of its operation (e.g., Microsoft System File Checker or third-party system diagnostics).
Filter/Exclusion: Filter by process name or parent process, such as sfc.exe or msdt.exe.
Scenario: Admin task using a legitimate third-party application
Description: An administrator may use a third-party application (e.g., VMware Tools, Citrix Receiver) that includes the Corkow DLL as part of its installation or runtime.
Filter/Exclusion: Exclude files located in known application directories (e.g., C:\Program Files\VMware\, C:\Program Files\Citrix\).
Scenario: Antivirus or endpoint protection software
Description: Some antivirus or endpoint protection software may include the Corkow DLL as part of its runtime or during a scan.
Filter/Exclusion: Filter by process name such as avgnt.exe, mcafee.exe, or bitdefender.exe.
Scenario: User-initiated software installation
Description: A user may install a legitimate software package (e.g., Adobe Acrobat Reader, Microsoft Office) that includes the Corkow DLL as part of its installation.
Filter/Exclusion: Exclude files created during user-initiated installations, or filter by user context (e.g., User instead of System).