The Dexter Trojan is leveraging HTTP-based communication to exfiltrate data and establish command and control, indicating potential data theft and persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
rule Dexter_Malware
{
    meta:
        description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
        author = "Florian Roth"
        reference = "http://goo.gl/oBvy8b"
        date = "2015/02/10"
        score = 70
    strings:
        $s0 = "Java Security Plugin" fullword wide
        $s1 = "%s\\%s\\%s.exe" fullword wide
        $s2 = "Sun Java Security Plugin" fullword wide
        $s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
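As an added example (not part of the original page or of the rule's author's tooling), the following Python re-implements the matching semantics the rule relies on, namely the fullword wide modifier and the all of them condition, and exercises them against constructed sample buffers so the rule's behaviour can be checked without yara-python; the sample bytes are fabricated for illustration and are not taken from a real Dexter binary.

```python
import re

# The four strings exactly as the Dexter_Malware rule declares them, with YARA's
# backslash escapes already resolved into the literal characters.
DEXTER_STRINGS = {
    "$s0": "Java Security Plugin",
    "$s1": "%s\\%s\\%s.exe",
    "$s2": "Sun Java Security Plugin",
    "$s3": "\\Internet Explorer\\iexplore.exe",
}

# A UTF-16LE alphanumeric character: an ASCII letter or digit followed by 0x00.
_ALNUM_WIDE = rb"[A-Za-z0-9]\x00"


def wide_fullword_pattern(text: str) -> re.Pattern:
    """Approximate YARA's 'fullword wide': the string must occur UTF-16LE encoded
    and must not be directly preceded or followed by an alphanumeric wide char."""
    encoded = re.escape(text.encode("utf-16-le"))
    return re.compile(rb"(?<!" + _ALNUM_WIDE + rb")" + encoded + rb"(?!" + _ALNUM_WIDE + rb")")


PATTERNS = {name: wide_fullword_pattern(s) for name, s in DEXTER_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Identifiers of the rule's strings that occur in data."""
    return {name for name, pat in PATTERNS.items() if pat.search(data)}


def dexter_rule_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must be present."""
    return matched_strings(data) == set(DEXTER_STRINGS)


def wide(*parts: str) -> bytes:
    """Constructed sample: UTF-16LE strings separated by a wide NUL, roughly how
    they would sit in a PE string table. Not bytes from a real sample."""
    return b"\x00\x00".join(p.encode("utf-16-le") for p in parts)


# Constructed positive: all four strings, wide-encoded and word-bounded.
SAMPLE_HIT = wide(*DEXTER_STRINGS.values())
# Constructed negative: identical text but ASCII, so 'wide' matches nothing.
SAMPLE_ASCII = b"\x00".join(s.encode("ascii") for s in DEXTER_STRINGS.values())
# Constructed negative: $s1 is glued to a following letter and fails 'fullword';
# $s0 still matches inside $s2 because a space is not alphanumeric.
SAMPLE_GLUED = wide("Sun Java Security Plugin", "%s\\%s\\%s.exeX",
                    "\\Internet Explorer\\iexplore.exe")

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("ascii", SAMPLE_ASCII), ("glued", SAMPLE_GLUED)):
        print(label, sorted(matched_strings(blob)), dexter_rule_matches(blob))
```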
Scenario: A system administrator is using PowerShell to remotely manage a server and inadvertently executes a script that matches the Dexter Trojan's signature.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Invoke-Command or Enter-PSSession with known admin credentials.

Scenario: A scheduled job runs a legitimate script that uses curl or wget to download a file from a URL that matches the Dexter Trojan's domain.
Filter/Exclusion: Exclude events where the process is schtasks.exe or the Task Scheduler and the URL is associated with a known internal or trusted external repository.

Scenario: A security tool such as OSSEC or Tripwire performs a system integrity check and generates a log entry that resembles Dexter's network activity.
Filter/Exclusion: Exclude events where the process is ossec.exe or tripwire and the log entry is related to a known integrity check or baseline comparison.

Scenario: A backup tool such as Veeam or Commvault uploads data to a cloud storage service, which results in a network connection that matches Dexter's C2 pattern.
Filter/Exclusion: Exclude events where the process is veeam.exe or commvault.exe and the destination IP is within a known cloud storage provider's IP range.

Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) task triggers a network connection to a server that is flagged by the rule due to similar traffic patterns.
Filter/Exclusion: Exclude events where the process is wuauclt.exe or mmclient.exe and the destination is a known Microsoft update server or endpoint management service.