The GROK keylogger, associated with the Equation Group, likely captures sensitive user input through stealthy, persistent execution in the Azure environment. SOC teams should proactively hunt for this behavior to identify long-term data exfiltration and advanced persistent threat activity.
YARA Rule
rule Equation_Kaspersky_GROK_Keylogger
{
    meta:
        description = "Equation Group Malware - GROK keylogger"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
    strings:
        $mz = { 4d 5a }
        $s0 = "c:\\users\\rmgree5\\" ascii
        $s1 = "msrtdv.sys" fullword wide

        $x1 = "svrg.pdb" fullword ascii
        $x2 = "W32pServiceTable" fullword ascii
        $x3 = "In forma" fullword ascii
        $x4 = "ReleaseF" fullword ascii
        $x5 = "criptor" fullword ascii
        $x6 = "astMutex" fullword ascii
        $x7 = "ARASATAU" fullword ascii
        $x8 = "R0omp4ar" fullword ascii

        $z1 = "H.text" fullword ascii
        $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
    condition:
        ( $mz at 0 ) and filesize < 250000 and
        (
            $s0 or ( $s1 and 6 of ($x*) ) or ( 6 of ($x*) and all of ($z*) )
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
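The condition above has three independent OR branches gated by the MZ header and the size limit, and it is easy to misread which combination of strings is enough for a hit. The following Python is an added example (not the rule author's code, not part of the original page, and not a substitute for running the rule in YARA itself) that re-implements the condition so each branch can be exercised on constructed byte buffers without yara-python installed. It assumes a simplified model of YARA's fullword and wide semantics: fullword means no alphanumeric character directly before or after the match, and wide strings are UTF-16LE with the neighbouring character checked as a two-byte unit. The sample buffers are constructed here and are just the rule's own strings laid out with NUL separators; they are not malware.

```python
"""Reference evaluator for the Equation_Kaspersky_GROK_Keylogger condition.

Added example: re-implements the rule's condition in plain Python so the
three OR branches can be exercised on constructed buffers. The fullword and
wide handling is a simplified approximation of YARA's semantics (assumption).
"""
import re

ALNUM = rb"[A-Za-z0-9]"
FILESIZE_LIMIT = 250000  # "filesize < 250000" in the rule


def _pattern(text: str, wide: bool, fullword: bool) -> re.Pattern:
    """Build a regex for one rule string with its modifiers."""
    needle = text.encode("utf-16le") if wide else text.encode("ascii")
    body = re.escape(needle)
    if fullword:
        # fullword: no alphanumeric character directly before or after.
        # For wide strings a character is two bytes (char, 0x00).
        before = rb"(?<!" + ALNUM + rb"\x00)" if wide else rb"(?<!" + ALNUM + rb")"
        after = rb"(?!" + ALNUM + rb"\x00)" if wide else rb"(?!" + ALNUM + rb")"
        body = before + body + after
    return re.compile(body)


# (text, wide, fullword) exactly as declared in the rule
S_STRINGS = {
    "$s0": ("c:\\users\\rmgree5\\", False, False),
    "$s1": ("msrtdv.sys", True, True),
}
X_STRINGS = {  # all "fullword ascii"
    "$x1": "svrg.pdb", "$x2": "W32pServiceTable", "$x3": "In forma",
    "$x4": "ReleaseF", "$x5": "criptor", "$x6": "astMutex",
    "$x7": "ARASATAU", "$x8": "R0omp4ar",
}
Z_STRINGS = {  # (text, wide); all fullword
    "$z1": ("H.text", False),
    "$z2": ("\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion", True),
    "$z4": ("\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment", True),
}


def matched_ids(data: bytes) -> set:
    """Return the identifiers of every rule string found in data."""
    found = set()
    for name, (text, wide, fullword) in S_STRINGS.items():
        if _pattern(text, wide, fullword).search(data):
            found.add(name)
    for name, text in X_STRINGS.items():
        if _pattern(text, False, True).search(data):
            found.add(name)
    for name, (text, wide) in Z_STRINGS.items():
        if _pattern(text, wide, True).search(data):
            found.add(name)
    return found


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition as written, branch by branch."""
    if data[:2] != b"MZ" or len(data) >= FILESIZE_LIMIT:
        return False  # "$mz at 0" or "filesize < 250000" failed
    found = matched_ids(data)
    # "6 of ($x*)" counts distinct strings matched, not occurrences
    x_hits = sum(1 for name in X_STRINGS if name in found)
    all_z = all(name in found for name in Z_STRINGS)
    return ("$s0" in found) or ("$s1" in found and x_hits >= 6) or (x_hits >= 6 and all_z)


# --- constructed samples: the rule's strings in a buffer, not real files ---
def _build(*parts: bytes, mz: bool = True, pad_to: int = 0) -> bytes:
    header = b"MZ" if mz else b"ZM"
    # two NULs between parts so ascii and wide fullword boundaries both hold
    body = header + b"\x00" * 62 + b"\x00\x00".join(parts) + b"\x00\x00"
    return body.ljust(pad_to, b"\x00") if pad_to else body


def _wide(s: str) -> bytes:
    return s.encode("utf-16le")


X_TOKENS = [t.encode("ascii") for t in X_STRINGS.values()]
Z_TOKENS = [b"H.text", _wide(Z_STRINGS["$z2"][0]), _wide(Z_STRINGS["$z4"][0])]

SAMPLE_S0_PATH = _build(b"c:\\users\\rmgree5\\")                       # branch 1
SAMPLE_S1_PLUS_X = _build(_wide("msrtdv.sys"), *X_TOKENS[:6])           # branch 2
SAMPLE_X_PLUS_Z = _build(*X_TOKENS[:6], *Z_TOKENS)                      # branch 3
SAMPLE_TOO_FEW_X = _build(_wide("msrtdv.sys"), *X_TOKENS[:5])           # only 5 of $x*
SAMPLE_NO_MZ = _build(b"c:\\users\\rmgree5\\", mz=False)                # header check fails
SAMPLE_TOO_BIG = _build(b"c:\\users\\rmgree5\\", pad_to=FILESIZE_LIMIT)  # size check fails

if __name__ == "__main__":
    for label, sample in [("s0 path", SAMPLE_S0_PATH), ("s1 + 6 x", SAMPLE_S1_PLUS_X),
                          ("6 x + all z", SAMPLE_X_PLUS_Z), ("5 x only", SAMPLE_TOO_FEW_X),
                          ("no MZ", SAMPLE_NO_MZ), ("too big", SAMPLE_TOO_BIG)]:
        print(f"{label:12} match={rule_matches(sample)} strings={sorted(matched_ids(sample))}")
```

Two details the evaluator makes visible: a file of exactly 250000 bytes is excluded, because the rule uses a strict less-than, and the third branch requires all three $z strings even though the rule declares no $z3, so "all of ($z*)" means $z1, $z2 and $z4. When triaging a hit, `matched_ids` shows which branch fired; a match on $s0 alone (the developer path) is a much weaker indicator than six $x strings together with the wide registry paths.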
Scenario: System Maintenance Task Using wbemtest
Description: A system administrator uses wbemtest to troubleshoot Windows Management Instrumentation (WMI) issues.
Filter/Exclusion: Exclude processes initiated by wbemtest or check for known legitimate WMI diagnostic tools.

Scenario: Scheduled Job for Log Collection Using logman
Description: A scheduled task runs logman to collect system logs for compliance or monitoring purposes.
Filter/Exclusion: Exclude processes with logman as the parent process or filter by known log collection tools.

Scenario: Admin Task Using reg.exe to Modify Registry Settings
Description: An administrator uses reg.exe to configure registry keys for application settings or policy changes.
Filter/Exclusion: Exclude processes where the user is a domain admin or where the registry path is known to be used by legitimate tools.

Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script runs under powershell.exe to monitor system performance or collect metrics.
Filter/Exclusion: Exclude processes with a known legitimate script path or check for script signing and authorship.

Scenario: Antivirus or EDR Tool Performing File Scanning
Description: An endpoint protection tool like Bitdefender or CrowdStrike runs a scan and interacts with system files.
Filter/Exclusion: Exclude processes associated with known EDR or antivirus vendors or check for process parentage to these tools.