Strings used by Glasses

Hunt Hypothesis

The detection rule identifies potential adversary activity by monitoring for suspicious strings associated with the “Glasses” malware, which may indicate initial compromise or command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage threats that could evade traditional detection methods.

YARA Rule

rule GlassesStrings : Glasses Family
{
    meta:
        description = "Strings used by Glasses"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
        
    strings:
        $ = "thequickbrownfxjmpsvalzydg"
        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
        $ = "\" target=\"NewRef\"></a>"
 
    condition:
        all of them

}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: Scheduled Maintenance Task Using “Glasses” in Script
  Description: A system maintenance script, such as cron job or Windows Task Scheduler, uses the term “Glasses” in a script name or log message for internal tracking.
  Filter/Exclusion: Exclude processes or logs where the string “Glasses” appears in script names or in the context of scheduled maintenance tasks (e.g., script_name LIKE '%Glasses%' AND process_name NOT LIKE '%scheduler%').

• Scenario: Admin Task for User “Glasses”
  Description: An administrator is performing a user management task for a user named “Glasses” (e.g., password reset, account lockout, or group membership change).
  Filter/Exclusion: Exclude events where the username “Glasses” is involved in administrative actions (e.g., username = 'Glasses' AND event_type != 'login').

• Scenario: Log File Rotation Using “Glasses” in Filename
  Description: A log rotation tool (e.g., logrotate, rsyslog, or logrotate.conf) generates log files with names containing “Glasses” as part of a naming convention.
  Filter/Exclusion: Exclude log files where the filename includes “Glasses” and the process is related to log rotation (e.g., process_name LIKE '%logrotate%' OR process_name LIKE '%rsyslog%').

• Scenario: Database Backup Script Named “Glasses_Backup.sh”
  Description: A database backup script named “Glasses_Backup.sh” is executed as part of a regular backup process.
  Filter/Exclusion: Exclude processes where the script name contains “Glasses” and the execution is part of a known backup process (e.g., `script_name LIKE ‘%Glasses_Backup.sh%’ AND command_line LIKE