The hypothesis is that this detection identifies a potential APT actor using the HttpBrowser RAT dropper associated with Threat Group 3390, a tool commonly used for initial compromise and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to deeper network infiltration.
YARA Rule
rule HttpBrowser_RAT_dropper_Gen2
{
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 70
        hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
        hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
    strings:
        $s1 = "navlu.dll.urlUT" fullword ascii
        $s2 = "VPDN_LU.exeUT" fullword ascii
        $s3 = "pnipcn.dllUT" fullword ascii
        $s4 = "\\ssonsvr.exe" fullword ascii
        $s5 = "/c del /q %s" fullword ascii
        $s6 = "\\setup.exe" fullword ascii
        $s7 = "msi.dllUT" fullword ascii
        $op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
        $op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */
        $op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */
        $op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */
        $op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
}
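As an added example (not the page's or Florian Roth's code, and not a replacement for the YARA engine), the following Python re-implements the rule's condition over raw bytes so the MZ-header check, the filesize bound, YARA's fullword semantics and the "3 of ($s*) and 1 of ($op*)" counting can be traced step by step. The sample buffers are constructed here and contain only the rule's own strings and opcode bytes, not a real sample.

```python
"""Stand-alone evaluation of the HttpBrowser_RAT_dropper_Gen2 condition.
Added example: not the rule author's code and not libyara; the sample
buffers below are constructed for illustration."""
import re
from typing import Dict, List

# The seven ASCII strings from the rule.  YARA's "\\" is one backslash.
ASCII_STRINGS: Dict[str, bytes] = {
    "$s1": b"navlu.dll.urlUT",
    "$s2": b"VPDN_LU.exeUT",
    "$s3": b"pnipcn.dllUT",
    "$s4": b"\\ssonsvr.exe",
    "$s5": b"/c del /q %s",
    "$s6": b"\\setup.exe",
    "$s7": b"msi.dllUT",
}

# The five opcode patterns from the rule, converted from YARA hex syntax.
OPCODE_STRINGS: Dict[str, bytes] = {
    "$op0": bytes.fromhex("8b 45 0c 83 38 00 0f 84 98"),
    "$op1": bytes.fromhex("e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40"),
    "$op2": bytes.fromhex("83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d"),
    "$op3": bytes.fromhex("c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00"),
    "$op4": bytes.fromhex("6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01"),
}

MAX_FILESIZE = 400 * 1024  # YARA's "400KB" means 400 * 1024 bytes


def fullword_match(needle: bytes, haystack: bytes) -> bool:
    """YARA `fullword`: the occurrence may not be preceded or followed by an
    alphanumeric byte.  Regex lookarounds express exactly that."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, haystack) is not None


def matched_strings(data: bytes) -> List[str]:
    """Identifiers of every $s* (fullword) and $op* (raw) string found."""
    hits = [n for n, s in ASCII_STRINGS.items() if fullword_match(s, data)]
    hits += [n for n, s in OPCODE_STRINGS.items() if s in data]
    return hits


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)"""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:  # "MZ"
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    hits = matched_strings(data)
    n_ascii = sum(h.startswith("$s") for h in hits)
    n_op = sum(h.startswith("$op") for h in hits)
    return n_ascii >= 3 and n_op >= 1


# --- constructed sample buffers (not real files) -------------------------
# Three fullword strings plus one opcode sequence inside an MZ-headed blob.
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 64
    + b"\x00msi.dllUT\x00"
    + b"\x00\\setup.exe\x00"
    + b"\x00/c del /q %s\x00"
    + OPCODE_STRINGS["$op0"]
    + b"\x00" * 32
)
# Same bytes, but "msi.dllUT" sits inside a longer alphanumeric token, so
# fullword fails and only two $s strings count: the rule must not fire.
SAMPLE_MISS_FULLWORD = SAMPLE_HIT.replace(b"\x00msi.dllUT\x00", b"Xmsi.dllUTX")
# All strings present but no MZ header (e.g. a report quoting the IoCs).
SAMPLE_MISS_HEADER = b"PK" + SAMPLE_HIT[2:]

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT),
                        ("miss_fullword", SAMPLE_MISS_FULLWORD),
                        ("miss_header", SAMPLE_MISS_HEADER)]:
        print(f"{label:14s} strings={matched_strings(blob)} "
              f"match={rule_matches(blob)}")
```

The fullword case is the one most often misjudged when a rule is ported to another engine: a string embedded in a longer identifier does not count, which is why the second buffer drops to two $s hits and fails the "3 of" clause even though the bytes are all present.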
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic: seven fullword ASCII strings ($s1 to $s7) and five opcode byte sequences ($op0 to $op4). A file matches only when it starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 400 KB, and contains at least three of the ASCII strings together with at least one of the opcode sequences.
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job (e.g., Task Scheduler or cron job) runs a script that contains obfuscated PowerShell or CMD commands, which may trigger the detection due to similar string patterns.
Filter/Exclusion: Check for CommandLine containing known legitimate job names or paths (e.g., C:\Windows\System32\TaskSchd.exe, C:\Windows\System32\taskhost.exe) or use ProcessName to exclude known job execution hosts.
Scenario: Admin Performing System Cleanup via PowerShell
Description: An administrator uses PowerShell to clean up temporary files or registry entries, and the script includes base64 or encoded strings that resemble malicious payloads.
Filter/Exclusion: Filter by ProcessName to exclude powershell.exe when executed by a known admin account (e.g., NT AUTHORITY\SYSTEM), or check for CommandLine containing cleanup-related keywords like Cleanup-System, Remove-Item, or Clear-Item.
Scenario: Deployment of a Legitimate Browser Extension
Description: A legitimate browser extension (e.g., uBlock Origin, AdGuard) is being installed or updated, and the installer or update script contains obfuscated code that matches the YARA rule.
Filter/Exclusion: Use ProcessName to exclude known browser installers (e.g., chrome_installer.exe, adguard_installer.exe) or check for CommandLine containing known extension names or update URLs.
Scenario: Internal Tool for Browser Automation
Description: A company-developed internal tool (e.g., Browser Automation Tool, WebTestRunner) is used to automate browser interactions, and the tool’s binary or script contains code that matches the YARA rule.
Filter/Exclusion:
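As an added example that is not part of the original page, the following Python applies the exclusion filters named in the scheduled-job, admin-cleanup and browser-installer scenarios above to alert records carrying ProcessName, CommandLine and Account fields (the fourth scenario's filter is not given on the page, so it is not implemented). The Alert record shape, the allow-lists and the sample alerts are all constructed here; the process paths and keywords are the ones the scenarios list.

```python
"""Triage helper for HttpBrowser_RAT_dropper_Gen2 alerts.
Added example, not the page's own code; record shape and samples are
constructed.  Allow-lists mirror the scenarios on the page."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    host: str
    process_path: str   # full path of the process (ProcessName on the page)
    command_line: str   # CommandLine on the page
    account: str        # account the process ran as


# Scenario 1: known scheduled-job execution hosts.  Matched on the full
# path, case-insensitively, so a same-named binary elsewhere is still triaged.
JOB_HOSTS = {
    r"c:\windows\system32\taskschd.exe",
    r"c:\windows\system32\taskhost.exe",
}
# Scenario 2: cleanup keywords and admin account from the page.
CLEANUP_KEYWORDS = ("cleanup-system", "remove-item", "clear-item")
ADMIN_ACCOUNTS = {r"nt authority\system"}
# Scenario 3: known browser / extension installers.
BROWSER_INSTALLERS = {"chrome_installer.exe", "adguard_installer.exe"}


def exclusion_reason(a: Alert) -> Optional[str]:
    """Return the scenario that explains the alert as benign, or None when
    it still needs an analyst.  Checked from most to least specific."""
    path = a.process_path.lower()
    name = path.rsplit("\\", 1)[-1]
    cmd = a.command_line.lower()

    if path in JOB_HOSTS:
        return "scheduled-job host"
    if name == "powershell.exe" and (
        a.account.lower() in ADMIN_ACCOUNTS
        or any(k in cmd for k in CLEANUP_KEYWORDS)
    ):
        return "admin cleanup via PowerShell"
    if name in BROWSER_INSTALLERS:
        return "browser extension installer"
    return None


def triage(alerts: List[Alert]) -> List[Alert]:
    """Alerts that survive every exclusion and still require review."""
    return [a for a in alerts if exclusion_reason(a) is None]


# Constructed sample alerts (hostnames, paths and accounts are made up).
SAMPLES = [
    Alert("ws01", r"C:\Windows\System32\taskhost.exe",
          "taskhost.exe /c del /q %s", r"CORP\svc_jobs"),
    Alert("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -NoProfile Remove-Item C:\Temp\* -Recurse", r"CORP\jdoe"),
    Alert("ws03", r"C:\Users\jdoe\Downloads\chrome_installer.exe",
          "chrome_installer.exe --silent", r"CORP\jdoe"),
    Alert("ws04", r"C:\Users\jdoe\AppData\Local\Temp\taskhost.exe",
          "taskhost.exe", r"CORP\jdoe"),
    Alert("ws05", r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
          "setup.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a.host}: {exclusion_reason(a) or 'TRIAGE'}")
```

Matching the job hosts on their full System32 path rather than on the bare file name is the one deliberate tightening here: it keeps the page's exclusion for the listed hosts while leaving a same-named binary in a user-writable directory (ws04) in the triage queue.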