This detection identifies a potential deployment of the Sednit / EVILTOSS implant by APT28, indicating adversary presence within the network. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate the advanced persistent threats that use this malware.
YARA Rule
rule IMPLANT_6_v3 {
    meta:
        description = "Sednit / EVILTOSS Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        // deobfuscation routine; the trailing ?? is a one-byte wildcard
        $deob_func = { 8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A
                       04 3A 33 D2 8A 54 37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A
                       1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46 83 FE 0A 7C ?? }
    condition:
        // gate on common file magics (MZ, OLE/CFB, pcap, %PDF, {\rtf) before matching the pattern
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
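As an added illustration (not part of the original rule or of US-CERT's material), the Python below re-implements the rule's condition: the little-endian magic-number gate from the condition block and the wildcarded hex string, each as its own function so both halves can be checked separately against constructed byte strings.

```python
import re
import struct

# Hex string from the IMPLANT_6_v3 rule above; "??" is a one-byte wildcard.
DEOB_FUNC_HEX = (
    "8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A "
    "04 3A 33 D2 8A 54 37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A "
    "1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46 83 FE 0A 7C ??"
)


def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: wildcard must match 0x0A too


DEOB_FUNC_RE = yara_hex_to_regex(DEOB_FUNC_HEX)


def header_gate(data: bytes) -> bool:
    """Mirror the rule's condition; YARA's uint16()/uint32() read little-endian."""
    if len(data) < 5:  # uint32(1) needs bytes 1..4
        return False
    u16_0 = struct.unpack_from("<H", data, 0)[0]
    u32_0 = struct.unpack_from("<I", data, 0)[0]
    u32_1 = struct.unpack_from("<I", data, 1)[0]
    return (u16_0 in (0x5A4D, 0xCFD0, 0xC3D4)   # MZ, OLE/CFB, pcap
            or u32_0 == 0x46445025              # "%PDF"
            or u32_1 == 0x6674725C)             # "\rtf" at offset 1, i.e. "{\rtf"


def matches_implant_6_v3(data: bytes) -> bool:
    """True only when both the header gate and the $deob_func pattern are satisfied."""
    return header_gate(data) and DEOB_FUNC_RE.search(data) is not None


# Constructed samples (not real files): the wildcard byte is filled with 0x00.
PATTERN_BYTES = bytes.fromhex(DEOB_FUNC_HEX.replace("??", "00"))
SAMPLE_PE = b"MZ" + b"\x00" * 62 + PATTERN_BYTES + b"\x90" * 16   # MZ magic + pattern
SAMPLE_RTF = b"{\\rtf1" + b"A" * 32 + PATTERN_BYTES               # RTF magic + pattern
SAMPLE_NO_MAGIC = b"\x00\x00" + PATTERN_BYTES                     # pattern, no valid magic
SAMPLE_PE_CLEAN = b"MZ" + b"\x00" * 200                           # magic, no pattern

if __name__ == "__main__":
    for name, blob in [("pe", SAMPLE_PE), ("rtf", SAMPLE_RTF),
                       ("no_magic", SAMPLE_NO_MAGIC), ("pe_clean", SAMPLE_PE_CLEAN)]:
        print(f"{name}: {matches_implant_6_v3(blob)}")
```

The two negative samples show why the gate matters: the pattern alone, or the magic alone, does not fire the rule.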
Scenario: A system administrator uses PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -File or -Command with known update scripts.
Scenario: A scheduled job runs Task Scheduler to perform routine system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Filter by ProcessName containing schtasks.exe and exclude tasks with known maintenance scripts or paths in the System32 directory.
Scenario: A security analyst uses Wireshark to capture and analyze network traffic for forensic analysis.
Filter/Exclusion: Check for ProcessName containing wireshark.exe or tshark.exe and exclude traffic from known internal analysis tools or specific IP ranges used for analysis.
Scenario: An IT admin uses PowerShell to configure group policy settings or deploy software via Group Policy Object (GPO).
Filter/Exclusion: Filter by ProcessName containing powershell.exe and CommandLine containing gpupdate or gpo related commands.
Scenario: A developer uses Visual Studio or MSBuild to compile and deploy code to a development server.
Filter/Exclusion: Check for ProcessName containing devenv.exe, msbuild.exe, or dotnet.exe and exclude paths related to development environments or known build scripts.