Adversaries may embed custom strings in their tooling to exfiltrate data or communicate covertly, and the presence of such strings on a host can indicate a multi-stage intrusion. SOC teams should proactively hunt for these strings, for example in Azure Sentinel, to identify potential command-and-control activity or data exfiltration attempts early.
YARA Rule
rule IMulerStrings : IMuler Family
{
    meta:
        description = "IMuler Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    strings:
        $ = "/cgi-mac/"
        $ = "xnocz1"
        $ = "checkvir.plist"
        $ = "/Users/apple/Documents/mac back"
        $ = "iMuler2"
        $ = "/Users/imac/Desktop/macback/"
        $ = "xntaskz.gz"
        $ = "2wmsetstatus.cgi"
        $ = "launch-0rp.dat"
        $ = "2wmupload.cgi"
        $ = "xntmpz"
        $ = "2wmrecvdata.cgi"
        $ = "xnorz6"
        $ = "2wmdelfile.cgi"
        $ = "/LanchAgents/checkvir"
        $ = "0PERA:%s"
        $ = "/tmp/Spotlight"
        $ = "/tmp/launch-ICS000"
    condition:
        any of them
}
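To show what the rule's "any of them" condition actually fires on, here is an added example (not part of the original rule or its author's work) that re-implements the string set and condition in plain Python, so the matching logic can be exercised without yara-python. The two sample buffers are constructed for illustration and are not real IMuler samples.

```python
"""Added example: a minimal stand-in for the IMulerStrings rule above.

It reproduces the rule's string set and its "any of them" condition in
plain Python. The sample buffers below are constructed, not real samples.
"""
from typing import Dict, List

# The same literal strings as the rule's $ entries. Matching is
# case-sensitive, as in YARA when no "nocase" modifier is given.
IMULER_STRINGS: List[bytes] = [
    b"/cgi-mac/", b"xnocz1", b"checkvir.plist",
    b"/Users/apple/Documents/mac back", b"iMuler2",
    b"/Users/imac/Desktop/macback/", b"xntaskz.gz", b"2wmsetstatus.cgi",
    b"launch-0rp.dat", b"2wmupload.cgi", b"xntmpz", b"2wmrecvdata.cgi",
    b"xnorz6", b"2wmdelfile.cgi", b"/LanchAgents/checkvir", b"0PERA:%s",
    b"/tmp/Spotlight", b"/tmp/launch-ICS000",
]


def find_strings(data: bytes) -> Dict[bytes, List[int]]:
    """Return every rule string present in data, mapped to its byte offsets."""
    hits: Dict[bytes, List[int]] = {}
    for s in IMULER_STRINGS:
        offsets: List[int] = []
        start = data.find(s)
        while start != -1:
            offsets.append(start)
            start = data.find(s, start + 1)
        if offsets:
            hits[s] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Condition "any of them": a single string hit is enough to fire."""
    return bool(find_strings(data))


# Constructed sample inputs. SUSPECT carries three of the rule's strings;
# BENIGN contains only text resembling the rule's own meta description,
# which is not one of the matched strings.
SUSPECT = b"\x00POST /cgi-mac/2wmupload.cgi HTTP/1.1\x00/tmp/Spotlight\x00"
BENIGN = b"log: IMuler Identifying Strings deployment finished\n"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, rule_matches(blob), find_strings(blob))
```

The hit offsets are what you would use to pivot into the surrounding bytes when triaging a real match.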
When this YARA rule is deployed, the following benign scenarios may produce matches, together with the exclusions to apply in each case:
Scenario: A system administrator is using PowerShell to automate the deployment of a new application, and the script contains the string “Identifying Strings” as part of a log message or comment.
Filter/Exclusion: Exclude events where the source process is powershell.exe and the event description contains “deployment” or “script”.
Scenario: A scheduled job runs nightly to generate reports using a tool like SQL Server Reporting Services (SSRS), and the report generation process includes the string “Identifying Strings” in its output.
Filter/Exclusion: Exclude events where the event source is “SSRS” or the process name is ReportingServicesService.exe.
Scenario: A log management tool like Splunk is configured to parse logs and includes the phrase “Identifying Strings” as part of its log parsing configuration.
Filter/Exclusion: Exclude events where the source is “Splunk” or the process name is splunkd.exe.
Scenario: A configuration management tool such as Ansible is used to deploy configurations, and the playbook includes a comment or log message containing “Identifying Strings”.
Filter/Exclusion: Exclude events where the process name is ansible or the event message contains “playbook” or “configuration”.
Scenario: A backup tool like Veeam generates logs that include the string “Identifying Strings” during the backup process.
Filter/Exclusion: Exclude events where the process name is veeam.exe or the event message contains “backup” or “snapshot”.