Detection of specific binary patterns associated with this advanced threat indicates that Industroyer-related malware may be present in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential industrial control system compromises before they cause widespread damage.
YARA Rule
rule Industroyer_Malware_1 {
    meta:
        description = "Detects Industroyer related malware"
        author = "Florian Roth"
        reference = "https://goo.gl/x81cSy"
        date = "2017-06-13"
        hash1 = "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910"
        hash2 = "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81"
    strings:
        $s1 = "haslo.exe" fullword ascii
        $s2 = "SYSTEM\\CurrentControlSet\\Services\\%ls" fullword wide
        $s3 = "SYS_BASCON.COM" fullword wide
        $s4 = "*.pcmt" fullword wide
        $s5 = "*.pcmi" fullword wide
        $x1 = { 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73
                00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61
                00 67 00 65 00 50 00 61 00 74 00 68 00 00 00 43
                00 3A 00 5C 00 00 00 44 00 3A 00 5C 00 00 00 45
                00 3A 00 5C 00 00 00 }
        $x2 = "haslo.dat\x00Crash"
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of ($x*) or 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic: five $s strings (four wide, one ascii, all fullword) and two $x patterns (one hex sequence and one ascii string containing an embedded null byte).
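To make the rule's behaviour concrete before deploying it, the following added example (not part of the original page and not Florian Roth's code) re-implements the matching logic of Industroyer_Malware_1 in pure Python and runs it over constructed sample buffers. It encodes the strings the way YARA does (ascii as raw bytes, wide as UTF-16LE), applies YARA's fullword semantics (no alphanumeric character immediately before or after the match; for wide strings the neighbouring character is a 2-byte unit), and evaluates the condition with the same operator precedence YARA uses: `and` binds tighter than `or`, so the `2 of them` branch fires without the MZ header and 200KB size gate. The sample buffers are constructed for illustration only and are not real Industroyer artefacts; use the real YARA engine for production scanning.

```python
"""Walk-through of the Industroyer_Malware_1 condition logic (added example)."""
import re

ALNUM = re.compile(rb"[A-Za-z0-9]")
KB = 1024  # YARA's KB multiplier

# Strings copied from the rule, encoded the way YARA encodes them.
ASCII_FULLWORD = {"$s1": b"haslo.exe"}
WIDE_FULLWORD = {
    "$s2": "SYSTEM\\CurrentControlSet\\Services\\%ls",
    "$s3": "SYS_BASCON.COM",
    "$s4": "*.pcmt",
    "$s5": "*.pcmi",
}
HEX_X1 = bytes.fromhex(
    "00530065007200760069006300650073"
    "005C0025006C007300000049006D0061"
    "00670065005000610074006800000043"
    "003A005C00000044003A005C00000045"
    "003A005C000000"
)
X2 = b"haslo.dat\x00Crash"  # plain ascii, not fullword; \x00 is a literal null byte


def _fullword_ok(data, start, end, wide):
    """YARA 'fullword': no alphanumeric directly before or after the match.
    For wide strings the neighbouring character is a 2-byte UTF-16LE unit."""
    step = 2 if wide else 1

    def is_word(chunk):
        if len(chunk) < step:
            return False
        if wide and chunk[1] != 0:
            return False
        return bool(ALNUM.match(chunk[:1]))

    before = data[max(0, start - step):start]
    after = data[end:end + step]
    return not is_word(before) and not is_word(after)


def _find(data, needle, fullword, wide):
    """Return True if needle occurs in data (honouring fullword when requested)."""
    pos = data.find(needle)
    while pos != -1:
        if not fullword or _fullword_ok(data, pos, pos + len(needle), wide):
            return True
        pos = data.find(needle, pos + 1)
    return False


def match_strings(data):
    """Evaluate every string of the rule; returns {identifier: matched}."""
    hits = {}
    for name, s in ASCII_FULLWORD.items():
        hits[name] = _find(data, s, fullword=True, wide=False)
    for name, s in WIDE_FULLWORD.items():
        hits[name] = _find(data, s.encode("utf-16-le"), fullword=True, wide=True)
    hits["$x1"] = HEX_X1 in data
    hits["$x2"] = X2 in data
    return hits


def industroyer_malware_1(data):
    """The rule's condition with YARA precedence ('and' before 'or')."""
    hits = match_strings(data)
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    x_hits = sum(hits[n] for n in ("$x1", "$x2"))
    total = sum(hits.values())
    # The '2 of them' branch is NOT gated by the MZ header or file size check.
    return (is_mz and len(data) < 200 * KB and x_hits >= 1) or total >= 2


# Constructed samples (not real malware): each exercises one branch of the condition.
PE_LIKE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + X2 + b"\x00" * 16          # MZ + one $x
DOC_LIKE = (b"\x00\x00" + "SYS_BASCON.COM".encode("utf-16-le")              # no MZ header,
            + b"\x00\x00" + "*.pcmt".encode("utf-16-le") + b"\x00\x00")      # but 2 of them
PARTIAL = b"xhaslo.exe\x00\x00" + "*.pcmi".encode("utf-16-le") + b"\x00\x00"  # $s1 fails fullword
FULLWORD_OK = b" haslo.exe\x00\x00" + "*.pcmi".encode("utf-16-le") + b"\x00\x00"
CLEAN = b"MZ" + b"\x00" * 200


def evaluate_samples():
    """Run the rule over the constructed samples; returns {sample name: verdict}."""
    samples = {"PE_LIKE": PE_LIKE, "DOC_LIKE": DOC_LIKE, "PARTIAL": PARTIAL,
               "FULLWORD_OK": FULLWORD_OK, "CLEAN": CLEAN}
    return {name: industroyer_malware_1(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:12s} -> {'MATCH' if verdict else 'no match'}")
```

The DOC_LIKE verdict is the one to note when tuning: a non-executable file that merely contains two of the wide strings satisfies `2 of them`, which is why the exclusion scenarios below concern tools that write configuration or capture data rather than only PE files.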
Scenario: A legitimate scheduled job runs a script that matches the YARA rule due to similar string patterns.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler tasks, especially those with known benign scripts or system maintenance tasks.
Scenario: A system administrator uses a legitimate tool like Wireshark or tcpdump to capture network traffic, which inadvertently matches the YARA rule due to packet headers or payloads.
Filter/Exclusion: Exclude processes running Wireshark.exe, tcpdump.exe, or any network analysis tools commonly used by security teams.
Scenario: A backup or log management tool like Veeam Backup & Replication or Splunk generates files with similar string patterns to Industroyer malware.
Filter/Exclusion: Exclude processes related to backup tools or log management systems, such as Veeam.exe, splunkd.exe, or logstash.exe.
Scenario: A system update or patching tool like Windows Update or Chocolatey creates temporary files that match the YARA rule.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, Chocolatey.exe, or any known patching and update management tools.
Scenario: A developer uses a legitimate code obfuscation tool like Dotfuscator or ProGuard to protect code, which may result in string patterns similar to Industroyer.
Filter/Exclusion: Exclude processes running Dotfuscator.exe, proguard.jar, or any code obfuscation tools commonly used in development environments.