Detects Industroyer related malware

Hunt Hypothesis

Industroyer-related malware may be present in the environment through suspicious process creation or network activity indicative of its command and control communication. SOC teams should proactively hunt for this behavior to identify and mitigate potential industrial control system compromises early.

YARA Rule

rule Industroyer_Malware_5 {
   meta:
      description = "Detects Industroyer related malware"
      author = "Florian Roth"
      reference = "https://goo.gl/x81cSy"
      date = "2017-06-13"
      hash1 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
   strings:
      $x1 = "D2MultiCommService.exe" fullword ascii
      $x2 = "Crash104.dll" fullword ascii
      $x3 = "iec104.log" fullword ascii
      $x4 = "IEC-104 client: ip=%s; port=%s; ASDU=%u " fullword ascii

      $s1 = "Error while getaddrinfo executing: %d" fullword ascii
      $s2 = "return info-Remote command" fullword ascii
      $s3 = "Error killing process ..." fullword ascii
      $s4 = "stop_comm_service_name" fullword ascii
      $s5 = "*1* Data exchange: Send: %d (%s)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) or 4 of them ) ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 9 string patterns in its detection logic.

References

• https://goo.gl/x81cSy
• Source Rule

False Positive Guidance

• Scenario: Scheduled system maintenance using schtasks.exe
  Filter/Exclusion: Check for schtasks.exe with command line containing /create and TriggerType=ONLOGON or TriggerType=ONSTART
  Example Filter: process.exe == "schtasks.exe" and command_line contains "/create" and command_line contains "TriggerType=ONLOGON"

• Scenario: Admin task to configure IIS using iisreset.exe
  Filter/Exclusion: Filter out iisreset.exe processes with command_line containing /stop or /start
  Example Filter: process.exe == "iisreset.exe" and command_line contains "/stop" or command_line contains "/start"

• Scenario: Legitimate use of reg.exe to modify registry settings during patching
  Filter/Exclusion: Exclude reg.exe processes where the command line includes HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU
  Example Filter: process.exe == "reg.exe" and command_line contains "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

• Scenario: Backup job using wbadmin.exe to perform system image backup
  Filter/Exclusion: Filter out wbadmin.exe processes with command line containing /startSystemImageBackup or /backup
  Example Filter: process.exe == "wbadmin.exe" and command_line contains "/startSystemImageBackup" or command command_line contains “/backup”`

• Scenario: PowerShell script execution for routine system monitoring using powershell.exe
  Filter/Exclusion: Exclude powershell.exe processes where the script path contains known monitoring tools like perfmon.ps1 or system_health.ps1
  Example Filter: