The hypothesis is that detection of the hardcoded DH modulus from the Loki2 source code indicates potential use of outdated or weak cryptographic practices, which adversaries may exploit to compromise encrypted communications. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify legacy systems or compromised environments that may lack modern cryptographic protections.
YARA Rule
rule loki2crypto {
    meta:
        author = "Costin Raiu, Kaspersky Lab"
        date = "2017-03-21"
        version = "1.0"
        description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        hash = "19fbd8cbfb12482e8020a887d6427315"
        hash = "ea06b213d5924de65407e8931b1e4326"
        hash = "14ecd5e6fc8e501037b54ca263896a11"
        hash = "e079ec947d3d4dacb21e993b760a65dc"
        hash = "edf900cebb70c6d1fcab0234062bfc28"
    strings:
        $modulus = { DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49 }
    condition:
        (any of them)
}
This rule contains one string pattern in its detection logic. It can be deployed in the following contexts; each scenario describes benign activity that may trigger the rule and a filter or exclusion to handle it:
Scenario: Development Environment Code Check
Description: A developer is using a static code analysis tool like SonarQube or Clang-Tidy to scan code for security issues, and the hardcoded DH modulus is flagged as part of a legacy code snippet.
Filter/Exclusion: Exclude files or directories that are known to be part of legacy or development-only code, e.g., exclusions: /dev_env/* or use a custom rule in the static analysis tool to ignore this specific pattern.
Scenario: Scheduled Job for Codebase Audit
Description: A scheduled job runs a grep or ack command to search for legacy code patterns across the codebase, including the hardcoded DH modulus.
Filter/Exclusion: Add a filter to the script to ignore known legacy files or directories, such as grep -v '/legacy/' or use a blacklist of file paths in the search command.
Scenario: Admin Task for System Hardening
Description: An admin is manually reviewing system configuration files or source code for outdated cryptographic practices, and the hardcoded DH modulus is found in a configuration file or source code.
Filter/Exclusion: Exclude files that are known to be part of system configuration or documentation, such as exclusions: /etc/ssh_config, /docs/, or use a file type filter to ignore non-source files.
Scenario: CI/CD Pipeline Artifact Inspection
Description: During a CI/CD pipeline run, a CI/CD tool like Jenkins or GitHub Actions is scanning build artifacts or source code for security issues, and the hardcoded DH modulus is detected in a build script or source file.
Filter/Exclusion: Exclude build directories or files that are known to be temporary or part of the build process.
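The following is an added example, not code from the page or from Kaspersky: it re-implements the rule's single hex-string match in plain Python and applies path exclusions of the kind the scenarios above describe (for example /legacy/* or /docs/*), so a team can prototype the filters before wiring them into a scanner or pipeline. The sample directory tree, its file names and contents are constructed for the demonstration. Note the caveat it makes visible: a YARA hex string matches raw bytes, so a source file that spells the modulus as 0xDA, 0xE1, ... text literals does not trigger the rule, whereas a compiled object or binary that embeds those bytes does.

```python
"""Added example (not the page's or Kaspersky's code): byte-pattern match for the
loki2crypto $modulus string plus scenario-style path exclusions."""
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# The hex string from the YARA rule, as raw bytes. It has no wildcards or jumps,
# so a plain substring search is equivalent to the rule's "any of them" condition.
LOKI2_DH_MODULUS = bytes.fromhex(
    "DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49"
)


def matches_loki2crypto(data: bytes) -> bool:
    """True when the raw modulus bytes occur anywhere in data."""
    return LOKI2_DH_MODULUS in data


def is_excluded(rel_path: str, exclude_globs: Iterable[str]) -> bool:
    """Apply exclusion globs such as '/legacy/*' or '*.md' to a path relative
    to the scan root. The path is normalised to forward slashes with a leading
    '/' so the same globs work for Unix and Windows checkouts."""
    norm = "/" + rel_path.replace(os.sep, "/")
    return any(fnmatch.fnmatch(norm, glob) for glob in exclude_globs)


def scan_tree(root: str, exclude_globs: Iterable[str] = ()) -> List[str]:
    """Walk root, skip excluded paths, and return relative paths (forward
    slashes, sorted) of every file containing the modulus bytes."""
    base = Path(root)
    excludes = list(exclude_globs)
    hits = []
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(base))
        if is_excluded(rel, excludes):
            continue
        if matches_loki2crypto(path.read_bytes()):
            hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample files (hypothetical names): a compiled blob embedding
    the raw modulus, a copy under legacy/, a C source spelling the modulus as
    hex literals, a docs file quoting the hex as text, and a clean file."""
    base = Path(root)
    for sub in ("src", "legacy", "docs"):
        (base / sub).mkdir(parents=True)
    # Raw bytes, as they would appear in an object file or binary: matches.
    (base / "src" / "dh.bin").write_bytes(b"\x00" * 16 + LOKI2_DH_MODULUS + b"\x00" * 16)
    (base / "legacy" / "old_dh.bin").write_bytes(LOKI2_DH_MODULUS)
    # Same modulus written as C text literals: ASCII, not the raw bytes, so no match.
    literals = ", ".join("0x%02X" % b for b in LOKI2_DH_MODULUS)
    (base / "src" / "dh_table.c").write_text("static unsigned char p[] = { %s };\n" % literals)
    (base / "docs" / "notes.txt").write_text("modulus starts DA E1 01 CD ...\n")
    (base / "src" / "clean.c").write_text("int main(void) { return 0; }\n")


def demo() -> Tuple[List[str], List[str]]:
    """Return (hits with no filter, hits after excluding legacy/ and docs/)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        unfiltered = scan_tree(tmp)
        filtered = scan_tree(tmp, exclude_globs=["/legacy/*", "/docs/*"])
    return unfiltered, filtered


if __name__ == "__main__":
    raw, kept = demo()
    print("all hits:      ", raw)
    print("after filters: ", kept)
```

Only the two files holding the raw bytes are reported; dh_table.c and notes.txt are silent even though they carry the same modulus as text, which is why source-repository audits of this pattern are better served by a text regex over the hex literals in addition to the YARA rule over build artifacts.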