The Molerats_certs rule detects potential malware artifacts associated with the Molerats actor by matching byte patterns from code-signing certificates the group has used, which may indicate compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware activity and prevent lateral movement within the network.
YARA Rule
rule Molerats_certs
{
    meta:
        Author = "FireEye Labs"
        Date = "2013/08/23"
        Description = "this rule detects code signed with certificates used by the Molerats actor"
        Reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
    strings:
        $cert1 = { 06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75 }
        $cert2 = { 03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28 }
        $cert3 = { 0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d }
    condition:
        1 of ($cert*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
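As an added example (not part of the original page or of FireEye's rule), the following Python reimplements the rule's logic without the yara library: it scans a file in chunks for the three 16-byte patterns, carries an overlap across chunk boundaries so a certificate blob split between two reads is still found, evaluates the "1 of ($cert*)" condition, and returns a SHA-256 for triage. The function names and the sample data are my own assumptions.

```python
import hashlib
import io

# Byte patterns copied from the Molerats_certs rule above (YARA hex strings are
# case-insensitive, so the mixed-case spelling of $cert1 changes nothing).
CERT_PATTERNS = {
    "$cert1": bytes.fromhex("065011A5BCBF83C09328165E7E852775"),
    "$cert2": bytes.fromhex("03e1e1aaa5bca19fba8c42058b4abf28"),
    "$cert3": bytes.fromhex("0cc0359c9c3cda00d7e9da2dc6ba7b6d"),
}

def all_offsets(data: bytes, pat: bytes) -> list:
    """Every offset of pat in data, overlapping matches included (as YARA reports them)."""
    offs, i = [], data.find(pat)
    while i != -1:
        offs.append(i)
        i = data.find(pat, i + 1)
    return offs

def rule_matches(hits: dict) -> bool:
    """The rule condition '1 of ($cert*)': at least one $cert pattern matched."""
    return len(hits) >= 1

def scan_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Scan a file-like object chunk by chunk, returning {pattern: [absolute offsets]}.
    The last 15 bytes of each chunk are carried over so a 16-byte pattern straddling a
    chunk boundary is found; since all patterns are 16 bytes, no match is reported twice."""
    overlap = max(len(p) for p in CERT_PATTERNS.values()) - 1
    hits, tail, base = {}, b"", 0          # base = absolute offset of current chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        buf = tail + chunk
        for name, pat in CERT_PATTERNS.items():
            for off in all_offsets(buf, pat):
                hits.setdefault(name, []).append(base - len(tail) + off)
        tail, base = buf[-overlap:], base + len(chunk)

def scan_bytes(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Convenience wrapper for in-memory data (constructed test input goes here)."""
    return scan_stream(io.BytesIO(data), chunk_size)

def scan_file(path: str) -> dict:
    """Triage record for one file: a hash to pivot on plus the matched patterns."""
    with open(path, "rb") as fh:
        hits = scan_stream(fh)
        fh.seek(0)
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "hits": hits, "matched": rule_matches(hits)}
```

The offsets returned are useful for confirming that a hit actually sits inside a PE's Authenticode signature blob rather than in unrelated data before escalating.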
Scenario: Certificate renewal via Let’s Encrypt CLI
Description: An admin uses the certbot tool to renew SSL certificates, which may generate certificate-related artifacts that match the YARA rule.
Filter/Exclusion: Check for the presence of certbot in the process name or command line arguments.
Scenario: Scheduled job for certificate management
Description: A scheduled task (e.g., via Windows Task Scheduler or cron) runs a script to manage or rotate certificates, which may trigger the rule.
Filter/Exclusion: Filter out processes associated with known certificate management tools like openssl, certmgr, or certutil.
Scenario: Internal CA certificate generation
Description: An internal CA (e.g., using OpenSSL or Microsoft Certificate Services) generates new certificates for internal use, which may match the rule.
Filter/Exclusion: Exclude processes running under the Local System account or those associated with internal CA tools.
Scenario: Code signing certificate creation
Description: A developer uses signtool or osslsigncode to create a code signing certificate, which may trigger the rule due to similar certificate structures.
Filter/Exclusion: Filter out processes related to code signing tools or those executed by developers with known legitimate signing activities.
Scenario: Automated certificate export/import via PowerShell
Description: A PowerShell script exports or imports certificates using Export-Certificate or Import-Certificate cmdlets, which may generate certificate-related artifacts.
Filter/Exclusion: Exclude processes with powershell.exe in the command line and check for known administrative scripts or tools used for certificate management.