Adversaries from the OilRig campaign may use custom malware to establish persistence and exfiltrate data, leveraging low-severity indicators to avoid detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise and data theft.
YARA Rule
rule OilRig_Malware_Campaign_Gen2
{
    meta:
        description = "Detects malware from OilRig Campaign"
        author = "Florian Roth"
        reference = "https://goo.gl/QMRZ8K"
        date = "2016-10-12"
        hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d"
        hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb"
    strings:
        $s1 = "%userprofile%\\AppData\\Local\\Microsoft\\ " fullword ascii
        $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii
        $s3 = "&{$rn = Get-Random; $id = 'TR" fullword ascii
        $s4 = "') -replace '__',('DNS'+$id) | " fullword ascii
        $s5 = "\\upd.vbs" fullword ascii
        $s6 = "schtasks /create /F /sc minute /mo " fullword ascii
        $s7 = "') -replace '__',('HTP'+$id) | " fullword ascii
        $s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" fullword ascii
        $s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" fullword ascii
    condition:
        ( uint16(0) == 0xcfd0 and filesize < 4000KB and 2 of ($s*) ) or ( 4 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
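As an added example (not part of the original page, and not the rule author's tooling), the rule's condition re-implemented in Python and run over constructed samples. It shows two details that decide whether the rule fires: uint16(0) is read little-endian, so 0xcfd0 means the file starts with the OLE2 magic bytes D0 CF, and fullword rejects a match that is directly followed by an alphanumeric byte, so "schtasks /create /F /sc minute /mo " followed by a digit does not count. The sample blobs and variable names are constructed for this example.

```python
import re

# The nine strings of OilRig_Malware_Campaign_Gen2, copied from the rule above.
OILRIG_STRINGS = {
    "s1": b"%userprofile%\\AppData\\Local\\Microsoft\\ ",
    "s2": b"$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('",
    "s3": b"&{$rn = Get-Random; $id = 'TR",
    "s4": b"') -replace '__',('DNS'+$id) | ",
    "s5": b"\\upd.vbs",
    "s6": b"schtasks /create /F /sc minute /mo ",
    "s7": b"') -replace '__',('HTP'+$id) | ",
    "s8": b"&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ",
    "s9": b"http://www.israirairlines.com/?mode=page&page=14635&lang=eng<",
}

def fullword_matches(data: bytes) -> set:
    """Names of rule strings present in data under YARA 'fullword' semantics:
    the match must not be directly preceded or followed by an alphanumeric byte."""
    hits = set()
    for name, s in OILRIG_STRINGS.items():
        rx = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
        if re.search(rx, data):
            hits.add(name)
    return hits

def oilrig_gen2_matches(data: bytes) -> bool:
    """Evaluate the rule's condition. uint16(0) is little-endian, so 0xcfd0 means
    the file begins with bytes D0 CF, the OLE2 compound-document magic of .doc/.xls."""
    hits = fullword_matches(data)
    is_ole = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0xCFD0
    return (is_ole and len(data) < 4000 * 1024 and len(hits) >= 2) or len(hits) >= 4

# Constructed samples (not real malware): an OLE file with macro-style string
# concatenation, a plain-text PowerShell stager template, and an OLE file that
# stays below threshold because "/mo 5" makes $s6 fail the fullword check.
OLE_HDR = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_OLE_MACRO = OLE_HDR + (
    b'p = "%userprofile%\\AppData\\Local\\Microsoft\\ " & n & "\\upd.vbs"\r\n'
    b'Shell "schtasks /create /F /sc minute /mo " & i & " /tn " & n\r\n')
SAMPLE_PS1_TEMPLATE = (
    b"&{$rn = Get-Random; $id = 'TR'+$rn; "
    b"$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('__') "
    b"-replace '__',('DNS'+$id) | &$run}\r\n"
    b"&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ'+$rn; "
    b"$fhn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('__') "
    b"-replace '__',('HTP'+$id) | &$run}\r\n")
SAMPLE_OLE_BELOW_THRESHOLD = OLE_HDR + (
    b'Shell "schtasks /create /F /sc minute /mo 5 /tn Cleanup /tr " & "\\upd.vbs"\r\n')

if __name__ == "__main__":
    for label, blob in [("macro doc", SAMPLE_OLE_MACRO), ("ps1 template", SAMPLE_PS1_TEMPLATE),
                        ("below threshold", SAMPLE_OLE_BELOW_THRESHOLD)]:
        print(f"{label:16} hits={sorted(fullword_matches(blob))} match={oilrig_gen2_matches(blob)}")
```

The below-threshold sample is the case to keep in mind when porting these strings into process-command-line hunting: a command line such as "schtasks /create /F /sc minute /mo 5" never satisfies $s6 as written, so a telemetry query should drop the fullword constraint and match the substring directly.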
Scenario: Legitimate scheduled job for system maintenance using schtasks.exe
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.command_line contains " /create"

Scenario: Admin using PowerShell.exe to run a script for log analysis
Filter/Exclusion: process.parent_process_name != "powershell.exe" or process.command_line contains "Get-EventLog"

Scenario: System update using msiexec.exe to install a legitimate patch
Filter/Exclusion: process.command_line contains " /i " or process.command_line contains " /update"

Scenario: Database backup using sqlcmd.exe with a scheduled task
Filter/Exclusion: process.parent_process_name != "sqlcmd.exe" or process.command_line contains ' -Q "backup database'

Scenario: Security tool scan using Process Explorer.exe or Procmon.exe
Filter/Exclusion: process.parent_process_name contains "Process Explorer.exe" or process.parent_process_name contains "Procmon.exe"