The detection identifies potential command and control activity associated with the Tiny Bot used by attackers in Operation Cleaver, indicating possible ongoing malicious operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging this botnet infrastructure.
YARA Rule
rule OPCLEAVER_TinyZBot
{
    meta:
        description = "Tiny Bot used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "NetScp" wide
        $s2 = "TinyZBot.Properties.Resources.resources"
        $s3 = "Aoao WaterMark"
        $s4 = "Run_a_exe"
        $s5 = "netscp.exe"
        $s6 = "get_MainModule_WebReference_DefaultWS"
        $s7 = "remove_CheckFileMD5Completed"
        $s8 = "http://tempuri.org/"
        $s9 = "Zhoupin_Cleaver"
    condition:
        (($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
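As an added example (not part of the original page or of Cylance's rule), the rule's string matching and condition are re-implemented in plain Python so that each branch of the condition can be exercised offline against constructed byte buffers without yara-python; it also shows why $s1's wide modifier means only the UTF-16LE form of "NetScp" counts.

```python
# Added example: plain-Python re-implementation of the OPCLEAVER_TinyZBot
# string matching and condition, for exercising the rule's branches offline.

# (pattern, wide) pairs copied from the rule. 'wide' makes YARA search for the
# UTF-16LE form (each ASCII byte followed by 0x00); without an 'ascii' modifier
# alongside it, the plain ASCII form does NOT match.
STRINGS = {
    "s1": ("NetScp", True),
    "s2": ("TinyZBot.Properties.Resources.resources", False),
    "s3": ("Aoao WaterMark", False),
    "s4": ("Run_a_exe", False),
    "s5": ("netscp.exe", False),
    "s6": ("get_MainModule_WebReference_DefaultWS", False),
    "s7": ("remove_CheckFileMD5Completed", False),
    "s8": ("http://tempuri.org/", False),
    "s9": ("Zhoupin_Cleaver", False),
}

def encode(pattern, wide):
    """Byte form YARA would search for: UTF-16LE when 'wide', else raw ASCII."""
    return pattern.encode("utf-16-le") if wide else pattern.encode("ascii")

def matched_strings(data):
    """Names of the rule's strings present in a buffer (case-sensitive, as without nocase)."""
    return {name for name, (pat, wide) in STRINGS.items() if encode(pat, wide) in data}

def condition(m):
    """The rule's condition, evaluated over the set of matched string names."""
    return (("s1" in m and "s2" in m)
            or ("s3" in m and "s4" in m and "s5" in m)
            or ("s6" in m and "s7" in m and "s8" in m)
            or "s9" in m)

def scan(data):
    """Return (rule_fires, sorted matched names) for a byte buffer."""
    m = matched_strings(data)
    return condition(m), sorted(m)

# Constructed buffers (not real samples), one per behaviour worth checking.
WIDE_HIT = b"MZ\x90\x00" + "NetScp".encode("utf-16-le") + b"\x00TinyZBot.Properties.Resources.resources\x00"
ASCII_ONLY = b"NetScp\x00TinyZBot.Properties.Resources.resources"  # $s1 in ASCII: wide does not match
PARTIAL = b"Aoao WaterMark\x00Run_a_exe\x00"                        # $s5 missing, second branch fails
BENIGN_WCF = b"xmlns=\"http://tempuri.org/\""                        # default .NET web-service namespace alone

if __name__ == "__main__":
    for label, buf in [("wide", WIDE_HIT), ("ascii", ASCII_ONLY), ("partial", PARTIAL), ("benign", BENIGN_WCF)]:
        fires, names = scan(buf)
        print(f"{label:8} fires={fires} matched={names}")
```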
This rule contains 9 string patterns in its detection logic. The following scenarios describe legitimate activity that may resemble this rule's matches, with suggested filters or exclusions for each:
Scenario: A system administrator is using the Tiny Tiny RSS tool to manage news feeds.
Filter/Exclusion: Check for process.name containing “tinytinyrss” or “tt-rss” to exclude legitimate usage.
Scenario: A scheduled job runs a script that uses the Tiny Tiny RSS API to fetch updates.
Filter/Exclusion: Filter by process.command_line containing “tt-rss” or “tinytinyrss” to differentiate from malicious activity.
Scenario: An IT team member is using TinySSH for secure remote access to internal servers.
Filter/Exclusion: Include process.name containing “tinyssh” or check for known internal IP ranges used by the IT team.
Scenario: A developer is running a Tiny Bot as part of a CI/CD pipeline to automate testing.
Filter/Exclusion: Filter by process.parent or process.command_line containing “ci”, “jenkins”, or “git” to identify legitimate automation.
Scenario: A user is running a Tiny Bot to scrape data from a public website for internal reporting.
Filter/Exclusion: Check for process.name containing “tinybot” or filter by destination.ip that matches known public websites.