The OrcaRAT rule, written by PwC Cyber Threat Operations, identifies Windows executables belonging to the OrcaRAT malware family by strings embedded in the binary: six MIME-type strings and a set of status messages. Because those MIME types also appear in ordinary browser HTTP Accept headers, the condition requires all six together with at least one of the status strings, which is what keeps the rule specific. A match indicates the presence of a remote access tool an adversary would use to establish persistent access, so SOC teams should scan endpoints, file shares and sandbox submissions with it to catch early-stage compromise by advanced persistent threats.
YARA Rule
rule OrcaRAT
{
    meta:
        Author = "PwC Cyber Threat Operations"
        Date = "2014/10/20"
        Description = "Strings inside"
        Reference = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
    strings:
        // DOS/PE header magic; the condition anchors it at offset 0
        $MZ = "MZ"
        // MIME-type strings embedded in the binary; all six must be present
        $apptype1 = "application/x-ms-application"
        $apptype2 = "application/x-ms-xbap"
        $apptype3 = "application/vnd.ms-xpsdocument"
        $apptype4 = "application/xaml+xml"
        $apptype5 = "application/x-shockwave-flash"
        $apptype6 = "image/pjpeg"
        // Status message strings; at least one must be present
        $err1 = "Set return time error = %d!"
        $err2 = "Set return time success!"
        $err3 = "Quit success!"
    condition:
        // PE file under 500 KB (YARA's KB suffix is 1024 bytes) containing
        // every $apptype string and one or more $err strings
        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
}
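To make the condition's semantics concrete (the `at 0` anchor, the `filesize` cap, `all of` versus `1 of`), here is an added Python re-implementation of the rule's logic. It is example code written for this page, not PwC's rule or YARA's matcher, and the byte strings it builds are constructed stand-ins for PE files, not real OrcaRAT samples.

```python
"""Pure-Python evaluation of the OrcaRAT rule condition.

Added example, not PwC's code: it re-implements the condition of the rule
above so its semantics can be exercised offline, and builds constructed
(not real) sample files to show which inputs match and why.
"""

# String definitions copied from the rule above.
MZ = b"MZ"
APPTYPES = [
    b"application/x-ms-application",
    b"application/x-ms-xbap",
    b"application/vnd.ms-xpsdocument",
    b"application/xaml+xml",
    b"application/x-shockwave-flash",
    b"image/pjpeg",
]
ERRS = [
    b"Set return time error = %d!",
    b"Set return time success!",
    b"Quit success!",
]
MAX_FILESIZE = 500 * 1024  # YARA's "500KB" means 500 * 1024 bytes


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of
    $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
    and return the clauses individually plus the overall verdict."""
    result = {
        "mz_at_0": data[:2] == MZ,                 # $MZ at 0
        "filesize_ok": len(data) < MAX_FILESIZE,   # filesize < 500KB
        "apptype_hits": [s.decode() for s in APPTYPES if s in data],
        "err_hits": [s.decode() for s in ERRS if s in data],
    }
    result["match"] = (
        result["mz_at_0"]
        and result["filesize_ok"]
        and len(result["apptype_hits"]) == len(APPTYPES)  # all of ($apptype*)
        and len(result["err_hits"]) >= 1                  # 1 of ($err*)
    )
    return result


def matches(data: bytes) -> bool:
    """Boolean verdict, mirroring what `yara` would report for the file."""
    return evaluate(data)["match"]


def build_sample(strings, size=4096, header=b"MZ") -> bytes:
    """Construct a fake PE-like blob: a magic header, zero padding, the
    given strings separated by NULs, then zero padding up to `size` bytes.
    These are constructed test inputs, not real OrcaRAT samples."""
    body = header + b"\x00" * 62 + b"\x00".join(strings)
    if len(body) > size:
        raise ValueError("size too small for the embedded strings")
    return body.ljust(size, b"\x00")


# Constructed scenarios, one per clause of the condition.
SAMPLES = {
    "full_match": build_sample(APPTYPES + ERRS[:1]),           # matches
    "missing_one_apptype": build_sample(APPTYPES[:-1] + ERRS),  # all-of fails
    "no_err_string": build_sample(APPTYPES),                    # 1-of fails
    "too_large": build_sample(APPTYPES + ERRS, size=600 * 1024),  # filesize fails
    "not_a_pe": build_sample(APPTYPES + ERRS, header=b"\x7fELF"),  # MZ at 0 fails
}


def scan_all() -> dict:
    """Return {sample name: verdict} for every constructed sample."""
    return {name: matches(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = evaluate(blob)
        print(f"{name:22s} match={str(r['match']):5s} "
              f"apptypes={len(r['apptype_hits'])}/6 errs={len(r['err_hits'])}")
```

Only the first sample matches; each of the other four fails exactly one clause, which is the kind of check worth running before loosening or tightening a rule. In production the rule should of course be evaluated by YARA itself (for example `yara OrcaRAT.yar <directory>`); this script exists to show what each clause of the condition contributes, and it intentionally reproduces the 1024-byte `KB` multiplier so its size cutoff agrees with YARA's.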
This YARA rule can be deployed wherever files are scanned: with the yara command-line tool against a directory of samples, in an endpoint agent or EDR product that supports YARA, in a malware sandbox, or on a mail or web gateway that inspects attachments and downloads. Because it anchors the MZ header at offset 0 and caps filesize at 500 KB, it is written for scanning PE files on disk or captured samples, not network traffic or process telemetry.
This rule contains 10 string patterns in its detection logic: $MZ, the six $apptype* MIME-type strings and the three $err* status strings.
Tuning note: YARA evaluates file content only. Process-level exclusions of the kind commonly attached to detection rules (filtering out ccleaner.exe, powershell.exe, schtasks.exe, nmap.exe or veeam.exe by process name and arguments) cannot be expressed in a YARA rule and do not apply here. A false positive is handled in the scanning platform by excluding the specific file hash or path, or by tightening the condition, for example requiring 2 of ($err*) instead of 1.