PassCV Malware mentioned in Cylance Report

Hunt Hypothesis

PassCV malware is likely being used by adversaries to execute arbitrary code and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced threats that leverage this malware.

YARA Rule

rule PassCV_Sabre_Malware_2 
{

   meta:
      description = "PassCV Malware mentioned in Cylance Report"
      author = "Florian Roth"
      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
      date = "2016-10-20"
      hash1 = "475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4"
      hash2 = "009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78"
      hash3 = "92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b"
      hash4 = "0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2"

   strings:
      $x1 = "ncProxyXll" fullword ascii
      $s1 = "Uniscribe.dll" fullword ascii
      $s2 = "WS2_32.dll" ascii
      $s3 = "ProxyDll" fullword ascii
      $s4 = "JDNSAPI.dll" fullword ascii
      $s5 = "x64.dat" fullword ascii
      $s6 = "LSpyb2" fullword ascii

   condition:
      ( uint16(0) == 0x5a4d and filesize < 4000KB and $x1 ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 7 string patterns in its detection logic.

References

• https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
• Source Rule

False Positive Guidance

• Scenario: A system administrator is running a scheduled job to update the Cylance endpoint protection software, which includes scanning for known malware signatures, including PassCV.
  Filter/Exclusion: process.name != "CylanceAgent" OR process.parent.name != "CylanceAgent"

• Scenario: A security analyst is manually reviewing a suspicious file using a sandboxed environment, and the file is identified as containing PassCV malware by the sandbox’s threat intelligence feed.
  Filter/Exclusion: process.name != "sandbox" OR process.parent.name != "sandbox"

• Scenario: A backup job is executing and the backup software is scanning files for integrity checks, which includes scanning for known malicious patterns, including PassCV.
  Filter/Exclusion: process.name != "backuptool" OR process.parent.name != "backuptool"

• Scenario: An IT admin is performing a system cleanup and uses a third-party tool like Malwarebytes or Bitdefender to scan for malware, which may flag PassCV as a known threat.
  Filter/Exclusion: process.name != "Malwarebytes" OR process.name != "Bitdefender"

• Scenario: A developer is using a static analysis tool like SonarQube or Checkmarx to analyze code for security vulnerabilities, and the tool mistakenly flags a legitimate file containing the string “PassCV” as malicious.
  Filter/Exclusion: process.name != "SonarQube" OR process.name != "Checkmarx"