PassCV malware is likely being used by adversaries to execute arbitrary code and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats.
YARA Rule
rule PassCV_Sabre_Malware_5
{
    meta:
        description = "PassCV Malware mentioned in Cylance Report"
        author = "Florian Roth"
        reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
        date = "2016-10-20"
        hash1 = "03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5"
    strings:
        /* high-confidence strings: any one of them is enough on a PE file */
        $x1 = "ncircTMPg" fullword ascii
        $x2 = "~SHELL#" fullword ascii
        $x3 = "N.adobe.xm" fullword ascii

        /* supporting strings: all five must be present */
        $s1 = "NEL32.DLL" fullword ascii
        $s2 = "BitLocker.exe" fullword wide
        $s3 = "|xtplhd" fullword ascii /* reversed goodware string 'dhlptx|' */
        $s4 = "SERVICECORE" fullword wide
        $s5 = "SHARECONTROL" fullword wide
    condition:
        /* 'and' binds tighter than 'or', so this reads as
           (MZ header and filesize < 4000KB and 1 of $x) or (all of $s) */
        ( uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) or all of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic: three high-confidence indicators ($x1 to $x3), any one of which is sufficient on a PE file smaller than 4000KB, and five supporting strings ($s1 to $s5) that must all be present to match.
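To make the condition's precedence and the fullword/wide semantics concrete, here is an added Python re-implementation of this rule's logic (example code written for this page, not part of the signature-base project and not a substitute for running YARA). It approximates YARA's fullword check for ascii and UTF-16LE strings and evaluates the condition against three constructed byte blobs: a PE-like blob with one $x string, a non-PE blob carrying all $s strings, and a benign PE-like blob where "NEL32.DLL" appears only inside "KERNEL32.DLL".

```python
import re

# String definitions copied from rule PassCV_Sabre_Malware_5 on this page: (name, text, encoding)
X_STRINGS = [("$x1", "ncircTMPg", "ascii"), ("$x2", "~SHELL#", "ascii"), ("$x3", "N.adobe.xm", "ascii")]
S_STRINGS = [("$s1", "NEL32.DLL", "ascii"), ("$s2", "BitLocker.exe", "wide"), ("$s3", "|xtplhd", "ascii"),
             ("$s4", "SERVICECORE", "wide"), ("$s5", "SHARECONTROL", "wide")]

def _alnum_unit(data: bytes, pos: int, encoding: str) -> bool:
    """True if the character unit starting at byte offset pos is alphanumeric.
    'ascii' looks at one byte; 'wide' looks at a UTF-16LE code unit (alnum byte followed by 0x00)."""
    if pos < 0:
        return False
    unit = data[pos:pos + 1]
    if encoding == "ascii":
        return unit.isalnum()
    return unit.isalnum() and data[pos + 1:pos + 2] == b"\x00"

def fullword_match(data: bytes, text: str, encoding: str) -> bool:
    """Approximate YARA 'fullword ascii' / 'fullword wide': the string must not be
    immediately preceded or followed by an alphanumeric character of the same width."""
    width = 1 if encoding == "ascii" else 2
    needle = text.encode("ascii" if encoding == "ascii" else "utf-16-le")
    for m in re.finditer(re.escape(needle), data):
        if not _alnum_unit(data, m.start() - width, encoding) and not _alnum_unit(data, m.end(), encoding):
            return True
    return False

def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule condition over a blob and report which strings hit."""
    x_hits = [name for name, text, enc in X_STRINGS if fullword_match(data, text, enc)]
    s_hits = [name for name, text, enc in S_STRINGS if fullword_match(data, text, enc)]
    is_pe = data[:2] == b"MZ"           # uint16(0) == 0x5a4d (little-endian "MZ")
    small = len(data) < 4000 * 1024     # filesize < 4000KB
    # YARA's 'and' binds tighter than 'or', so the condition is
    #   (is_pe and small and 1 of ($x*))  or  (all of ($s*))
    # The MZ/size checks therefore do not gate the all-of-$s branch.
    matched = (is_pe and small and len(x_hits) >= 1) or len(s_hits) == len(S_STRINGS)
    return {"match": matched, "x": x_hits, "s": s_hits}

# Constructed samples (not real malware): strings are separated by two NUL bytes so fullword holds
SEP = b"\x00\x00"
SAMPLE_PE_ONE_X = b"MZ" + b"\x00" * 62 + SEP.join([b"This program", b"~SHELL#"]) + SEP
SAMPLE_NONPE_ALL_S = SEP.join([b"NEL32.DLL", "BitLocker.exe".encode("utf-16-le"), b"|xtplhd",
                               "SERVICECORE".encode("utf-16-le"), "SHARECONTROL".encode("utf-16-le")]) + SEP
SAMPLE_BENIGN_PE = b"MZ" + b"\x00" * 62 + b"KERNEL32.DLL" + SEP   # 'NEL32.DLL' is a substring, not a full word

if __name__ == "__main__":
    for label, blob in [("pe_one_x", SAMPLE_PE_ONE_X), ("nonpe_all_s", SAMPLE_NONPE_ALL_S),
                        ("benign_pe", SAMPLE_BENIGN_PE)]:
        print(label, evaluate_rule(blob))
```

The second sample shows why the all-of-$s branch deserves attention when tuning: it matches without the MZ header or size check, so non-PE files carrying those five strings will also fire.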
Scenario: A system administrator is running a scheduled job to update the Cylance endpoint protection software using the cyUpdate tool.
Filter/Exclusion: Exclude processes associated with cyUpdate or any process with Cylance in the command line or process name.

Scenario: An IT admin is manually checking system logs using the logman utility to troubleshoot a legitimate service issue.
Filter/Exclusion: Exclude processes initiated by logman or any process with logman in the command line.

Scenario: A backup job is executed using Veeam Backup & Replication to archive sensitive data, which triggers the rule as a false positive.
Filter/Exclusion: Exclude processes related to Veeam or any process with Veeam in the command line or process name.

Scenario: A system update is being performed via Windows Update or WSUS, which may include components flagged by the detection rule.
Filter/Exclusion: Exclude processes with wuau or wsus in the process name or command line.

Scenario: A security analyst is using the Process Explorer tool from Sysinternals to investigate a suspicious process, which may trigger the rule due to its association with Cylance.
Filter/Exclusion: Exclude processes with Process Explorer or procexp in the command line or process name.