PassCV malware is likely being used by adversaries to execute arbitrary code and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced threats leveraging this malware.
YARA Rule
rule PassCV_Sabre_Malware_Excalibur_1
{
    meta:
        description = "PassCV Malware mentioned in Cylance Report"
        author = "Florian Roth"
        reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
        date = "2016-10-20"
        hash1 = "21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb"
        hash2 = "02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70"
    strings:
        $x1 = "F:\\Excalibur\\Excalibur\\" ascii
        $x2 = "Excalibur\\bin\\Shell.pdb" ascii
        $x3 = "SaberSvc.exe" wide
        $s1 = "BBB.exe" fullword wide
        $s2 = "AAA.exe" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) or all of ($s*) ) or 3 of them
}
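To make the condition above concrete, here is an added example (not code from the original page or from the rule's author): a small pure-Python evaluator that mirrors the matching semantics of this one rule, so the precedence of the condition and the effect of the wide and fullword modifiers can be inspected and tested without a YARA install. The sample buffers and helper names are constructed for illustration.

```python
# Added example (not from the original page or the rule's author): a
# pure-Python evaluator for PassCV_Sabre_Malware_Excalibur_1 so the
# condition logic can be inspected without a YARA install. The sample
# buffers and helper names below are constructed for illustration.

ALNUM = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
MAX_SIZE = 2000 * 1024  # "filesize < 2000KB"; YARA's KB suffix means 1024 bytes

# The rule's five strings: (text, encoding, fullword). "wide" is UTF-16LE;
# "fullword" means the match may not be bordered by alphanumeric characters.
PATTERNS = {
    "$x1": (b"F:\\Excalibur\\Excalibur\\", "ascii", False),
    "$x2": (b"Excalibur\\bin\\Shell.pdb", "ascii", False),
    "$x3": (b"SaberSvc.exe", "wide", False),
    "$s1": (b"BBB.exe", "wide", True),
    "$s2": (b"AAA.exe", "wide", True),
}


def _encode(text, width):
    return text if width == "ascii" else text.decode("ascii").encode("utf-16-le")


def _is_alnum_char(data, pos, width):
    """True if the character starting at byte offset pos is alphanumeric in
    the given encoding (a wide character is one byte followed by 0x00)."""
    if pos < 0:
        return False
    if width == "ascii":
        return pos < len(data) and data[pos] in ALNUM
    return pos + 1 < len(data) and data[pos] in ALNUM and data[pos + 1] == 0


def _fullword_ok(data, start, end, width):
    step = 1 if width == "ascii" else 2
    return not _is_alnum_char(data, start - step, width) and not _is_alnum_char(data, end, width)


def find_matches(data):
    """Return {identifier: [offsets]} for every rule string present in data."""
    found = {}
    for name, (text, width, fullword) in PATTERNS.items():
        needle = _encode(text, width)
        offsets = []
        pos = data.find(needle)
        while pos != -1:
            if not fullword or _fullword_ok(data, pos, pos + len(needle), width):
                offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            found[name] = offsets
    return found


def rule_matches(data):
    """Evaluate the condition exactly as the rule states it:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) or all of ($s*) ) or 3 of them
    In YARA 'and' binds tighter than 'or', so this reads as
        (MZ and small and at least one $x)  or  (both $s)  or  (any 3 of the 5)."""
    found = find_matches(data)
    is_pe = data[:2] == b"MZ"  # uint16(0) is read little-endian, so 0x5a4d is "MZ"
    small = len(data) < MAX_SIZE
    x_hits = sum(1 for n in found if n.startswith("$x"))
    s_hits = sum(1 for n in found if n.startswith("$s"))
    return (is_pe and small and x_hits >= 1) or s_hits == 2 or len(found) >= 3


# Constructed sample inputs (not real malware), one per branch of the condition.
def sample_pe_with_pdb():
    """MZ-headed buffer carrying the $x2 PDB path: the first branch fires."""
    return b"MZ" + b"\x00" * 62 + b"Excalibur\\bin\\Shell.pdb\x00" + b"\x00" * 100


def sample_text_with_both_services():
    """Not a PE at all, but both wide fullword names are present: 'all of ($s*)' fires."""
    return b"config:" + "AAA.exe".encode("utf-16-le") + b"\x00\x00" + "BBB.exe".encode("utf-16-le")


def sample_benign():
    """MZ header plus 'NotAAA.exe' in UTF-16LE: the fullword modifier rejects $s2."""
    return b"MZ" + b"\x00" * 200 + "NotAAA.exe".encode("utf-16-le")


if __name__ == "__main__":
    for fn in (sample_pe_with_pdb, sample_text_with_both_services, sample_benign):
        print(f"{fn.__name__:32s} strings={find_matches(fn())} match={rule_matches(fn())}")
```

Two things the evaluator makes visible: the `all of ($s*)` and `3 of them` branches do not require an MZ header or a size limit, so the rule can fire on non-PE files (which is where the benign scenarios below come from), and `fullword` on a wide string checks the neighbouring UTF-16 characters, not just the neighbouring bytes. For anything beyond this one rule, use yara-python rather than re-implementing the matcher.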
This rule contains 5 string patterns in its detection logic. The following scenarios describe contexts in which it may match benign activity when deployed, each with a suggested filter or exclusion:
Scenario: A system administrator is running a scheduled job to update the Cylance endpoint protection software, which includes scanning for known malware signatures, including PassCV.
Filter/Exclusion: Exclude processes associated with the Cylance agent or scheduled tasks related to Cylance updates (e.g., CylanceAgent.exe, CylanceUpdateService.exe).
Scenario: A developer is using a static code analysis tool like SonarQube or Checkmarx to scan code for security vulnerabilities, and the tool mistakenly flags a benign string that resembles the PassCV malware signature.
Filter/Exclusion: Exclude processes related to static analysis tools (e.g., sonar-scanner.exe, checkmarx.exe) or filter based on the source code repository path.
Scenario: A database administrator is executing a SQL script that contains a string matching the PassCV malware signature, such as a placeholder or test data.
Filter/Exclusion: Exclude processes running from known database administration tools (e.g., sqlcmd.exe, mysql.exe) or filter based on the source IP or user account.
Scenario: A system is running a legitimate security tool like CrowdStrike Falcon or Microsoft Defender ATP, which includes a database of known malware signatures, including PassCV, during a routine scan.
Filter/Exclusion: Exclude processes associated with security tools (e.g., falcon.exe, MsDefender.exe) or filter based on the process name or parent process.
Scenario: A user is manually testing a malware analysis sandbox environment, and the environment includes a file or process that matches the PassCV signature as part of a controlled test.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., sandbox.exe, vmtoolsd.exe) or filter based on the presence of sandboxing
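The exclusions above share one shape: suppress a match when the scanning process, its parent, or the file path is attributable to a known tool. As an added example (not from the original page), the block below applies those filters to a batch of constructed YARA match events and separates the hits that still warrant analyst review from the ones explained by a listed scenario. The event fields, host names, file paths and the repository prefixes are assumptions; the process names come from the scenario list.

```python
# Added example, not from the original page: applies the process, parent and
# path exclusions from the scenarios above to constructed YARA match events.
# Event fields, host names, paths and REPO_PATH_PREFIXES are assumptions.
from dataclasses import dataclass

# Process names taken from the scenario list above, lower-cased for comparison.
EXCLUDED_PROCESSES = {
    "cylanceagent.exe", "cylanceupdateservice.exe",  # endpoint-protection updates
    "sonar-scanner.exe", "checkmarx.exe",            # static code analysis
    "sqlcmd.exe", "mysql.exe",                       # database administration
    "falcon.exe", "msdefender.exe",                  # other security tooling
    "sandbox.exe", "vmtoolsd.exe",                   # sandbox / VM tooling
}
# Assumed: source-code checkouts live under these prefixes (the repository path filter).
REPO_PATH_PREFIXES = ("d:\\repos\\", "c:\\src\\")


@dataclass(frozen=True)
class MatchEvent:
    host: str
    process: str            # image name of the process that touched the file
    parent: str             # image name of its parent process
    path: str               # file the rule matched on
    matched_strings: tuple  # YARA string identifiers that hit


def exclusion_reason(ev):
    """Return why an event is suppressed, or None if it should be kept.
    Both the process and its parent are checked so a scanner that spawns a
    helper child (java.exe under sonar-scanner.exe) is still recognised."""
    if ev.process.lower() in EXCLUDED_PROCESSES:
        return f"process {ev.process} is an allow-listed tool"
    if ev.parent.lower() in EXCLUDED_PROCESSES:
        return f"parent {ev.parent} is an allow-listed tool"
    # Design choice for this example: the repository filter only covers hits on
    # the $s strings; a hit on the $x build-path strings is always kept.
    in_repo = ev.path.lower().startswith(REPO_PATH_PREFIXES)
    if in_repo and not any(s.startswith("$x") for s in ev.matched_strings):
        return "match on $s strings only, inside a source repository"
    return None


def triage(events):
    """Split events into (kept, suppressed); suppressed holds (event, reason) pairs."""
    kept, suppressed = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason:
            suppressed.append((ev, reason))
        else:
            kept.append(ev)
    return kept, suppressed


# Constructed events: one per scenario plus one that nothing on the list explains.
SAMPLE_EVENTS = [
    MatchEvent("ws01", "CylanceUpdateService.exe", "services.exe",
               r"C:\ProgramData\Cylance\sigs.bin", ("$s1", "$s2")),
    MatchEvent("build01", "java.exe", "sonar-scanner.exe",
               r"D:\repos\game\src\Launcher.cs", ("$s1", "$s2")),
    MatchEvent("build02", "git.exe", "cmd.exe",
               r"D:\repos\game\test\fixtures.bin", ("$s1", "$s2")),
    MatchEvent("db01", "sqlcmd.exe", "cmd.exe",
               r"C:\scripts\seed_test_data.sql", ("$s1", "$s2")),
    MatchEvent("ws07", "SaberSvc.exe", "explorer.exe",
               r"C:\Users\bob\AppData\Local\Temp\svc.exe", ("$x2", "$x3")),
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS)
    for ev, reason in suppressed:
        print(f"suppress {ev.host:8s} {ev.path}: {reason}")
    for ev in kept:
        print(f"REVIEW   {ev.host:8s} {ev.path}: {ev.matched_strings}")
```

Keeping the reason string alongside each suppressed event matters more than the filtering itself: a Sentinel analytics rule or a SIEM exclusion that silently drops matches is hard to audit, whereas a recorded reason lets you count how often each scenario fires and notice when an exclusion is suppressing something it was never meant to cover.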