PassCV is a malware family that the Cylance report referenced in the rule below ties to digitally signed samples targeting gaming companies; adversaries use it to execute arbitrary code and maintain persistence within a network. The rule does not describe that behaviour. It matches PE files that carry the names of the gaming-company code-signing certificates associated with the family, so it belongs wherever YARA can read files (endpoint YARA scanners, sandboxes, mail and web gateways, retro-hunts over a sample store). SOC teams should feed its hits into Azure Sentinel and correlate them with host and process telemetry to detect and mitigate compromise by the actors behind this malware.
YARA Rule
rule PassCV_Sabre_Malware_Signing_Cert
{
    meta:
        description = "PassCV Malware mentioned in Cylance Report"
        author = "Florian Roth"
        reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
        date = "2016-10-20"
        score = 50
        hash1 = "7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e"
    strings:
        // Subject names of the gaming-company code-signing certificates the report links to PassCV
        $s1 = "WOODTALE TECHNOLOGY INC" ascii
        $s2 = "Flyingbird Technology Limited" ascii
        $s3 = "Neoact Co., Ltd." ascii
        $s4 = "AmazGame Age Internet Technology Co., Ltd" ascii
        $s5 = "EMG Technology Limited" ascii
        $s6 = "Zemi Interactive Co., Ltd" ascii
        $s7 = "337 Technology Limited" ascii
        // The trailing "0" is the 0x30 tag of the DER element that follows the name inside the certificate
        $s8 = "Runewaker Entertainment0" fullword ascii
    condition:
        // PE magic "MZ" read little-endian, a size cap, and any single certificate name is enough to fire
        ( uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them )
}
Deployment and tuning notes
The rule is a static file signature, not a log query: it runs wherever YARA can open the file (endpoint YARA scanners, sandbox and gateway pipelines, retro-hunts over a sample repository), and only its hits reach the SIEM.
This rule contains 8 string patterns in its detection logic. Each is a company name taken from a code-signing certificate, and a single match on a PE file under 3000KB is enough to fire, so the rule identifies a signing identity rather than malicious behaviour. The score of 50 reflects that: a hit is an indicator to triage, not a verdict. Benign hits to expect and how to handle them:
Scenario: A legitimately signed game client, launcher or updater from one of the listed publishers is scanned, for example during a software rollout or a routine full-disk scan.
Handling: The certificate subject is present whether the file is the vendor's own release or a PassCV sample signed with the same abused key. Validate the Authenticode signature, compare the file hash with the vendor's published release, and allow-list by hash rather than by process name. A file whose signature fails validation or whose hash is unknown should be escalated.
Scenario: A PE file under 3000KB merely mentions one of the names as text, for instance in a partner list, licence text or localisation resource embedded in an installer.
Handling: Check the match offset that YARA reports. A hit inside the Authenticode certificate table (the PE security data directory) means the file claims to be signed by that publisher; a hit in a code, data or resource section is plain text and can be excluded after review.
Scenario: An analyst workstation or a threat-intelligence share holds samples collected for research, such as the file whose hash appears in the rule's meta.
Handling: Exclude the sample-store path or the handling account from production alerting, but keep the scan results available for hunting.
Scenario: An antivirus quarantine folder or a backup archive still holds a copy of a sample that was already detected.
Handling: Correlate the hit with the original detection so the duplicate is closed as known rather than investigated twice, and make sure a restore of that file from backup is blocked.
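The following is an added example, not code from the original page nor from Florian Roth's rule set: a pure-Python re-implementation of the rule's condition (MZ magic, size cap, the eight strings with YARA's fullword semantics for $s8) plus the triage step for its hits, namely whether each match lies inside the PE's Authenticode certificate table or elsewhere in the file. The helper names (rule_matches, security_directory, triage, build_sample) are this example's own, and the two PE samples it scans are constructed minimal PE32 images, not real binaries. With yara-python installed the same hits come from yara.compile(source=...).match(data=...); the point here is the offset check that YARA alone does not do.

```python
import struct

# The rule's eight strings; only $s8 is declared fullword in the rule
RULE_STRINGS = [
    (b"WOODTALE TECHNOLOGY INC", False),
    (b"Flyingbird Technology Limited", False),
    (b"Neoact Co., Ltd.", False),
    (b"AmazGame Age Internet Technology Co., Ltd", False),
    (b"EMG Technology Limited", False),
    (b"Zemi Interactive Co., Ltd", False),
    (b"337 Technology Limited", False),
    (b"Runewaker Entertainment0", True),
]
MAX_FILESIZE = 3000 * 1024          # YARA's "3000KB" (KB means 1024 bytes)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode certificate table


def find_all(data: bytes, s: bytes, fullword: bool) -> list[int]:
    """Offsets of s in data, applying YARA's fullword rule (no ASCII alphanumeric
    byte directly before or after the match) when requested."""
    hits, start = [], 0
    while (off := data.find(s, start)) != -1:
        start = off + 1
        end = off + len(s)
        before = data[off - 1:off]   # empty slice when off == 0
        after = data[end:end + 1]
        if fullword and (before.isalnum() or after.isalnum()):
            continue
        hits.append(off)
    return hits


def rule_matches(data: bytes) -> list[tuple[str, int]]:
    """Replicates the rule's condition: uint16(0) == 0x5a4d, filesize < 3000KB,
    and at least one string. Returns (string, offset) pairs, empty if it would not fire."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return []
    if len(data) >= MAX_FILESIZE:
        return []
    return [(s.decode("ascii"), off)
            for s, fullword in RULE_STRINGS
            for off in find_all(data, s, fullword)]


def security_directory(data: bytes):
    """(file_offset, size) of the PE's certificate table, or None. Unlike the
    other data directories, this entry holds a raw file offset, not an RVA."""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                       # skip signature (4) + COFF header (20)
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                        # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                      # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        return None
    if off == 0 or size == 0 or off + size > len(data):
        return None
    return off, size


def triage(data: bytes) -> list[dict]:
    """Rule hits enriched with whether each match lies inside the certificate
    table (consistent with a signature from that publisher) or elsewhere."""
    sec = security_directory(data)
    return [{"string": s, "offset": off,
             "in_cert_table": sec is not None and sec[0] <= off < sec[0] + sec[1]}
            for s, off in rule_matches(data)]


def build_sample(name: bytes, signed: bool) -> bytes:
    """Constructed minimal PE32 for this example, not a real binary: DOS stub,
    COFF header, PE32 optional header with 16 data directories, then either a
    fake certificate table carrying name as a DER PrintableString or a plain
    text blob that merely mentions the name."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)       # i386, 0 sections, 224-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    body_off = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    if signed:
        der = b"\x13" + bytes([len(name)]) + name + b"\x30\x82\x01\x0a"  # name, then next SEQUENCE tag
        body = struct.pack("<IHH", 8 + len(der), 0x0200, 0x0002) + der   # WIN_CERTIFICATE header
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, body_off, len(body))
    else:
        body = b"Thanks to our partners: " + name + b" and others.\0"
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + body


if __name__ == "__main__":
    for label, blob in [("signed by a listed publisher", build_sample(b"Runewaker Entertainment", True)),
                        ("name only in plain text", build_sample(b"Zemi Interactive Co., Ltd", False)),
                        ("not a PE file", b"PK\x03\x04WOODTALE TECHNOLOGY INC")]:
        print(f"{label}: {triage(blob)}")
```

The first sample fires with the hit inside the certificate table, which is the case that needs signature validation and a hash comparison against the vendor's release; the second fires with the hit in a plain data blob and no certificate table at all, which is the text-mention false positive; the third is not a PE and never reaches the string checks. The size cap is applied exactly as YARA does (1 KB = 1024 bytes), so padding any matching sample to 3000KB or more silences the rule.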