The hypothesis is that the detected sample is associated with Threat Group 3390’s PlugX NvSmartMax variant, which is used in advanced persistent threat campaigns for command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential APT activity before it leads to data exfiltration or system compromise.
YARA Rule
rule PlugX_NvSmartMax_Gen
{
    meta:
        description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 70
        hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
        hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
        hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
        hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
        hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
    strings:
        $s0 = "NvSmartMax.dll" fullword ascii
        $s1 = "NvSmartMax.dll.url" fullword ascii
        $s2 = "Nv.exe" fullword ascii
        $s4 = "CryptProtectMemory failed" fullword ascii
        $s5 = "CryptUnprotectMemory failed" fullword ascii
        $s7 = "r%.*s(%d)%s" fullword wide
        $s8 = " %s CRC " fullword wide
        $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */
        $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */
        $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
}
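To make the condition above concrete, here is an added example (not part of the original page and not Florian Roth's code) that re-implements the rule's logic in plain Python: the MZ header check via uint16(0), the 800KB size bound, the seven text strings with YARA's fullword semantics (a hit does not count if it is directly preceded or followed by an alphanumeric character, checked in 16-bit units for wide strings), and the "1 of ($op*)" opcode clause. The approximation of fullword and the test buffers built by build_sample() are constructed for illustration only; use the real yara-python bindings for production scanning.

```python
"""Re-implementation of the PlugX_NvSmartMax_Gen condition for study.

Added example; it mirrors the rule's clauses so an analyst can see exactly
which requirement a file fails. It is not a replacement for YARA itself.
"""
import struct

# Text strings from the rule (ascii, fullword)
ASCII_STRINGS = {
    "$s0": b"NvSmartMax.dll",
    "$s1": b"NvSmartMax.dll.url",
    "$s2": b"Nv.exe",
    "$s4": b"CryptProtectMemory failed",
    "$s5": b"CryptUnprotectMemory failed",
}
# Text strings from the rule (wide = UTF-16LE, fullword)
WIDE_STRINGS = {
    "$s7": "r%.*s(%d)%s".encode("utf-16-le"),
    "$s8": " %s CRC ".encode("utf-16-le"),
}
# Opcode sequences from the rule
OPCODES = {
    "$op0": bytes.fromhex("c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50"),
    "$op1": bytes.fromhex("8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8"),
    "$op2": bytes.fromhex("e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00"),
}
MAX_SIZE = 800 * 1024  # YARA's "KB" suffix means 1024 bytes


def _is_alnum(b: int) -> bool:
    """ASCII alphanumeric test on a single byte value."""
    return (48 <= b <= 57) or (65 <= b <= 90) or (97 <= b <= 122)


def _alnum_unit(unit: bytes, wide: bool) -> bool:
    """True if the neighbouring character (1 byte, or a UTF-16LE unit) is alphanumeric."""
    if len(unit) < (2 if wide else 1):
        return False  # at buffer boundary: nothing adjacent, so fullword is satisfied
    if wide:
        return unit[1] == 0 and _is_alnum(unit[0])
    return _is_alnum(unit[0])


def find_fullword(data: bytes, pattern: bytes, wide: bool) -> bool:
    """Search for pattern with YARA-style fullword semantics (approximation)."""
    unit = 2 if wide else 1
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return False
        before = data[i - unit:i] if i >= unit else b""
        after = data[i + len(pattern):i + len(pattern) + unit]
        if not _alnum_unit(before, wide) and not _alnum_unit(after, wide):
            return True
        start = i + 1  # this occurrence is embedded in a word; keep looking


def evaluate(data: bytes) -> dict:
    """Evaluate every clause of the rule and report which ones hold."""
    mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    s_hits = [n for n, p in ASCII_STRINGS.items() if find_fullword(data, p, False)]
    s_hits += [n for n, p in WIDE_STRINGS.items() if find_fullword(data, p, True)]
    op_hits = [n for n, p in OPCODES.items() if p in data]
    total_strings = len(ASCII_STRINGS) + len(WIDE_STRINGS)
    return {
        "mz": mz,
        "filesize_ok": size_ok,
        "strings": s_hits,          # "all of ($s*)" needs every one of these
        "opcodes": op_hits,         # "1 of ($op*)" needs at least one
        "match": mz and size_ok and len(s_hits) == total_strings and len(op_hits) >= 1,
    }


def build_sample(with_opcode: bool = True) -> bytes:
    """Constructed test buffer (not a real sample): MZ header, each rule string
    terminated by two NUL bytes so fullword holds for both ascii and wide, then
    optionally one opcode sequence."""
    parts = [b"MZ" + bytes(62)]
    for s in ASCII_STRINGS.values():
        parts.append(s + b"\x00\x00")
    for w in WIDE_STRINGS.values():
        parts.append(w + b"\x00\x00")
    if with_opcode:
        parts.append(OPCODES["$op1"])
    return b"".join(parts)


if __name__ == "__main__":
    for label, buf in (("full", build_sample()), ("no-opcode", build_sample(False))):
        print(label, evaluate(buf))
```

Running evaluate() on a file that does not match shows the failing clause directly (for instance every string present but no opcode hit, which the condition rejects), which is the question a triage analyst usually needs answered before deciding whether a near-miss deserves a follow-up.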
This rule contains 10 string patterns in its detection logic (seven text strings, $s0 to $s8, and three opcode sequences, $op0 to $op2). When the rule is deployed, the following benign scenarios may surface in the same Azure Sentinel data and can be filtered or excluded as described:
Scenario: Legitimate system update using Windows Update
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or svchost.exe with CommandLine including wuauclt.exe or Windows Update.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName containing veeambackup.exe or Veeam Backup & Replication in the ProcessDescription.
Scenario: Admin task involving PowerShell scripting for log management
Filter/Exclusion: Use ProcessName filter for powershell.exe and check for CommandLine containing log or eventlog in the command.
Scenario: Antivirus signature update using Microsoft Defender ATP
Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe or Windows Defender in the ProcessDescription.
Scenario: Network monitoring tool like Wireshark capturing traffic
Filter/Exclusion: Use ProcessName filter for wireshark.exe or check for CommandLine containing capture or tcpdump.