The presence of a specific configuration file associated with RUAG APT malware indicates potential adversary persistence and command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they exfiltrate data or escalate within the network.
YARA Rule

rule RUAG_Bot_Config_File
{
    meta:
        description = "Detects a specific config file used by malware in RUAG APT case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60
    strings:
        $s1 = "[CONFIG]" ascii
        $s2 = "name = " ascii
        $s3 = "exe = cmd.exe" ascii
    condition:
        $s1 at 0 and $s2 and $s3 and filesize < 160
}
This rule contains 3 string patterns ($s1, $s2, $s3) in its detection logic; $s1 must appear at file offset 0 and the file must be smaller than 160 bytes.
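To test the rule's logic without a YARA engine, the following added Python example (not part of the original page or of Florian Roth's rule) re-implements the condition, including the "$s1 at 0" and filesize clauses, and walks a directory for small candidate files. The scan_tree helper and the sample buffers are constructed here and are assumptions, not real artefacts.

```python
import os
from typing import Iterator

# Strings and size threshold copied from the RUAG_Bot_Config_File rule.
MAX_SIZE = 160
S1 = b"[CONFIG]"
S2 = b"name = "
S3 = b"exe = cmd.exe"


def matches_ruag_bot_config(data: bytes) -> bool:
    """Rule condition: $s1 at 0 and $s2 and $s3 and filesize < 160."""
    return (
        len(data) < MAX_SIZE
        and data.startswith(S1)  # "$s1 at 0": must be the first bytes of the file
        and S2 in data
        and S3 in data
    )


def scan_tree(root: str) -> Iterator[str]:
    """Yield paths under root whose content matches; only small files are read."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) >= MAX_SIZE:
                    continue  # cheap pre-filter on the filesize clause
                with open(path, "rb") as fh:
                    data = fh.read(MAX_SIZE)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if matches_ruag_bot_config(data):
                yield path


# Constructed samples (not real malware artefacts) exercising each clause.
SAMPLE_HIT = b"[CONFIG]\r\nname = svc\r\nexe = cmd.exe\r\n"
SAMPLE_OFFSET = b"\r\n" + SAMPLE_HIT          # $s1 present but not at offset 0
SAMPLE_BIG = SAMPLE_HIT + b"#" * MAX_SIZE     # all strings present, filesize >= 160
SAMPLE_NO_EXE = b"[CONFIG]\r\nname = svc\r\nexe = notepad.exe\r\n"

if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("offset", SAMPLE_OFFSET),
                          ("big", SAMPLE_BIG), ("no_exe", SAMPLE_NO_EXE)]:
        print(label, matches_ruag_bot_config(sample))
```

Only the first sample should report True; the other three show why the offset and filesize clauses matter for keeping false positives low.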
Scenario: Legitimate scheduled job for system maintenance
Description: A system administrator uses a scheduled task to run a maintenance script that temporarily creates a file with a name similar to the malicious config file.
Filter/Exclusion: Exclude files created by scheduled tasks with known legitimate names or paths (e.g., C:\Windows\Temp\maintenance_config.json).
Scenario: Configuration backup by IT admin
Description: An IT administrator manually backs up configuration files as part of a routine backup process, which includes a file named similarly to the malicious config file.
Filter/Exclusion: Exclude files with timestamps matching known backup windows or files located in backup directories (e.g., C:\Backup\config_backup_20250405.json).
Scenario: Use of legitimate config file by a security tool
Description: A security tool like CrowdStrike Falcon or Microsoft Defender ATP uses a configuration file with a similar name to the malicious one for policy settings.
Filter/Exclusion: Exclude files located in known security tool directories (e.g., C:\Program Files\CrowdStrike\falcon\config.json) or files with known tool-specific extensions.
Scenario: Admin task for log rotation or file cleanup
Description: An admin uses a script or tool like LogParser or PowerShell to rotate or clean up log files, which may generate a config-like file temporarily.
Filter/Exclusion: Exclude files with temporary or log-related extensions (e.g., .tmp, .log, .bak) or files created within a specific time window during log maintenance.
Scenario: Use of a config file by a legitimate application
Description: A legitimate application such as Docker or Kubernetes may use a configuration file with a similar name to the malicious