The hunting hypothesis is that the config text file detected by this rule is used by the Cobra malware to establish persistence and execute malicious payloads, as in the RUAG case. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware attacks before they cause widespread damage.
YARA Rule
rule RUAG_Cobra_Config_File
{
    meta:
        description = "Detects a config text file used by malware Cobra in RUAG case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60
    strings:
        $h1 = "[NAME]" ascii
        $s1 = "object_id=" ascii
        $s2 = "[TIME]" ascii fullword
        $s3 = "lastconnect" ascii
        $s4 = "[CW_LOCAL]" ascii fullword
        $s5 = "system_pipe" ascii
        $s6 = "user_pipe" ascii
        $s7 = "[TRANSPORT]" ascii
        $s8 = "run_task_system" ascii
        $s9 = "[WORKDATA]" ascii
        $s10 = "address1" ascii
    condition:
        $h1 at 0 and 8 of ($s*) and filesize < 5KB
}
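To see how the condition behaves at its edges (the header pinned to offset 0, the fullword modifier on $s2 and $s4, the 8-of-10 threshold and the size bound), here is an added Python emulation of the rule's logic run over constructed sample files. It is not yara-python or the rule author's code, and the samples are constructed for illustration, not real Cobra artefacts.

```python
import re

# Strings transcribed from the rule above: (identifier, pattern, fullword modifier)
HEADER = b"[NAME]"                      # $h1, required "at 0"
S_STRINGS = [
    ("$s1", b"object_id=", False),
    ("$s2", b"[TIME]", True),
    ("$s3", b"lastconnect", False),
    ("$s4", b"[CW_LOCAL]", True),
    ("$s5", b"system_pipe", False),
    ("$s6", b"user_pipe", False),
    ("$s7", b"[TRANSPORT]", False),
    ("$s8", b"run_task_system", False),
    ("$s9", b"[WORKDATA]", False),
    ("$s10", b"address1", False),
]
MAX_SIZE = 5 * 1024                     # filesize < 5KB

def _fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': the match may not be preceded or followed by an alphanumeric byte."""
    for m in re.finditer(re.escape(pattern), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False

def matched_strings(data: bytes) -> list:
    """Return the identifiers of the $s* strings present in the data."""
    hits = []
    for ident, pattern, fullword in S_STRINGS:
        if (_fullword_match(data, pattern) if fullword else pattern in data):
            hits.append(ident)
    return hits

def rule_matches(data: bytes) -> bool:
    """condition: $h1 at 0 and 8 of ($s*) and filesize < 5KB"""
    return data.startswith(HEADER) and len(matched_strings(data)) >= 8 and len(data) < MAX_SIZE

# Constructed samples, not real artefacts. The first satisfies exactly 8 of ($s*).
SAMPLE_MATCH = (b"[NAME]\nobject_id=1\nlastconnect=0\n[TIME]\n[CW_LOCAL]\n"
                b"system_pipe=p\nuser_pipe=q\n[TRANSPORT]\naddress1=h\n")
SAMPLE_BOM = b"\xef\xbb\xbf" + SAMPLE_MATCH                         # $h1 no longer at offset 0
SAMPLE_GLUED = SAMPLE_MATCH.replace(b"\n[TIME]\n", b"\nx[TIME]\n")  # fullword fails, 7 of ($s*)
SAMPLE_BIG = SAMPLE_MATCH + b"#" * MAX_SIZE                         # exceeds the filesize bound

if __name__ == "__main__":
    for name, sample in [("match", SAMPLE_MATCH), ("bom", SAMPLE_BOM),
                         ("glued", SAMPLE_GLUED), ("big", SAMPLE_BIG)]:
        print(f"{name}: {rule_matches(sample)} {matched_strings(sample)}")
```

The BOM case is the one most often missed in practice: a UTF-8 signature or leading whitespace in front of "[NAME]" defeats the "at 0" anchor even though every content string is present.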
This rule contains 11 string patterns in its detection logic: the header $h1, which must appear at offset 0, and ten $s* strings, of which at least 8 must match in a file smaller than 5 KB. The following scenarios describe benign activity that could trigger the rule, each with a suggested filter or exclusion:
Scenario: A system administrator is manually editing the Cobra configuration file for legitimate system tuning.
Filter/Exclusion: Exclude files edited by known admin tools like Notepad++, vim, or nano with user accounts in the Administrators group.
Scenario: A scheduled job runs a script that generates a temporary config file for Cobra as part of a legitimate automation process.
Filter/Exclusion: Exclude files created by scheduled tasks with the Task Scheduler service or by scripts from known enterprise tools like PowerShell or Ansible.
Scenario: A developer is testing a configuration file for a legitimate application that uses Cobra as part of its internal tooling.
Filter/Exclusion: Exclude files with a .cfg or .conf extension created by development tools like Visual Studio, IntelliJ, or Eclipse.
Scenario: A backup process restores a configuration file that was previously used by Cobra in a test environment.
Filter/Exclusion: Exclude files restored by backup tools like Veeam, Commvault, or Veritas NetBackup with timestamps matching known backup windows.
Scenario: A security tool or SIEM configuration is generating a config file for Cobra as part of a legitimate monitoring setup.
Filter/Exclusion: Exclude files created by security tools like Splunk, ELK Stack, or Microsoft Sentinel with known configuration patterns.