The hypothesis is that the detection of the RUAG_Cobra_Malware YARA rule indicates the presence of a sophisticated adversary leveraging Carbon/Cobra malware to execute malicious payloads and establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could lead to data exfiltration or system compromise.
YARA Rule
rule RUAG_Cobra_Malware
{
    meta:
        description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60
    strings:
        $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
    condition:
        uint16(0) == 0x5a4d and $s1
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic, and it only fires on files that also begin with the MZ (0x5a4d) header of a Windows executable.
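To show exactly what the condition matches, here is an added Python re-implementation of the rule's logic (not the page's or YARA's own code) run over constructed byte samples; it demonstrates that the `uint16(0) == 0x5a4d` check excludes non-PE artifacts such as a log line that merely quotes the PDB path, which is relevant when judging the exclusion scenarios below.

```python
import struct
from typing import Dict, Optional

# The rule's single string as raw bytes. The YARA source escapes the
# backslashes; these are the bytes actually searched for in the file.
COBRA_PDB = rb"\Cobra\Release\Cobra.pdb"

def uint16(data: bytes, offset: int) -> Optional[int]:
    """Mirror YARA's uint16(offset): little-endian 16-bit read, None if out of range."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]

def ruag_cobra_matches(data: bytes) -> bool:
    """Evaluate the RUAG_Cobra_Malware condition: uint16(0) == 0x5a4d and $s1.
    0x5a4d is the little-endian reading of the bytes b"MZ"."""
    return uint16(data, 0) == 0x5A4D and COBRA_PDB in data

# Constructed samples (synthetic, not real malware): a minimal PE-like buffer
# carrying the PDB path, the same path quoted in a text log line, a PE-like
# buffer without the path, and an empty file.
SAMPLES: Dict[str, bytes] = {
    "pe_with_pdb": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16 + COBRA_PDB + b"\x00",
    "log_line_with_pdb": b"2024-01-01 scanner: found string " + COBRA_PDB + b"\n",
    "pe_without_pdb": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32,
    "empty": b"",
}

def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Apply the rule to every sample and report which ones match."""
    return {name: ruag_cobra_matches(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Only the PE-like buffer that carries the PDB path matches; the log line with the identical string does not, so text-based false positives from log tooling are already excluded by the header check.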
Scenario: A system administrator is using Carbon Copy Cloner (a legitimate macOS backup tool) to create scheduled backups.
Filter/Exclusion: Check for the presence of the legitimate tool’s binary (cccl) in the process name or command line arguments.
Scenario: A scheduled system maintenance job runs a script that temporarily creates files matching the YARA signature due to similar naming or structure.
Filter/Exclusion: Filter out processes associated with system maintenance tasks (e.g., launchd, cron, or specific job names like system_cleanup.sh).
Scenario: A software development team is using Cobra (a Go-based tool for building CLI applications) to develop a new tool.
Filter/Exclusion: Exclude processes related to the development environment (e.g., go build, cobra CLI, or user accounts associated with the development team).
Scenario: A Windows Update or patching task temporarily creates files with names similar to the malware due to temporary file naming conventions.
Filter/Exclusion: Exclude processes related to Windows Update (wuauclt.exe) or patching tools, and filter by file creation timestamps near scheduled update windows.
Scenario: A log management tool like ELK Stack or Splunk is processing logs and generating temporary files that match the YARA signature.
Filter/Exclusion: Filter out processes related to log management tools (e.g., splunkd, logstash, or kibana) and check for file paths in log directories.