The detection identifies potential adversary activity associated with the Sphinx Moth threat group, specifically the use of the cudacrt.dll file, which may indicate malicious code execution or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats from advanced persistent threats leveraging compromised or malicious libraries.
YARA Rule
rule Sphinx_Moth_cudacrt
{
    meta:
        description = "sphinx moth threat group file cudacrt.dll"
        author = "Kudelski Security - Nagravision SA"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"
    strings:
        $s0 = "HPSSOEx.dll" fullword wide
        $s1 = "255.255.255.254" fullword wide
        $s2 = "SOFTWARE\\SsoAuth\\Service" fullword wide
        $op0 = { ff 15 5f de 00 00 48 8b f8 48 85 c0 75 0d 48 8b } /* Opcode */
        $op1 = { 45 33 c9 4c 8d 05 a7 07 00 00 33 d2 33 c9 ff 15 } /* Opcode */
        $op2 = { e8 7a 1c 00 00 83 f8 01 74 17 b9 03 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 243KB and all of ($s*) and 1 of ($op*)
}
This rule contains 6 string patterns in its detection logic: three UTF-16 text strings ($s0 to $s2), all of which must be present, and three opcode sequences ($op0 to $op2), of which at least one must match.
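To make the rule's matching semantics concrete, here is an added Python re-implementation of its condition (example code, not part of this page or of the Kudelski rule): it emulates uint16(0), filesize, the `fullword wide` boundary check and the raw opcode patterns against constructed buffers, including the case where a string sits inside a longer identifier and therefore fails `fullword`.

```python
# Added example (not from the page or the Kudelski rule): re-evaluates the
# Sphinx_Moth_cudacrt condition in pure Python on constructed buffers.
WIDE_STRINGS = ["HPSSOEx.dll", "255.255.255.254", "SOFTWARE\\SsoAuth\\Service"]  # $s0..$s2
OPCODES = [bytes.fromhex(h) for h in (        # $op0..$op2, copied from the rule
    "ff155fde0000488bf84885c0750d488b",
    "4533c94c8d05a707000033d233c9ff15",
    "e87a1c000083f8017417b903",
)]
MAX_FILESIZE = 243 * 1024  # YARA's `243KB`


def _wide_alnum(pair: bytes) -> bool:
    """True for a UTF-16LE code unit that is an ASCII letter or digit."""
    return len(pair) == 2 and pair[1] == 0 and pair[:1].isalnum()


def wide_fullword_present(data: bytes, s: str) -> bool:
    """Emulate `fullword wide`: a UTF-16LE match not adjoined by alphanumerics."""
    needle = s.encode("utf-16-le")
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        before = data[pos - 2:pos] if pos >= 2 else b""
        if not _wide_alnum(before) and not _wide_alnum(data[end:end + 2]):
            return True
        pos = data.find(needle, pos + 1)
    return False


def matches_sphinx_moth_cudacrt(data: bytes) -> bool:
    """Apply the rule's condition clause by clause."""
    if data[:2] != b"MZ":            # uint16(0) == 0x5a4d, i.e. little-endian "MZ"
        return False
    if len(data) >= MAX_FILESIZE:    # filesize < 243KB
        return False
    if not all(wide_fullword_present(data, s) for s in WIDE_STRINGS):  # all of ($s*)
        return False
    return any(op in data for op in OPCODES)  # 1 of ($op*)


def build_sample(prefix: str = "", wide: bool = True, opcode: bool = True) -> bytes:
    """Constructed buffer: fake MZ stub, the three strings (null-separated), one opcode."""
    enc = (lambda s: s.encode("utf-16-le")) if wide else (lambda s: s.encode())
    blob = b"MZ" + b"\x00" * 62 + b"\x00\x00".join(enc(prefix + s) for s in WIDE_STRINGS)
    return blob + b"\x00\x00" + (OPCODES[2] if opcode else b"")


if __name__ == "__main__":
    print("clean sample:", matches_sphinx_moth_cudacrt(build_sample()))            # True
    print("inside identifier:", matches_sphinx_moth_cudacrt(build_sample("x")))    # False
```

Feeding the same buffers to the real rule through yara-python (`yara.compile(source=...).match(data=...)`) is the quick way to confirm the emulation agrees with libyara.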
Scenario: Legitimate GPU Driver Update via Windows Update
Description: The cudacrt.dll file is a component of NVIDIA CUDA runtime, which is often included in GPU driver updates. Windows Update may deploy this file as part of a legitimate system update.
Filter/Exclusion: Check the file's integrity via its FileVersionInfo and digital signature to confirm it is signed by NVIDIA and matches known-good versions.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task (e.g., Task Scheduler job) may be configured to run maintenance scripts that temporarily use cudacrt.dll for GPU-related operations, such as rendering or data processing.
Filter/Exclusion: Filter by the process name or parent process, such as svchost.exe or taskhostw.exe, and check the task’s origin in the Task Scheduler.
Scenario: Admin Task Using CUDA for Data Processing
Description: A system administrator may use tools like NVIDIA Data Center GPU Hypervisor (DCGM) or CUDA-aware MPI (Message Passing Interface) for cluster management or scientific computing tasks.
Filter/Exclusion: Filter by the process name (e.g., dcgmi.exe, mpiexec.exe) and check the user context (e.g., admin account) and associated job scripts.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint security tools, such as Microsoft Defender ATP or CrowdStrike Falcon, may use CUDA-based components for threat detection or sandboxing.
Filter/Exclusion: Check the process parent or command line for known security tool names, and verify the file’s location (e.g., in the antivirus quarantine or system directory).
Scenario: Development Environment with CUDA Tools
Description: Developers may use CUDA Toolkit