Threat Group 3390 (TG-3390, also tracked as Emissary Panda) maintains command and control over compromised hosts and exfiltrates data through attacker-controlled infrastructure. The rule below, by Florian Roth, encodes that infrastructure as indicators: the C2 hostnames, IPv4 addresses and contact e-mail addresses from the referenced source, and it flags any PE file (executable or DLL) that embeds one of them. SOC teams can hunt for this in Azure Sentinel by scanning executables with the rule and by matching the same hostnames and addresses against DNS and proxy logs, so the intrusion is found and disrupted before significant damage is done.
YARA Rule
rule ThreatGroup3390_C2
{
    meta:
        description = "Threat Group 3390 APT - C2 Server"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 60
    strings:
        // C2 hostnames
        $s1 = "api.apigmail.com"
        $s2 = "apigmail.com"
        $s3 = "backup.darkhero.org"
        $s4 = "bel.updatawindows.com"
        $s5 = "binary.update-onlines.org"
        $s6 = "blackcmd.com"
        $s7 = "castle.blackcmd.com"
        $s8 = "ctcb.blackcmd.com"
        $s9 = "darkhero.org"
        $s10 = "dav.local-test.com"
        $s11 = "test.local-test.com"
        $s12 = "dev.local-test.com"
        $s13 = "ocean.local-test.com"
        $s14 = "ga.blackcmd.com"
        $s15 = "helpdesk.blackcmd.com"
        $s16 = "helpdesk.csc-na.com"
        $s17 = "helpdesk.hotmail-onlines.com"
        $s18 = "helpdesk.lnip.org"
        $s19 = "hotmail-onlines.com"
        $s20 = "jobs.hotmail-onlines.com"
        $s21 = "justufogame.com"
        $s22 = "lnip.org"
        $s23 = "local-test.com"
        $s24 = "login.hansoftupdate.com"
        $s25 = "long.update-onlines.org"
        $s26 = "longlong.update-onlines.org"
        $s27 = "longshadow.dyndns.org"
        $s28 = "longshadow.update-onlines.org"
        $s29 = "longykcai.update-onlines.org"
        $s30 = "lostself.update-onlines.org"
        $s31 = "mac.navydocument.com"
        $s32 = "mail.csc-na.com"
        $s33 = "mantech.updatawindows.com"
        $s34 = "micr0soft.org"
        $s35 = "microsoft-outlook.org"
        $s36 = "mtc.navydocument.com"
        $s37 = "navydocument.com"
        $s38 = "mtc.update-onlines.org"
        $s39 = "news.hotmail-onlines.com"
        $s40 = "oac.3322.org"
        $s41 = "ocean.apigmail.com"
        $s42 = "pchomeserver.com"
        $s43 = "registre.organiccrap.com"
        $s44 = "security.pomsys.org"
        $s45 = "services.darkhero.org"
        $s46 = "sgl.updatawindows.com"
        $s47 = "shadow.update-onlines.org"
        $s48 = "sonoco.blackcmd.com"
        $s49 = "test.logmastre.com"
        $s50 = "up.gtalklite.com"
        $s51 = "updatawindows.com"
        $s52 = "update-onlines.org"
        $s53 = "update.deepsoftupdate.com"
        $s54 = "update.hancominc.com"
        $s55 = "update.micr0soft.org"
        $s56 = "update.pchomeserver.com"
        $s57 = "urs.blackcmd.com"
        $s58 = "wang.darkhero.org"
        $s59 = "webs.local-test.com"
        $s60 = "word.apigmail.com"
        $s61 = "wordpress.blackcmd.com"
        $s62 = "working.blackcmd.com"
        $s63 = "working.darkhero.org"
        $s64 = "working.hotmail-onlines.com"
        $s65 = "www.trendmicro-update.org"
        $s66 = "www.update-onlines.org"
        $s67 = "x.apigmail.com"
        $s68 = "ykcai.update-onlines.org"
        $s69 = "ykcailostself.dyndns-free.com"
        $s70 = "ykcainobody.dyndns.org"
        $s71 = "zj.blackcmd.com"
        $s72 = "laxness-lab.com"
        $s73 = "google-ana1ytics.com"
        $s74 = "www.google-ana1ytics.com"
        $s75 = "ftp.google-ana1ytics.com"
        $s76 = "hotmailcontact.net"
        // C2 IPv4 addresses. These are plain substrings, so "72.11.148.220"
        // also matches inside a longer address such as "172.11.148.220".
        $s77 = "208.115.242.36"
        $s78 = "208.115.242.37"
        $s79 = "208.115.242.38"
        $s80 = "66.63.178.142"
        $s81 = "72.11.148.220"
        $s82 = "72.11.141.133"
        $s83 = "74.63.195.236"
        $s84 = "74.63.195.236"    // duplicate of $s83; harmless under "1 of them"
        $s85 = "74.63.195.237"
        $s86 = "74.63.195.238"
        $s87 = "103.24.0.142"
        $s88 = "103.24.1.54"
        $s89 = "106.187.45.162"
        $s90 = "192.151.236.138"
        $s91 = "192.161.61.19"
        $s92 = "192.161.61.20"
        $s93 = "192.161.61.22"
        $s94 = "103.24.1.54"    // duplicate of $s88
        $s95 = "67.215.232.179"
        $s96 = "96.44.177.195"
        $s97 = "49.143.192.221"
        $s98 = "67.215.232.181"
        $s99 = "67.215.232.182"
        $s100 = "96.44.182.243"
        $s101 = "96.44.182.245"
        $s102 = "96.44.182.246"
        $s103 = "49.143.205.30"
        // Contact e-mail addresses. They are obfuscated in this copy of the
        // rule and must be restored from the reference before deployment.
        $s104 = "[email protected]"
        $s105 = "[email protected]"
        $s106 = "[email protected]"
        $s107 = "[email protected]"
    condition:
        // MZ header (little-endian uint16 at offset 0) and any single indicator
        uint16(0) == 0x5a4d and 1 of them
}
This rule contains 107 string patterns in its detection logic: 76 hostnames ($s1 to $s76), 27 IPv4 addresses ($s77 to $s103) and 4 e-mail addresses ($s104 to $s107). Two of the addresses are listed twice ($s83/$s84 and $s88/$s94), and the four e-mail addresses appear here only in obfuscated form, so they must be restored from the referenced source before the rule is deployed. The condition uint16(0) == 0x5a4d and 1 of them restricts matches to files that begin with an MZ header, so the rule scans executables and DLLs, not documents, IOC spreadsheets or log files that merely list the indicators; one plain-string hit is enough. Because every string is a plain substring, an IPv4 indicator also matches inside a longer address (for example "72.11.148.220" inside "172.11.148.220"), which is worth keeping in mind during triage. The scenarios that follow describe benign activity that can produce a hit once the file match is joined, in Sentinel, with the process and user that wrote or executed the file; each exclusion suppresses the alert only when every listed field matches, and should be scoped to the hosts and time window of the documented activity.
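To make the condition concrete, here is an added example (plain Python, not yara-python, and not part of the original rule) that re-implements uint16(0) == 0x5a4d and 1 of them over a handful of the rule's indicators and runs it on constructed byte strings. It shows three things a practitioner wants to confirm before deploying the rule: a PE that embeds an indicator matches on a single string, a text file listing the same indicators does not (the MZ check gates everything), and an IPv4 indicator matches as a substring of a longer address. The sample buffers, the is_pe and matches helpers and the IOC subset are all constructed for the demonstration.

```python
"""Added example: a pure-Python re-implementation of the rule's condition
(uint16(0) == 0x5a4d and 1 of them) run over constructed sample buffers.
This is not yara-python and not part of the original rule."""
import struct

# Subset of the rule's $s strings (hostnames and IPv4 addresses), copied
# from the rule above; the full rule has 107 of them.
IOCS = [
    b"api.apigmail.com",
    b"update-onlines.org",
    b"google-ana1ytics.com",
    b"208.115.242.36",
    b"oac.3322.org",
    b"72.11.148.220",
]

MZ = 0x5A4D  # little-endian uint16 at offset 0 of a PE file, i.e. the bytes "MZ"


def is_pe(data: bytes) -> bool:
    """Mirror of `uint16(0) == 0x5a4d`: YARA reads uint16 little-endian."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ


def matches(data: bytes, iocs=IOCS):
    """Return the indicator strings found, or [] if the condition fails.

    `1 of them` means any single string suffices, but the MZ check comes
    first, so a text file full of indicators never matches. Strings are
    plain substrings, exactly as in the rule.
    """
    if not is_pe(data):
        return []
    return [s.decode() for s in iocs if s in data]


# Constructed samples (not real malware, not from the page):
PE_WITH_C2 = b"MZ" + b"\x90" * 60 + b"http://api.apigmail.com/upload\x00" + b"\x00" * 100
PE_CLEAN = b"MZ" + b"\x90" * 60 + b"http://update.microsoft.com\x00"
IOC_TEXT = b"indicator,type\napi.apigmail.com,domain\n208.115.242.36,ip\n"  # CSV of IOCs
PE_NEAR_MISS = b"MZ" + b"\x00" * 60 + b"beacon=172.11.148.220:443\x00"  # different IP


def demo():
    """Evaluate every constructed sample; returns name -> list of hits."""
    return {
        "pe_with_c2": matches(PE_WITH_C2),   # one hostname hit is enough
        "pe_clean": matches(PE_CLEAN),       # PE without indicators
        "ioc_csv": matches(IOC_TEXT),        # indicators present, no MZ header
        "pe_near_miss": matches(PE_NEAR_MISS),  # substring hit on a longer IP
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'MATCH ' + str(hits) if hits else 'no match'}")
```

The pe_near_miss case is the one to remember at triage time: a plain-string IPv4 indicator has no boundary, so a hit on "72.11.148.220" deserves a look at the surrounding bytes before the host is declared compromised.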
Scenario: Legitimate scheduled job using Cobalt Strike Beacon
Description: A system administrator runs Cobalt Strike Beacon from a scheduled task as part of an authorised red team exercise or penetration test to simulate C2 activity.
Filter/Exclusion (suppress only when all three hold, and only for the hosts and dates of the engagement): process.name == "cobaltstrike.exe" AND process.parent.name == "svchost.exe" (the Task Scheduler service host) AND user.name == "admin"
Scenario: Microsoft Defender ATP scheduled scan using PowerShell
Description: A scheduled task runs a PowerShell script that uses Get-ChildItem or Invoke-Command to sweep the file system for malicious files. A compiled scanning tool that embeds the same indicator list can itself trigger the rule. The parent of a scheduled task is the Task Scheduler service host (svchost.exe), not msdtc.exe, which is the Distributed Transaction Coordinator.
Filter/Exclusion (suppress only when all hold): process.name == "powershell.exe" AND process.parent.name == "svchost.exe" AND (command_line contains "Scan" OR command_line contains "Check")
Scenario: Admin using Mimikatz for credential dumping during incident response
Description: A security analyst runs Mimikatz to extract credentials from memory during an incident response investigation. An exclusion keyed on process name and user is trivial for an attacker to satisfy by renaming a binary, so pair it with the hash of the approved tool and remove it when the investigation ends.
Filter/Exclusion (suppress only when all hold, time-boxed to the investigation): process.name == "mimikatz.exe" AND user.name == "security_admin" AND (command_line contains "sekurlsa" OR command_line contains "dump")
Scenario: Legitimate C2 server used by internal development team
Description: A development team operates a private C2 server (custom-built or an internal tool) for testing and internal communication, and its client binary embeds the server's hostnames.
Filter/Exclusion (suppress only when all hold): ip.src in 10.0.0.0/8 AND process.name == "custom_c2_tool.exe" AND user.name == "dev_team"
Scenario: System update using PowerShell with scheduled task
Description: A scheduled task runs a PowerShell script to apply system updates, which may include downloading and executing scripts from a trusted internal repository.
Filter/Exclusion: `process.name != “powershell.exe