TidePool malware is being executed in the environment, leveraging suspicious process creation and network communication patterns associated with the Ke3chang report. SOC teams should proactively hunt for this behavior to identify and mitigate potential advanced persistent threats leveraging compromised Azure environments.
YARA Rule
rule TidePool_Malware
{
    meta:
        description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
        author = "Florian Roth"
        reference = "http://goo.gl/m2CXWR"
        date = "2016-05-24"
        hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
        hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
        hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
        hash4 = "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
        hash5 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
    strings:
        $x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" fullword ascii
        $x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" fullword wide
        $x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" fullword wide
        $x4 = "IEComDll.dat" fullword ascii
        $s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" fullword wide
        $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
        $s3 = "network.proxy.socks_port\", " fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) ) ) or ( 4 of them )
}
This rule contains 7 string patterns in its detection logic: four high-confidence $x strings (any one of them in an MZ/PE file smaller than 200KB fires the rule) and three supporting $s strings (any 4 of the 7 strings fire the rule regardless of file type or size).
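As an added example (not part of this page or of the signature-base project), the following standard-library Python re-implements the rule's string matching and condition in simplified form, so the effect of the wide and fullword modifiers and of the two condition branches can be observed on constructed byte samples; the samples are constructed, not real TidePool files, and the fullword handling is an approximation of YARA's, not the YARA engine.

```python
import re

# The seven patterns from the TidePool_Malware rule above, with their modifiers.
STRINGS = {
    "x1": ('Content-Disposition: form-data; name="m1.jpg"', "ascii"),
    "x2": ("C:\\PROGRA~2\\IEHelper\\mshtml.dll", "wide"),
    "x3": ("C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll", "wide"),
    "x4": ("IEComDll.dat", "ascii"),
    "s1": ("Content-Type: multipart/form-data; boundary=----=_Part_%x", "wide"),
    "s2": ("C:\\Windows\\System32\\rundll32.exe", "wide"),
    "s3": ('network.proxy.socks_port", ', "ascii"),
}

def fullword_regex(text: str, modifier: str) -> re.Pattern:
    """'wide' = UTF-16LE bytes; 'fullword' = no alphanumeric unit directly before or after.
    Simplified re-implementation of the YARA semantics (assumption), not the YARA engine."""
    if modifier == "wide":
        body = re.escape(text.encode("utf-16-le"))
        return re.compile(rb"(?<![A-Za-z0-9]\x00)" + body + rb"(?![A-Za-z0-9]\x00)")
    body = re.escape(text.encode("ascii"))
    return re.compile(rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])")

def matched_strings(data: bytes) -> set:
    return {name for name, (text, mod) in STRINGS.items() if fullword_regex(text, mod).search(data)}

def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) ) ) or ( 4 of them )"""
    hits = matched_strings(data)
    x_hits = {h for h in hits if h.startswith("x")}
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D   # "MZ"
    return (is_mz and len(data) < 200 * 1024 and len(x_hits) >= 1) or len(hits) >= 4

def wide(text: str) -> bytes:
    return text.encode("utf-16-le")

# Constructed samples (not real TidePool files).
# 1) MZ header plus one wide $x string: fires via the first branch of the condition.
SAMPLE_PE_DROPPER = b"MZ" + b"\x90" * 62 + wide("C:\\PROGRA~2\\IEHelper\\mshtml.dll") + b"\x00\x00"
# 2) No MZ header, but four of the seven strings: fires via "4 of them".
SAMPLE_NO_MZ = (b'POST /up HTTP/1.1\r\nContent-Disposition: form-data; name="m1.jpg"\r\n'
                + wide("Content-Type: multipart/form-data; boundary=----=_Part_%x") + b"\x00\x00"
                + wide("C:\\Windows\\System32\\rundll32.exe") + b"\x00\x00"
                + b'user_pref("network.proxy.socks_port", %d);\r\n')
# 3) MZ header, one common $s string, and "IEComDll.data": fullword rejects the $x4 hit
#    because the match is followed by the alphanumeric 'a', so the rule stays silent.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + wide("C:\\Windows\\System32\\rundll32.exe") + b"\x00\x00IEComDll.data\x00"

if __name__ == "__main__":
    for label, blob in [("pe_dropper", SAMPLE_PE_DROPPER), ("no_mz", SAMPLE_NO_MZ), ("benign", SAMPLE_BENIGN)]:
        print(label, sorted(matched_strings(blob)), rule_matches(blob))
```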
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses tidepool in its name, such as tidepool_cleanup.bat, as part of a routine system maintenance process.
Filter/Exclusion: Check for the presence of tidepool in the task name and exclude tasks that are known to be part of standard maintenance or cleanup routines (e.g., tidepool_cleanup, tidepool_backup).
Scenario: Admin User Running a Script for Log Analysis
Description: An admin user is executing a script named tidepool_analyze_logs.sh to parse and analyze system logs using a tool like logrotate or grep.
Filter/Exclusion: Filter events where the user is a known admin and the script is located in a standard admin directory (e.g., /opt/admin/scripts/), or exclude processes initiated by users with admin privileges.
Scenario: Automated Backup Job Using a Tool Like Veeam
Description: A backup job initiated by Veeam or another backup tool uses a temporary script or command that includes the word tidepool in its command line arguments.
Filter/Exclusion: Exclude processes that are part of backup workflows, such as those initiated by Veeam, or filter based on command-line arguments that match known backup-related patterns.
Scenario: Development Environment Testing
Description: A developer is testing a tool or script that uses tidepool as part of a test environment, such as a mock API or a test harness.
Filter/Exclusion: Exclude processes running in development environments (e.g., directories like /var/dev/, or users with development roles), or filter based on the presence of test-related keywords in the command line.
Scenario: Log Rotation or Monitoring Tool Using Tide