The Adupib SSL Backdoor detection rule identifies potential adversary use of a compromised SSL/TLS certificate to exfiltrate data or establish covert communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate long-term persistence and data exfiltration tactics that may evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Adupib
{
    meta:
        author = "Microsoft"
        description = "Adupib SSL Backdoor"
        original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"
        unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = "POLL_RATE"
        $str2 = "OP_TIME(end hour)"
        $str3 = "%d:TCP:*:Enabled"
        $str4 = "%s[PwFF_cfg%d]"
        $str5 = "Fake_GetDlgItemTextW: ***value***="

    condition:
        $str1 and $str2 and $str3 and $str4 and $str5
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic; its condition requires all five to be present in a file for a match. The scenarios below describe legitimate activity that may resemble the behavior described above, each with a suggested filter or exclusion:
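To make the five-string AND condition concrete, here is an added example (not part of the original page and not Microsoft's code) that re-implements the rule's matching logic in plain Python and runs it over two constructed byte blobs: one carrying all five strings and one carrying only two of them. YARA's own engine remains the authoritative matcher; this mirrors only the rule's plain-ASCII string matches and its `$str1 and ... and $str5` condition, and the sample blobs are synthetic filler, not real samples.

```python
"""Minimal re-implementation of the Trojan_Win32_Adupib condition.

Added example: it assumes nothing beyond the five string patterns and the
condition shown in the rule above. YARA text strings without the `wide`
modifier match ASCII by default, so the patterns are encoded as ASCII bytes.
"""

# The five string patterns copied from the rule.
ADUPIB_STRINGS = {
    "$str1": b"POLL_RATE",
    "$str2": b"OP_TIME(end hour)",
    "$str3": b"%d:TCP:*:Enabled",
    "$str4": b"%s[PwFF_cfg%d]",
    "$str5": b"Fake_GetDlgItemTextW: ***value***=",
}


def find_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every pattern present in data."""
    hits = {}
    for ident, pattern in ADUPIB_STRINGS.items():
        offsets = []
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            offsets.append(idx)
            start = idx + 1  # keep scanning so overlapping hits are not lost
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Mirror the rule condition: every one of the five strings must be found."""
    found = find_strings(data)
    return all(ident in found for ident in ADUPIB_STRINGS)


def scan_file(path: str) -> bool:
    """Convenience wrapper for a file on disk (e.g. an unpacked sample)."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed blobs, not real malware: filler bytes with the rule's strings
# embedded. The partial blob shows why the AND condition matters: a binary
# that merely contains "POLL_RATE" and "%d:TCP:*:Enabled" must not match.
FULL_SAMPLE = b"\x00" * 64 + b"\x00".join(ADUPIB_STRINGS.values()) + b"\xff" * 64
PARTIAL_SAMPLE = b"\x00" * 64 + b"POLL_RATE\x00%d:TCP:*:Enabled\x00" + b"\xff" * 64

if __name__ == "__main__":
    for name, blob in (("full", FULL_SAMPLE), ("partial", PARTIAL_SAMPLE)):
        hits = find_strings(blob)
        print(f"{name}: match={rule_matches(blob)} strings_found={sorted(hits)}")
```

Running the block prints `match=True` for the full blob and `match=False` for the partial one, with the identifiers found in each; `scan_file` applies the same check to a file path.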
Scenario: Legitimate SSL/TLS Certificate Renewal via Let's Encrypt
Description: A system administrator is using certbot to renew SSL certificates for a website.
Filter/Exclusion: Check for presence of certbot in the process name or command line, and filter by known certificate domains (e.g., example.com, *.example.com).

Scenario: Scheduled System Maintenance Task Using OpenSSL
Description: A scheduled job runs openssl to generate temporary keys for internal use during maintenance.
Filter/Exclusion: Filter by process name openssl and check for presence of --temp or --key flags, and exclude known maintenance scripts or cron jobs.

Scenario: Internal Tool for Secure Data Transfer
Description: An internal tool named secure_transfer.sh uses openssl s_client to securely transfer data between internal servers.
Filter/Exclusion: Filter by process name secure_transfer.sh and check for internal IP ranges or known internal hosts in the connection details.

Scenario: Admin Task to Test SSL Configuration
Description: A system admin is using openssl s_client -connect to test SSL configurations manually.
Filter/Exclusion: Filter by command line containing s_client and check for presence of -connect with internal or test hostnames.

Scenario: Automated Backup Using SCP with SSL Encryption
Description: A backup script uses scp with -o CipherAlgorithm=aes128-ctr to securely transfer backups.
Filter/Exclusion: Filter by process name scp and check for presence of -o CipherAlgorithm or -o KexAlgorithms flags indicating secure, legitimate encryption settings.