Dipsind is a backdoor family attributed to the PLATINUM activity group, which uses it to keep long-term access to compromised Windows hosts and to stage data theft from them. The Microsoft rule below detects one Dipsind variant (internally named Placisc2) by four artifacts left in the unpacked binary. SOC teams should run it proactively over endpoint disk images, memory dumps and EDR file collections rather than waiting for an alert; any host that matches is a candidate for long-standing access and should be pivoted on in the SIEM (for example Microsoft Sentinel, formerly Azure Sentinel) for lateral movement and exfiltration activity. The rule says nothing about Azure resources themselves; it is a file- and memory-content signature.
YARA Rule
rule Trojan_Win32_Placisc2
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527"
        unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA }
        $str2 = "VPLRXZHTU"
        $str3 = "%d) Command:%s"
        $str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}
    condition:
        $str1 and $str2 and $str3 and $str4
}
The rule contains four string patterns, and all four must be present for it to fire. $str1 is a 24-byte x86 code sequence: an XOR decoding loop that selects a key byte with "and edx, 7" (an 8-byte key read from the stack at [esp+edx+0x24]) and applies it to each byte of a buffer until the counter reaches edi. $str2 is a fixed ASCII constant, $str3 is a printf-style format used when the implant lists its command table, and $str4 is the raw bytes of "\r\n-----\t------\r\n", a separator written into command output. Because the hash metadata refers to the unpacked sample, expect the rule to match unpacked or in-memory images rather than the packed file on disk.
It can be deployed in any context that scans raw content: with the yara command-line tool over a filesystem (yara -r rule.yar /path) or a memory dump, against a running process by PID (yara rule.yar <pid>), as a custom indicator in an EDR that supports YARA, or in a sandbox or triage pipeline that scans dropped and unpacked files.
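The following is an added example, not Microsoft's rule tooling and not code from the original page: it re-implements the four patterns and the all-of condition in plain Python so the rule's logic can be checked offline without yara-python, and it emulates what the $str1 loop computes. The SAMPLE_HIT and SAMPLE_MISS buffers are constructed for illustration and contain no real malware; the 8-byte key used with xor_decode is an arbitrary assumption.

```python
"""Stand-alone check of the Trojan_Win32_Placisc2 string logic (added example).
Parses the rule's hex and text strings into bytes, applies the rule's
'all four present' condition, and emulates the XOR loop matched by $str1.
"""

# The four strings exactly as they appear in the rule.
RULE_STRINGS = {
    "$str1": "{76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA}",
    "$str2": '"VPLRXZHTU"',
    "$str3": '"%d) Command:%s"',
    "$str4": "{0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}",
}


def parse_yara_string(spec: str) -> bytes:
    """Turn a YARA hex string ({..}) or quoted text string into raw bytes.
    Hex wildcards and jumps are not handled; this rule uses none."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        return bytes.fromhex(spec[1:-1].replace(" ", ""))
    if spec.startswith('"') and spec.endswith('"'):
        return spec[1:-1].encode("ascii")
    raise ValueError(f"unsupported string form: {spec}")


PATTERNS = {name: parse_yara_string(spec) for name, spec in RULE_STRINGS.items()}


def match_placisc2(buf: bytes) -> dict:
    """Offset of the first occurrence of each pattern, or -1 if absent."""
    return {name: buf.find(pat) for name, pat in PATTERNS.items()}


def rule_fires(buf: bytes) -> bool:
    """The rule's condition: $str1 and $str2 and $str3 and $str4."""
    return all(off >= 0 for off in match_placisc2(buf).values())


def scan_files(paths) -> list:
    """Apply the condition to whole files, returning the paths that match."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            if rule_fires(fh.read()):
                hits.append(path)
    return hits


def xor_decode(data: bytes, key8: bytes) -> bytes:
    """What the code in $str1 does: buf[i] ^= key[i & 7] for i in range(len).
    'and edx, 7' picks the key byte from an 8-byte key; 'cmp eax, edi / jb'
    loops until the counter reaches the buffer length. XOR is symmetric,
    so the same call encodes and decodes."""
    assert len(key8) == 8, "the loop indexes an 8-byte key"
    return bytes(b ^ key8[i & 7] for i, b in enumerate(data))


# Constructed samples (not real malware). SAMPLE_HIT carries all four
# patterns; SAMPLE_MISS has only the two text strings, so the rule must
# not fire on it even though it looks suspicious to a naive grep.
SAMPLE_HIT = (
    b"\x00" * 16
    + PATTERNS["$str1"]
    + b"\x90" * 8
    + b"VPLRXZHTU\x00"
    + b"%d) Command:%s\x00"
    + PATTERNS["$str4"]
    + b"\x00" * 16
)
SAMPLE_MISS = b"MZ" + b"\x00" * 32 + b"VPLRXZHTU\x00" + b"%d) Command:%s\x00"

if __name__ == "__main__":
    for label, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_MISS", SAMPLE_MISS)):
        print(label, rule_fires(buf), match_placisc2(buf))
    key = b"ABCDEFGH"  # assumed key, for demonstration only
    enc = xor_decode(b"cmd list", key)
    print("round trip ok:", xor_decode(enc, key) == b"cmd list")
```

Use this to sanity-check a suspected sample before loading the real rule into yara: if match_placisc2 shows $str2 and $str3 present but $str1 absent, you are probably looking at the packed file and should scan a memory dump or the unpacked image instead.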
False-positive tuning. The exclusions below are process-level filters for the tooling that triggers a scan (an EDR that scans files or memory on process-start events), not conditions inside the YARA rule; YARA itself matches content and knows nothing about process names. Two caveats apply to all of them: a process name is attacker-controlled, so key any exclusion on the binary's Authenticode signer or hash and its full installation path rather than on the image name alone; and never exclude a file that actually matches all four strings, because a signed backup or AV binary that contains this XOR loop, "VPLRXZHTU", the command format string and the separator is a finding, not noise.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude scan events generated by the Veeam service and job binaries (for example VeeamBackup.exe) when they run from the Veeam installation directory under the backup service account; validate the exact process names and command lines against your own baseline rather than a generic list.
Scenario: Windows Update installation via Group Policy
Filter/Exclusion: Exclude events where the process name is wuauclt.exe and the command line includes the documented switches /detectnow or /reportnow (Windows Update client switches use a forward slash, not --).
Scenario: Database maintenance task using SQL Server Agent
Filter/Exclusion: Exclude events from the SQL Server Agent service binary SQLAGENT.EXE running from the SQL Server instance directory. Note that sqlservr.exe is the database engine, not the Agent, and "-m" on sqlservr.exe is single-user mode, which is unusual outside recovery and should not be excluded.
Scenario: Log file rotation using Logrotate on Linux
Filter/Exclusion: Exclude events where the process name is logrotate and the command line includes /etc/logrotate.conf or /etc/logrotate.d/.
Scenario: Antivirus scan initiated by Windows Defender
Filter/Exclusion: Exclude scan events generated by the Defender engine service MsMpEng.exe and by on-demand scans launched as MpCmdRun.exe -Scan -ScanType 2 (full scan); MsMpEng.exe itself does not take a Scan argument on its command line.