The hypothesis is that an adversary is using a Flash-based exploit to deploy a Trojan Downloader, leveraging outdated or unpatched Flash plugins to gain initial access to the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from exploit-based malware that may evade traditional detection methods.
YARA Rule
rule TrojanDownloader {
    meta:
        description = "Trojan Downloader - Flash Exploit Feb15"
        author = "Florian Roth"
        reference = "http://goo.gl/wJ8V1I"
        date = "2015/02/11"
        hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
        score = 60
    strings:
        $x1 = "Hello World!" fullword ascii
        $x2 = "CONIN$" fullword ascii
        $s6 = "GetCommandLineA" fullword ascii
        $s7 = "ExitProcess" fullword ascii
        $s8 = "CreateFileA" fullword ascii
        $s5 = "SetConsoleMode" fullword ascii
        $s9 = "TerminateProcess" fullword ascii
        $s10 = "GetCurrentProcess" fullword ascii
        $s11 = "UnhandledExceptionFilter" fullword ascii
        $s3 = "user32.dll" fullword ascii
        $s16 = "GetEnvironmentStrings" fullword ascii
        $s2 = "GetLastActivePopup" fullword ascii
        $s17 = "GetFileType" fullword ascii
        $s19 = "HeapCreate" fullword ascii
        $s20 = "VirtualFree" fullword ascii
        $s21 = "WriteFile" fullword ascii
        $s22 = "GetOEMCP" fullword ascii
        $s23 = "VirtualAlloc" fullword ascii
        $s24 = "GetProcAddress" fullword ascii
        $s26 = "FlushFileBuffers" fullword ascii
        $s27 = "SetStdHandle" fullword ascii
        $s28 = "KERNEL32.dll" fullword ascii
    condition:
        $x1 and $x2 and ( all of ($s*) ) and filesize < 35000
}
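As an added example (not part of the original page or of the rule's author), the condition of the rule above re-implemented in plain Python over a constructed byte buffer, so the "fullword ascii" and "filesize" semantics can be checked without a YARA engine; the sample buffer and the helper names are assumptions made for the illustration.

```python
import re

# String patterns copied from the TrojanDownloader rule above.
X_STRINGS = {"x1": b"Hello World!", "x2": b"CONIN$"}
S_STRINGS = {
    "s2": b"GetLastActivePopup", "s3": b"user32.dll", "s5": b"SetConsoleMode",
    "s6": b"GetCommandLineA", "s7": b"ExitProcess", "s8": b"CreateFileA",
    "s9": b"TerminateProcess", "s10": b"GetCurrentProcess",
    "s11": b"UnhandledExceptionFilter", "s16": b"GetEnvironmentStrings",
    "s17": b"GetFileType", "s19": b"HeapCreate", "s20": b"VirtualFree",
    "s21": b"WriteFile", "s22": b"GetOEMCP", "s23": b"VirtualAlloc",
    "s24": b"GetProcAddress", "s26": b"FlushFileBuffers",
    "s27": b"SetStdHandle", "s28": b"KERNEL32.dll",
}
MAX_FILESIZE = 35000  # the rule's "filesize < 35000" bound


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword ascii': the pattern occurs and is not flanked by alphanumerics."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def evaluate(data: bytes) -> dict:
    """Mirror the condition: $x1 and $x2 and all of ($s*) and filesize < 35000."""
    x_hits = {k: fullword_match(data, v) for k, v in X_STRINGS.items()}
    s_hits = {k: fullword_match(data, v) for k, v in S_STRINGS.items()}
    matched = all(x_hits.values()) and all(s_hits.values()) and len(data) < MAX_FILESIZE
    missing = [k for k, v in {**x_hits, **s_hits}.items() if not v]
    return {"match": matched, "missing": missing, "filesize": len(data)}


def build_sample(omit=(), pad_to=0) -> bytes:
    """Constructed buffer: NUL-separated names like an import table (hypothetical sample)."""
    names = [v for k, v in {**X_STRINGS, **S_STRINGS}.items() if k not in omit]
    blob = b"\x00".join(names) + b"\x00"
    return blob + b"\x00" * max(0, pad_to - len(blob))


if __name__ == "__main__":
    print(evaluate(build_sample()))                  # all strings present, small file
    print(evaluate(build_sample(omit=("x2",))))      # CONIN$ missing, no match
    print(evaluate(build_sample(pad_to=MAX_FILESIZE)))  # too large, no match
```

Dropping any single $s string or reaching 35000 bytes defeats the rule, which is worth keeping in mind when triaging near-misses in Sentinel.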
This rule contains 22 string patterns in its detection logic.
Scenario: Scheduled Flash-based Reporting Job
Description: A legitimate scheduled job runs a Flash-based reporting tool that generates PDFs or exports data.
Filter/Exclusion: process.name != "flashplayer.exe" OR process.parent.name == "schtasks.exe" OR file.hash != "known_flash_reporting_tool_hash"
Scenario: Admin Uses Flash for Legacy Web Application
Description: An administrator accesses a legacy internal web application that requires Flash for functionality (e.g., old CRM or ERP system).
Filter/Exclusion: process.parent.name == "explorer.exe" AND process.name == "iexplore.exe" AND file.path contains "internal-legacy-app"
Scenario: Flash-based Training Module Execution
Description: A Flash-based training module is launched by an internal LMS (Learning Management System) for employee onboarding.
Filter/Exclusion: process.name contains "training-module" OR file.path contains "internal-training-lms"
Scenario: Flash Plugin Used for Embedded Video Playback
Description: A company uses Flash to embed internal training videos on an internal portal.
Filter/Exclusion: process.name == "chrome.exe" AND file.path contains "internal-training-portal" OR process.parent.name == "iexplore.exe"
Scenario: Flash Used for Legacy Data Migration Tool
Description: A legacy data migration tool uses Flash for user interface and data rendering during an internal migration.
Filter/Exclusion: file.name contains "migration-tool" OR process.parent.name == "task scheduler" OR file.hash != "known_migration_tool_hash"