Adversaries associated with Chinese APT PLA Unit 78020 may use generic malware tactics that lack specific indicators, making them difficult to detect through traditional means. Proactively hunting for these behaviors in Azure Sentinel helps identify potential advanced persistent threats before they cause significant damage.
YARA Rule
rule Unit78020_Malware_Gen2
{
    meta:
        description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
        author = "Florian Roth"
        reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
        date = "2015-09-24"
        super_rule = 1
        hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
        hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
        hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
    strings:
        $s0 = "-GetModuleFileNameExW" fullword ascii
        $s1 = "\\MSN Talk Start.lnk" fullword wide
        $s2 = ":SeDebugPrivilege" fullword wide
        $s3 = "WinMM Version 1.0" fullword wide
        $s4 = "dwError1 = %d" fullword ascii
        $s5 = "*Can't Get" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
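To make the condition line concrete, here is an added example (not part of this page, and not code by the rule's author) that re-implements the rule's logic in pure Python rather than calling YARA: the MZ check, the size guard, and the "fullword" / "wide" string modifiers. The `build_sample` buffer is constructed for the demonstration, and the fullword handling is an approximation of YARA's.

```python
# Added example: pure-Python re-implementation of the rule's condition, so the
# effect of 'fullword', 'wide', uint16(0) and filesize can be checked offline.
RULE_STRINGS = [  # copied from the rule above
    ("-GetModuleFileNameExW", "ascii"),
    ("\\MSN Talk Start.lnk", "wide"),
    (":SeDebugPrivilege", "wide"),
    ("WinMM Version 1.0", "wide"),
    ("dwError1 = %d", "ascii"),
    ("*Can't Get", "wide"),
]
MAX_SIZE = 1000 * 1024  # YARA's "1000KB"

def _encode(text: str, mod: str) -> bytes:
    # 'wide' in YARA means UTF-16LE; 'ascii' is the plain one-byte form
    return text.encode("utf-16-le" if mod == "wide" else "ascii")

def _alnum_unit(data: bytes, pos: int, step: int) -> bool:
    # True if the code unit at data[pos:pos+step] is an ASCII alphanumeric;
    # for wide (step=2) units the high byte must be zero. Out of range -> False.
    if pos < 0 or pos + step > len(data):
        return False
    unit = data[pos:pos + step]
    return unit[:1].isalnum() and not any(unit[1:])

def _fullword_hit(data: bytes, needle: bytes, step: int) -> bool:
    # Approximation of YARA 'fullword': at least one occurrence that is not
    # bordered by an alphanumeric character (checked in the same width).
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        if not _alnum_unit(data, start - step, step) and not _alnum_unit(data, end, step):
            return True
        start = data.find(needle, start + 1)
    return False

def matches_unit78020_gen2(data: bytes) -> bool:
    # condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them
    if data[:2] != b"MZ" or len(data) >= MAX_SIZE:  # 0x5a4d little-endian is "MZ"
        return False
    return all(_fullword_hit(data, _encode(t, m), 2 if m == "wide" else 1)
               for t, m in RULE_STRINGS)

def build_sample(drop_one: bool = False) -> bytes:
    # Constructed test buffer (not a real binary): MZ header padded to 64 bytes,
    # then the rule's strings in their encodings, each followed by two NUL bytes.
    body = [b"MZ" + b"\x00" * 62]
    for text, mod in RULE_STRINGS[:-1] if drop_one else RULE_STRINGS:
        body.append(_encode(text, mod) + b"\x00\x00")
    return b"".join(body)
```

Dropping any one string, removing the MZ header, or padding the buffer past 1000KB makes `matches_unit78020_gen2` return False, which is exactly why "all of them" rules of this kind are precise but brittle against minor variants.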
This rule contains 6 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Legitimate system update via Windows Update
Description: A Windows Update process may trigger the rule due to the presence of known artifacts associated with Unit 78020.
Filter/Exclusion: Filter by ProcessName = "wuauclt.exe" or ProcessName = "svchost.exe" with CommandLine containing "Windows Update" or "wuau".
Scenario: Scheduled backup job using Veeam Backup & Replication
Description: Veeam may execute processes that resemble malicious behavior, such as file encryption or data exfiltration, which could trigger the rule.
Filter/Exclusion: Filter by ProcessName = "vmbackup.exe" or ProcessName = "Veeam.Backup.Runner.exe" with ParentProcessName = "taskeng.exe".
Scenario: Admin task using PowerShell for log cleanup
Description: A PowerShell script run by an administrator to clean up event logs may contain commands that resemble malicious activity, such as Get-EventLog or Clear-EventLog.
Filter/Exclusion: Filter by ProcessName = "powershell.exe" with CommandLine containing "log cleanup" or "Clear-EventLog" and User = "Administrators".
Scenario: Antivirus scan using Microsoft Defender
Description: Microsoft Defender may perform deep scans that temporarily access system files, which could be flagged by the rule.
Filter/Exclusion: Filter by ProcessName = "MsMpEng.exe" or ProcessName = "Windows Defender Antivirus Service" with CommandLine containing "Scan" or "FullScan".
Scenario: Legitimate file encryption for compliance using Veracrypt
Description: Veracrypt may encrypt files as part of a compliance or data protection task, which could be mistaken for