Adversaries associated with PLA Unit 78020 may use this malware to establish command-and-control channels or exfiltrate sensitive data from compromised systems. Proactively hunting for this behavior in Azure Sentinel helps identify potential long-term persistence and data theft activities by state-sponsored actors.
YARA Rule
rule Unit78020_Malware_Gen3
{
    meta:
        description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
        author = "Florian Roth"
        reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
        date = "2015-09-24"
        super_rule = 1
        hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
        hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
    strings:
        $x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
        $x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
        $x3 = "J:\\chong\\" ascii
        $s1 = "User-Agent: Netscape" fullword ascii
        $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
        $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
        $s4 = "J:\\chong\\nod\\Release\\SslMM.exe" fullword ascii
        $s5 = "MM.exe" fullword ascii
        $s6 = "network.proxy.ssl" fullword wide
        $s7 = "PeekNamePipe" fullword ascii
        $s8 = "Host: %ws:%d" fullword ascii
        $s9 = "GET %dHTTP/1.1" fullword ascii
        $s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occurred 6 times */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) ) or 4 of ($s*)
}
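To make the condition concrete, the following is an added Python re-implementation of this rule's string and condition logic; it is not the page's or the rule author's code, and in practice a real scanner such as yara-python would evaluate the rule. It transcribes the 13 strings, models the `wide` (UTF-16LE) and `fullword` modifiers (the fullword boundary check is a simplification of YARA's), and evaluates the condition against constructed byte buffers, including one that carries an $x string but exceeds the 300KB limit and one where a fullword boundary fails so only three $s strings count.

```python
# Each entry: (pattern, fullword, wide), transcribed from the rule above.
X_STRINGS = [
    (b"GET http://%ws:%d/%d%s%dHTTP/1.1", True, False),
    (b"POST http://%ws:%d/%d%s%dHTTP/1.1", True, False),
    (b"J:\\chong\\", False, False),
]
S_STRINGS = [
    (b"User-Agent: Netscape", True, False),
    (b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) "
     b"Gecko/20100719 Firefox/1.0.7", True, False),
    (b"Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders", True, True),
    (b"J:\\chong\\nod\\Release\\SslMM.exe", True, False),
    (b"MM.exe", True, False),
    (b"network.proxy.ssl", True, True),
    (b"PeekNamePipe", True, False),
    (b"Host: %ws:%d", True, False),
    (b"GET %dHTTP/1.1", True, False),
    (b"SCHANNEL.DLL", True, False),
]

def _is_alnum_char(chunk: bytes, width: int) -> bool:
    # ASCII alphanumeric for 1-byte text; alnum followed by NUL for UTF-16LE (wide) text.
    return len(chunk) == width and chunk[0:1].isalnum() and (width == 1 or chunk[1] == 0)

def string_matches(data: bytes, pattern: bytes, fullword: bool, wide: bool) -> bool:
    """True if the YARA string occurs in data. 'wide' searches the UTF-16LE form;
    'fullword' rejects occurrences touching an alphanumeric character on either side."""
    needle = pattern.decode("latin-1").encode("utf-16-le") if wide else pattern
    width = 2 if wide else 1
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - width:idx] if idx >= width else b""
        after = data[idx + len(needle):idx + len(needle) + width]
        if not fullword or not (_is_alnum_char(before, width) or _is_alnum_char(after, width)):
            return True
        start = idx + 1
    return False

def unit78020_gen3_matches(data: bytes) -> bool:
    """Evaluate the rule condition: (MZ header and filesize < 300KB and 1 of $x) or 4 of $s."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    x_hits = sum(string_matches(data, *s) for s in X_STRINGS)
    s_hits = sum(string_matches(data, *s) for s in S_STRINGS)
    return (is_mz and len(data) < 300 * 1024 and x_hits >= 1) or s_hits >= 4

# Constructed sample buffers (not real files) exercising each branch of the condition.
SAMPLE_PE_X = b"MZ" + b"\x00" * 64 + b"J:\\chong\\build\x00"                # small PE with $x3 (not fullword)
SAMPLE_WIDE_S = (b"\x00" * 8 + b"PeekNamePipe\x00MM.exe\x00SCHANNEL.DLL\x00\x00"
                 + "network.proxy.ssl".encode("utf-16-le") + b"\x00\x00")     # four $s strings, no MZ header
SAMPLE_BIG_PE = b"MZ" + b"\x00" * (300 * 1024) + b"J:\\chong\\"               # $x present but filesize >= 300KB
SAMPLE_NEAR_MISS = b"MZ" + b"XPeekNamePipe\x00MM.exe\x00SCHANNEL.DLL\x00Host: %ws:%d\x00"  # 'X' breaks fullword: 3 $s
```

Running `unit78020_gen3_matches` over the four buffers yields True, True, False, False, which shows that the size bound and the fullword boundary are part of the rule's logic, not just the string content.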
This rule contains 13 string patterns ($x1 to $x3 and $s1 to $s10) in its detection logic. When the rule is deployed, the following benign scenarios can resemble its detections; each comes with a suggested filter/exclusion:
Scenario: Legitimate system update using a tool associated with the group
Description: A system administrator is performing a routine update using a tool that matches the signature of a tool associated with PLA Unit 78020.
Filter/Exclusion: process.name != "update_tool.exe" or process.parent_process.name == "task scheduler"

Scenario: Scheduled job for log rotation or backup
Description: A scheduled task is running a log rotation or backup script that uses a tool or command line that resembles malicious activity.
Filter/Exclusion: process.name == "logrotate.exe" or process.parent_process.name == "schtasks.exe"

Scenario: Admin using Mimikatz for credential harvesting during a security audit
Description: A security administrator is using Mimikatz to extract credentials as part of a security audit or incident response.
Filter/Exclusion: process.name == "mimikatz.exe" and user.account == "security_admin"

Scenario: Network monitoring tool using a known IP range
Description: A network monitoring tool is using a known IP range associated with PLA Unit 78020 for legitimate traffic analysis.
Filter/Exclusion: ip.src == "192.168.1.0/24" or process.name == "network_monitor.exe"

Scenario: False positive from a third-party software component
Description: A third-party software component (e.g., a database tool or cloud service) is triggering the rule because it shares a hash or string with the malicious artifacts.
Filter/Exclusion: process.name == "third_party_tool.exe" or file.hash != "malicious_hash"