The detection hypothesis is that this rule identifies potential activity of the FA malware variant associated with the Waterbug attack documented by Symantec, which may indicate adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before they escalate into more severe breaches.
YARA Rule
rule WaterBug_fa_malware
{
    meta:
        description = "Symantec Waterbug Attack - FA malware variant"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        $mz = "MZ"
        $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
        $string2 = "d:\\proj\\cn\\fa64\\"
        $string3 = "sengoku_Win32.sys\x00"
        $string4 = "rk_ntsystem.c"
        $string5 = "\\uroboros\\"
        $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
    condition:
        ($mz at 0) and (any of ($string*))
}
This YARA rule contains 7 string patterns ($mz plus $string1 through $string6) in its detection logic. When it is deployed, the following scenarios may produce false positives; each is paired with a suggested filter/exclusion. These are process-level exclusions applied where a match is surfaced as an alert, since the rule itself matches only file content.
Scenario: Scheduled system cleanup using Symantec Endpoint Protection (SEP)
Filter/Exclusion: process.name != "sep.exe" or process.parent.name != "sep.exe"
Scenario: Windows Task Scheduler job running a legitimate system maintenance script
Filter/Exclusion: process.name != "schtasks.exe" or process.args != "/create /xml"
Scenario: Microsoft System Center Configuration Manager (SCCM) performing software deployment
Filter/Exclusion: process.name != "ccmexec.exe" or process.parent.name != "ccmexec.exe"
Scenario: Windows Update service triggering a background update process
Filter/Exclusion: process.name != "wuauserv.exe" or process.parent.name != "svchost.exe"
Scenario: Microsoft Defender Antivirus performing a full system scan
Filter/Exclusion: process.name != "MsMpEng.exe" or process.parent.name != "svchost.exe"