The hypothesis is that the detection rule identifies potential execution of a Turla-related dropper associated with the Symantec Waterbug attack, which could indicate initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before it leads to deeper network infiltration.
YARA Rule
rule WaterBug_turla_dropper
{
    meta:
        description = "Symantec Waterbug Attack - Trojan Turla Dropper"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
        $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
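To show how the two hex strings and the "all of them" condition behave, here is an added Python example (not from the page or from Symantec) that converts each YARA hex pattern, including the `??` wildcards, into a bytes regex with the standard `re` module and scans constructed sample buffers; the buffers and the 0xAA filler for the wildcard bytes are assumptions made for the demonstration, and a real deployment would use yara-python or the yara CLI rather than this emulation.

```python
import re

# The two hex patterns from the WaterBug_turla_dropper YARA rule above.
RULE_STRINGS = {
    "$a": "0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34",
    "$b": "48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string (byte tokens plus '??' wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte (DOTALL below covers 0x0A)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, strings=RULE_STRINGS) -> dict:
    """Return {identifier: [match offsets]} for every pattern in the rule."""
    return {
        ident: [m.start() for m in hex_pattern_to_regex(pat).finditer(data)]
        for ident, pat in strings.items()
    }


def rule_matches(data: bytes) -> bool:
    """Emulate the rule's condition: 'all of them' means every string must hit."""
    return all(scan(data).values())


def sample_positive() -> bytes:
    """Constructed buffer holding both patterns; wildcard bytes filled with 0xAA."""
    a = bytes.fromhex(RULE_STRINGS["$a"].replace(" ", ""))
    b = bytes.fromhex(RULE_STRINGS["$b"].replace("??", "AA").replace(" ", ""))
    return b"\x00" * 16 + a + b"filler" + b  # $a at offset 16, $b at offset 54


def sample_partial() -> bytes:
    """Constructed buffer holding only $a; the rule must not fire on it."""
    return bytes.fromhex(RULE_STRINGS["$a"].replace(" ", "")) + b"\x00" * 8


if __name__ == "__main__":
    print(scan(sample_positive()), rule_matches(sample_positive()))
    print(scan(sample_partial()), rule_matches(sample_partial()))
```

The partial buffer shows why the condition matters: a hit on $a alone is not enough, so a scanner that reported per-string hits without evaluating the condition would over-alert.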
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is running a maintenance script that includes a file named waterbug.exe (common in enterprise environments for custom scripts).
Filter/Exclusion: Check the command line arguments and file path. Exclude tasks with schtasks.exe where the file path contains C:\Windows\System32\ or C:\Windows\SysWOW64\.
Scenario: Admin Tool Execution
Description: An administrator is using Process Explorer or Procmon (Sysinternals tools) to debug or monitor a process named waterbug.exe that is part of a legitimate application.
Filter/Exclusion: Exclude processes launched from C:\Sysinternals\ or C:\Program Files (x86)\Sysinternals\.
Scenario: Antivirus Quarantine Process
Description: Symantec Endpoint Protection is quarantining a file named waterbug.exe as part of its malware cleanup process.
Filter/Exclusion: Exclude processes where the parent process is Symantec Endpoint Protection or where the file path contains Quarantine\.
Scenario: Custom Script Execution
Description: A system administrator is running a custom PowerShell script named waterbug.ps1 that is used for log analysis or system health checks.
Filter/Exclusion: Exclude PowerShell scripts executed from C:\Scripts\ or where the script name contains waterbug but the parent process is powershell.exe with a known admin tool path.
Scenario: Software Deployment Tool
Description: A deployment tool like PDQ Deploy or Microsoft Endpoint Configuration Manager is deploying a package that includes a file named waterbug.exe as part of a legitimate application update.