Adversaries may use leftover garbage data from PDF exploits to stage the Wipbot dropper, indicating potential multi-stage malware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from the Symantec Waterbug attack.
YARA Rule
rule WaterBug_wipbot_2013_core
{
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        $mz = "MZ"
        $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00 }
        $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4 }
        $code3 = { 90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04 }
        $code4 = { 55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0 }
    condition:
        $mz at 0 and (($code1 or $code2) or ($code3 and $code4))
}
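To see how the rule's condition actually evaluates (the `$mz at 0` anchor, the `??` wildcard bytes in $code2 and $code3, and the fact that $code3 on its own is not enough), here is an added pure-Python re-implementation of the rule logic. It is example code written for this page, not Symantec's rule engine or any tooling from the original post; the hex patterns are copied from the rule above and the test buffers are constructed, so it runs offline without yara-python.

```python
"""Pure-Python evaluation of the WaterBug_wipbot_2013_core condition.

Added example, not part of the original page or of Symantec's tooling.
It mirrors the rule's hex strings (including `??` wildcard bytes) and its
condition so the matching logic can be exercised on in-memory buffers.
All sample buffers below are constructed for illustration.
"""
import re

# Hex strings copied from the YARA rule; "??" is a single wildcard byte.
HEX_PATTERNS = {
    "code1": "89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 "
             "89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00",
    "code2": "85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C "
             "89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4",
    "code3": "90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04",
    "code4": "55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0",
}


def hex_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex; '??' becomes '.' (any byte)."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_to_regex(h) for name, h in HEX_PATTERNS.items()}


def match_strings(data: bytes) -> dict:
    """Return the per-string booleans YARA would expose as $code1 .. $code4 and `$mz at 0`."""
    found = {name: pat.search(data) is not None for name, pat in COMPILED.items()}
    found["mz_at_0"] = data.startswith(b"MZ")  # `$mz at 0`: the header must be at offset 0
    return found


def rule_matches(data: bytes) -> bool:
    """Evaluate: $mz at 0 and (($code1 or $code2) or ($code3 and $code4))."""
    s = match_strings(data)
    return s["mz_at_0"] and ((s["code1"] or s["code2"]) or (s["code3"] and s["code4"]))


def build_sample(pattern_names, prefix: bytes = b"MZ") -> bytes:
    """Constructed buffer: a header, some filler, then the chosen patterns with
    wildcard positions filled by an arbitrary byte (0x41)."""
    body = bytearray(prefix + b"\x00" * 64)
    for name in pattern_names:
        for tok in HEX_PATTERNS[name].split():
            body.append(0x41 if tok == "??" else int(tok, 16))
        body.extend(b"\x00" * 16)
    return bytes(body)


if __name__ == "__main__":
    for names in (["code1"], ["code2"], ["code3"], ["code3", "code4"]):
        print(names, "->", rule_matches(build_sample(names)))
    print("code1 without MZ at offset 0 ->", rule_matches(build_sample(["code1"], prefix=b"PK")))
```

The `build_sample` helper only exists to exercise the condition; the point of running it is to confirm that a buffer carrying $code3 alone does not fire, that $code3 plus $code4 does, and that none of the code patterns matter unless "MZ" sits at offset 0, which is exactly what the rule's condition encodes.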
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Legitimate PDF file cleanup after a failed exploit attempt
Filter/Exclusion: process.name != "AdobeRd32.exe" OR file.name != "AdobeRd32.exe"
Description: A PDF file may be left behind during an attempted exploit, and the system may run AdobeRd32.exe to clean it up. This is a common behavior in some enterprise environments when handling corrupted or incomplete PDFs.
Scenario: Scheduled system cleanup task using Symantec Endpoint Protection (SEP)
Filter/Exclusion: process.name != "sep.exe" OR process.parent.name != "taskeng.exe"
Description: SEP may perform scheduled cleanup tasks that include scanning and removing temporary or malicious files. These tasks are legitimate and should not be flagged as part of a Waterbug attack.
Scenario: Admin task to remove leftover files from a failed software installation
Filter/Exclusion: process.name != "cmd.exe" OR file.name != "wipbot.exe"
Description: An administrator may manually remove leftover files from a failed installation, including files that resemble malware. This is a common practice and should not be flagged.
Scenario: Legitimate use of Adobe Reader to open a PDF with embedded malicious content (false positive)
Filter/Exclusion: file.name != "AdobeReader.exe" OR process.parent.name != "explorer.exe"
Description: In some cases, a PDF with embedded malicious content may be opened by Adobe Reader, leading to false positives. This can occur when the file is not properly sanitized or when the PDF is part of a legitimate document.
Scenario: Automated log file rotation or cleanup process using a script
Filter/Exclusion: process.name != "powershell.exe" OR file.name != "logrotate.ps1"
Description: