The hypothesis is that the detection identifies potential reconnaissance activity associated with the Symantec Waterbug attack, where an adversary may be using a legacy PDF-based trojan to establish initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration risks from outdated malware.
YARA Rule
rule WaterBug_wipbot_2013_core_PDF
{
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"

    strings:
        $PDF = "%PDF-"
        $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
        $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/

    condition:
        ($PDF at 0) and #a > 150 and #b > 200
}
This rule contains 3 string patterns in its detection logic: it requires the "%PDF-" magic at offset 0 and fires only when the two regular expressions $a and $b occur more than 150 and 200 times respectively in the file. Because the rule inspects file bytes rather than process activity, the process-name exclusions listed below apply to the telemetry that surfaces the match, not to the YARA condition itself. This YARA rule can be deployed in the following contexts:
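To make the counting logic concrete, the following is an added example (not Symantec's code and not part of the original page) that re-implements the rule's condition in Python over raw bytes and reports the intermediate counts. The sample inputs are constructed for illustration, not real Wipbot samples; the function name evaluate_wipbot_rule and the assumption that non-overlapping re.findall counts equal YARA's occurrence counts for these two patterns are mine.

```python
import re

# The rule's strings, transcribed as Python byte regexes.
# In YARA regexes a space is a literal space, so the spaces are kept verbatim.
PDF_MAGIC = b"%PDF-"
PATTERN_A = re.compile(rb"\+[A-Za-z]\. _ _ \$\+[A-Za-z]\. _ \$ _ \+")
PATTERN_B = re.compile(rb"\+[A-Za-z]\.\$\$\$ _ \+")

# Thresholds from the rule's condition: #a > 150 and #b > 200
THRESHOLD_A = 150
THRESHOLD_B = 200


def evaluate_wipbot_rule(data: bytes) -> dict:
    """Evaluate the rule's condition over a file's raw bytes.

    Returns the intermediate values so an analyst can see why a file did
    or did not match, not just the boolean.
    Assumption: re.findall (non-overlapping) equals YARA's occurrence count
    for these particular patterns, which cannot overlap with themselves.
    """
    header_ok = data.startswith(PDF_MAGIC)   # ($PDF at 0)
    count_a = len(PATTERN_A.findall(data))   # #a
    count_b = len(PATTERN_B.findall(data))   # #b
    return {
        "pdf_header_at_0": header_ok,
        "count_a": count_a,
        "count_b": count_b,
        "match": header_ok and count_a > THRESHOLD_A and count_b > THRESHOLD_B,
    }


# --- Constructed samples (not real malware), one per branch of the condition ---
# A single occurrence of each token pattern the rule counts.
ONE_A = b"+a. _ _ $+b. _ $ _ +"
ONE_B = b"+c.$$$ _ +"

# An ordinary PDF: header present, none of the repeated token patterns.
BENIGN_PDF = (
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# A PDF-looking file repeating the tokens often enough to cross both thresholds.
SYNTHETIC_HIT = b"%PDF-1.4\n" + ONE_A * 151 + ONE_B * 201

# Same content but the magic is not at offset 0: must NOT match.
SYNTHETIC_NO_HEADER = b"\n" + SYNTHETIC_HIT

# Header present but counts exactly at (not above) the thresholds: must NOT match.
SYNTHETIC_BELOW = b"%PDF-1.4\n" + ONE_A * 150 + ONE_B * 200


if __name__ == "__main__":
    for name, blob in [
        ("benign", BENIGN_PDF),
        ("synthetic_hit", SYNTHETIC_HIT),
        ("no_header", SYNTHETIC_NO_HEADER),
        ("below_threshold", SYNTHETIC_BELOW),
    ]:
        print(name, evaluate_wipbot_rule(blob))
```

The thresholds are strict (greater-than), so a file sitting exactly at 150 and 200 occurrences does not match; when tuning for false positives, lowering these counts widens the net and the intermediate counts returned here show how close a given benign PDF comes to firing.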
Scenario: Legitimate PDF Generation via Adobe Acrobat
Description: A user or automated process generates PDF files using Adobe Acrobat or Adobe Distiller, which may trigger the rule due to the presence of PDF-related processes.
Filter/Exclusion: process.name != "AcroRd32.exe" AND process.name != "Distiller.exe"
Scenario: Scheduled System Maintenance Job Using PDF Tools
Description: A scheduled task runs a script or tool (e.g., PDFtk, pdftk, or Ghostscript) to convert or manipulate PDF files as part of a system maintenance routine.
Filter/Exclusion: process.name != "pdftk" AND process.name != "gswin32c.exe"
Scenario: Admin Task Involving PDF Export from a Business Application
Description: An administrator exports reports or data from a business application (e.g., Microsoft Excel, SAP, or Oracle Reports) to PDF format, which may be flagged by the rule.
Filter/Exclusion: process.name != "Excel.exe" AND process.name != "SAPGUI.exe"
Scenario: PDF Conversion via Ghostscript for Printing
Description: Ghostscript is used to convert PostScript files to PDF for printing or archiving, which may trigger the rule due to the presence of PDF processing.
Filter/Exclusion: process.name != "gswin32c.exe" AND process.name != "gsdll32.dll"
Scenario: PDF Viewer or Reader Activity
Description: A user opens or views PDF files using a legitimate PDF viewer (e.g., Adobe Reader, Foxit Reader, or SumatraPDF), which may be misidentified as malicious activity.
Filter/Exclusion: process.name != "AcroRd32.exe" AND process.name != "