The detection identifies potential lateral movement or data exfiltration behavior associated with the Symantec Waterbug attack, leveraging the Trojan.Wipbot 2014 Down.dll component. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate legacy threat actors using outdated malware components that may still persist in modern environments.
YARA Rule
rule WaterBug_wipbot_2013_dll
{
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        $string1 = "/%s?rank=%s"
        $string2 = "ModuleStart\x00ModuleStop\x00start"
        $string3 = "1156fd22-3443-4344-c4ffff"
        //read file... error..
        $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
    condition:
        2 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
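To make the rule's logic concrete, the following added example (written for this page, not Symantec's tooling or yara-python) re-implements only the subset of YARA the rule needs: decoding text strings with \xNN escapes into bytes, searching for them, and applying the "2 of them" condition. The three sample buffers are constructed for illustration and are not real Down.dll samples; the example also shows why $string4 is written with escapes, since it expands to "read file... error" followed by two null bytes.

```python
"""Minimal evaluator for the WaterBug_wipbot_2013_dll YARA rule.

Added example, not Symantec's code: it implements only plain text strings
with \\xNN and \\<char> escapes plus an "N of them" condition, so the rule can
be exercised offline without yara-python. Sample buffers are constructed.
"""
import re

# The four string patterns exactly as written in the rule body.
RULE_STRINGS = {
    "$string1": r"/%s?rank=%s",
    "$string2": r"ModuleStart\x00ModuleStop\x00start",
    "$string3": r"1156fd22-3443-4344-c4ffff",
    "$string4": r"read\x20file\x2E\x2E\x2E\x20error\x00\x00",
}
MIN_MATCHES = 2  # the rule's condition: "2 of them"

# Matches either a \xNN hex escape or a backslash followed by any single char.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")


def decode_yara_text(s: str) -> bytes:
    """Turn a YARA text string (with \\xNN, \\\\ and \\" escapes) into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))   # \xNN -> one byte
        else:
            out += m.group(2).encode("latin-1")  # \\ or \" -> the literal char
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


# Pre-decode every rule string once; this is what a YARA scan searches for.
PATTERNS = {name: decode_yara_text(v) for name, v in RULE_STRINGS.items()}


def matching_strings(data: bytes) -> list:
    """Return the identifiers of rule strings found in data, in rule order."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """Apply the condition: at least MIN_MATCHES of the strings are present."""
    return len(matching_strings(data)) >= MIN_MATCHES


# Constructed sample buffers (not real binaries).
BENIGN = b"MZ\x90\x00 an ordinary file that merely mentions rank=1 somewhere"
ONE_HIT = b"\x00\x00/%s?rank=%s\x00 padding"            # only $string1: no alert
TWO_HITS = (b"x ModuleStart\x00ModuleStop\x00start y "   # $string2
            b"read file... error\x00\x00 z")              # $string4: rule fires

if __name__ == "__main__":
    for label, buf in (("benign", BENIGN), ("one hit", ONE_HIT), ("two hits", TWO_HITS)):
        print(f"{label:9s} matched={matching_strings(buf)} fires={rule_matches(buf)}")
```

Running the block prints one line per buffer; only the buffer carrying two of the four strings fires, which is the behaviour a hunter should expect when triaging hits: a single string such as the format specifier "/%s?rank=%s" on its own is not enough for the rule to match.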
Scenario: Scheduled System Maintenance Task Using Down.dll
Description: A legitimate system maintenance task (e.g., schtasks.exe) may use the Down.dll file as part of a scheduled job for system updates or patching.
Filter/Exclusion: Check the command line arguments of the process to ensure it’s related to a known system maintenance task (e.g., schtasks /run or wuauclt.exe). Exclude processes with schtasks.exe or wuauclt.exe that are associated with Windows Update or system maintenance.
Scenario: Antivirus or Endpoint Protection Software Using Down.dll
Description: Some security software (e.g., Symantec Endpoint Protection, McAfee, or Kaspersky) may use the Down.dll file as part of its malware detection or analysis processes.
Filter/Exclusion: Exclude processes that belong to known endpoint protection vendors (e.g., MPSSVC.EXE, MPCONFIG.EXE, or KAVService.exe) or have a parent process from a trusted security vendor.
Scenario: PowerShell Script Downloading a Legitimate DLL
Description: A PowerShell script (e.g., powershell.exe) may download or execute a legitimate DLL (including Down.dll) from a trusted internal repository or CDN.
Filter/Exclusion: Filter processes where the parent process is powershell.exe and the command line includes a known internal repository URL or a trusted download source.
Scenario: Microsoft Office or Adobe Software Using Down.dll
Description: Some enterprise software (e.g., Microsoft Office or Adobe Acrobat) may use the Down.dll file as part of its internal components or plugins.
Filter/Exclusion: Exclude processes that are part of known Microsoft or Adobe applications (e.g., `EXCEL.EX