The detection identifies potential command-and-control communication associated with the Trojan Buzus/Softpulse malware, which may indicate that an adversary is exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate advanced persistent threats that leverage this malware.
YARA Rule
rule Win32_Buzus_Softpulse
{
    meta:
        description = "Trojan Buzus / Softpulse"
        author = "Florian Roth"
        date = "2015-05-13"
        hash = "2f6df200e63a86768471399a74180466d2e99ea9"
        score = 75
    strings:
        $x1 = "pi4izd6vp0.com" fullword ascii
        $s1 = "SELECT * FROM Win32_Process" fullword wide
        $s4 = "CurrentVersion\\Uninstall\\avast" fullword wide
        $s5 = "Find_RepeatProcess" fullword ascii
        $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" fullword wide
        $s7 = "myapp.exe" fullword ascii
        $s14 = "/c ping -n 1 www.google" wide
    condition:
        uint16(0) == 0x5a4d and ( ( $x1 and 2 of ($s*) ) or all of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
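To show how the rule's condition is evaluated (the MZ header check, ascii versus wide strings, the fullword modifier, and the "$x1 and 2 of ($s*) or all of ($s*)" logic), here is an added Python re-implementation written for this page; it is not part of the original rule or of YARA itself, it approximates YARA's fullword semantics with regex lookarounds, and it runs only on constructed buffers, not real samples.

```python
import re

# String set copied from the Win32_Buzus_Softpulse rule: (name, text, encoding, fullword).
X_STRINGS = [("$x1", "pi4izd6vp0.com", "ascii", True)]
S_STRINGS = [
    ("$s1", "SELECT * FROM Win32_Process", "wide", True),
    ("$s4", "CurrentVersion\\Uninstall\\avast", "wide", True),
    ("$s5", "Find_RepeatProcess", "ascii", True),
    ("$s6", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\", "wide", True),
    ("$s7", "myapp.exe", "ascii", True),
    ("$s14", "/c ping -n 1 www.google", "wide", False),
]

def string_matches(data: bytes, text: str, enc: str, fullword: bool) -> bool:
    """Approximate one YARA string match: ascii vs wide (UTF-16LE) plus the fullword modifier."""
    pat = re.escape(text.encode("ascii") if enc == "ascii" else text.encode("utf-16-le"))
    if fullword:
        # fullword: no alphanumeric character directly before or after the match.
        # For wide strings the neighbouring character is a 2-byte unit (char, 0x00).
        alnum = rb"[A-Za-z0-9]" if enc == "ascii" else rb"[A-Za-z0-9]\x00"
        pat = rb"(?<!" + alnum + rb")" + pat + rb"(?!" + alnum + rb")"
    return re.search(pat, data) is not None

def evaluate(data: bytes):
    """Return (matched, names_of_matching_strings) following the rule's condition."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False, []  # uint16(0) == 0x5a4d, i.e. the "MZ" header, must hold first
    x_hits = [n for n, t, e, f in X_STRINGS if string_matches(data, t, e, f)]
    s_hits = [n for n, t, e, f in S_STRINGS if string_matches(data, t, e, f)]
    matched = (bool(x_hits) and len(s_hits) >= 2) or len(s_hits) == len(S_STRINGS)
    return matched, x_hits + s_hits

def build_sample(header=b"MZ", ascii_parts=(), wide_parts=()) -> bytes:
    """Constructed test buffer (not a real sample): header, padding, then the given strings."""
    buf = bytearray(header + b"\x90" * 62)
    for p in ascii_parts:
        buf += b"\x00" + p.encode("ascii") + b"\x00"
    for p in wide_parts:
        buf += b"\x00\x00" + p.encode("utf-16-le") + b"\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    hit = build_sample(ascii_parts=["pi4izd6vp0.com", "Find_RepeatProcess"],
                       wide_parts=["SELECT * FROM Win32_Process"])
    print(evaluate(hit))   # (True, ['$x1', '$s1', '$s5'])
    # Same strings, but the domain is glued to other text, so fullword rejects $x1.
    miss = build_sample(ascii_parts=["pi4izd6vp0.comx", "Find_RepeatProcess"],
                        wide_parts=["SELECT * FROM Win32_Process"])
    print(evaluate(miss))  # (False, ['$s1', '$s5'])
```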
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics the behavior of the Trojan Buzus / Softpulse, such as downloading or executing files.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or Windows Update by checking the task name or command line arguments.
Scenario: Admin Performing Remote Code Execution (RCE)
Description: An administrator uses a legitimate remote management tool (e.g., PsExec, WinRM, or SSH) to execute commands on a remote system, which may trigger the detection logic.
Filter/Exclusion: Exclude activity from known admin tools by checking the process name or the source IP address against a list of trusted admin IPs or tools.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Microsoft Endpoint Configuration Manager (MECM) or Chocolatey downloads and executes payloads that resemble the behavior of the Trojan.
Filter/Exclusion: Exclude activity related to software update tools by checking the process name or the file path against known update directories or tools.
Scenario: Legitimate File Transfer via PowerShell
Description: A system administrator uses PowerShell to transfer files between systems, which may be flagged as suspicious due to the use of Invoke-Command or Invoke-WebRequest.
Filter/Exclusion: Exclude PowerShell scripts that are known to be part of legitimate file transfer or management tasks by checking the script path or the user context (e.g., Administrators group).
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender or Malwarebytes performs a scan that temporarily executes or downloads files, which may trigger the detection logic.
Filter/Exclusion: Exclude activity from known security tools