Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family Zegost
This threat is a backdoor from the Zegost malware family, providing an attacker with remote control over the compromised system. Technical indicators suggest it can spread to other machines, capture screenshots or keystrokes, and perform low-level disk operations, posing a significant risk of data theft and further network compromise.
Relevant strings associated with this threat: - svp7. (PEHSTR_EXT) - %s\admin$\hackshen.exe (PEHSTR_EXT) - [Print Screen] (PEHSTR_EXT) - \\.\PHYSICALDRIVE0 (PEHSTR_EXT)
rule Backdoor_MSIL_Zegost_GG_2147782760_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:MSIL/Zegost.GG!MTB"
threat_id = "2147782760"
type = "Backdoor"
platform = "MSIL: .NET intermediate language scripts"
family = "Zegost"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "28"
strings_accuracy = "High"
strings:
$x_10_1 = "svp7." ascii //weight: 10
$x_10_2 = "%s\\admin$\\hackshen.exe" ascii //weight: 10
$x_1_3 = "VMware" ascii //weight: 1
$x_1_4 = "[CLEAR]" ascii //weight: 1
$x_1_5 = "[Print Screen]" ascii //weight: 1
$x_1_6 = "angel" ascii //weight: 1
$x_1_7 = "xpuser" ascii //weight: 1
$x_1_8 = "McAfee" ascii //weight: 1
$x_1_9 = "BitDefender" ascii //weight: 1
$x_1_10 = "password" ascii //weight: 1
$x_1_11 = "\\\\.\\PHYSICALDRIVE0" ascii //weight: 1
$x_1_12 = "SeDebugPrivilege" ascii //weight: 1
condition:
(filesize < 20MB) and
(
((2 of ($x_10_*) and 8 of ($x_1_*))) or
(all of ($x*))
)
}243cd136b5aa42c20c048a1fccb215749c482519488f46b05130f5f7dc33583dImmediately isolate the affected host from the network to prevent lateral movement. Perform a full antivirus scan to remove the threat, then investigate for persistence mechanisms and signs of data exfiltration. Reset all user credentials that were used on the compromised machine.