Signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Zusy
Trojan:Win32/Zusy.HNB!MTB is a sophisticated Windows Trojan detected via machine learning behavioral analysis. It utilizes various built-in Windows utilities (LOLBINs) like PowerShell, mshta, regsvr32, and rundll32 for execution and persistence, alongside capabilities for API hooking, data encoding, remote file operations, and scheduled tasks, aiming for system control and potential data exfiltration.
Relevant strings associated with this threat:
- /new/net_api (PEHSTR_EXT)
- powershell -Command (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Win32_Zusy_HNB_2147908515_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Zusy.HNB!MTB"
        threat_id = "2147908515"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Zusy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        // UTF-16LE "Chrome/121.0.0.0 Safari/537.36" (a browser User-Agent fragment), a NUL,
        // then "http://" followed by four dot-separated fields of up to 3 wide characters
        // each and a "/" (the shape of a dotted-decimal IP address URL)
        $x_1_1 = {00 43 00 68 00 72 00 6f 00 6d 00 65 00 2f 00 31 00 32 00 31 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 20 00 53 00 61 00 66 00 61 00 72 00 69 00 2f 00 35 00 33 00 37 00 2e 00 33 00 36 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 [0-6] 2e 00 [0-6] 2e 00 [0-6] 2e 00 [0-6] 2f 00} //weight: 1, accuracy: Low
        // UTF-16LE "%temp%", a short gap, the path format string "%s\%d%d.exe"
        // (an executable dropped under the temp directory), a NUL, then "Mozilla"
        $x_1_2 = {00 25 00 74 00 65 00 6d 00 70 00 25 [0-5] 25 00 73 00 5c 00 25 00 64 00 25 00 64 00 2e 00 65 00 78 00 65 00 00 00 4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00} //weight: 1, accuracy: Low
        // fixed ASCII marker string found in the sample
        $x_1_3 = "23t43f4ft23f423t43f4ft23f423t43f" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}

Associated hashes (SHA-256):
1bdbb46e7a4722311e5baefa1eb48cfca30581f1ee597a84b5b43e67f2f2470b
5b5e85f9aaddc637b944a78fe390c93d21fa4ffadd953dc7a9412b658d9b15f0

Immediately isolate the affected system to prevent further spread. Perform a full system scan with updated antivirus/EDR, investigate for persistence mechanisms (e.g., scheduled tasks, registry entries, startup items), and patch any vulnerable software. Implement strong access controls and user education to prevent similar infections.