
From Insight to Action: Building the PowerExchange Malware Sigma Rule

As the threat landscape continues to evolve, the need for precise and effective detection mechanisms becomes paramount. This article sheds light on the creation of a Sigma Rule tailored to identify the PowerExchange malware, a sophisticated backdoor known for its covert communication methods and elusive behaviors. By dissecting the unique traits of PowerExchange and distilling them into a comprehensive Sigma rule, we empower security professionals with a potent tool to counter this emerging cyber menace.

PowerExchange Malware: Behavior Breakdown

PowerExchange infection chain (FortiGuard Labs)

Before we dive into crafting an effective Sigma rule for detecting the PowerExchange malware, let’s thoroughly examine its operational behavior. Understanding its tactics for communication, evasion, and malicious actions is crucial in designing targeted detection mechanisms. The following behavior breakdown sheds light on the intricacies of PowerExchange’s approach, enabling us to create a rule that efficiently identifies its presence and activities within a network environment.

  1. Communication and C2:
    • PowerExchange uses the Exchange Web Services (EWS) API for communication.
    • It sends stolen information and receives base64-encoded commands.
    • Communication occurs via emails with text attachments.
    • The emails have the subject “Update Microsoft Edge.”
  2. C2 Blending:
    • PowerExchange employs the victim’s Exchange server for C2.
    • This approach makes the malware appear as benign traffic.
    • Network-based detection and remediation are evaded.
  3. Capabilities:
    • The malware acts as a backdoor.
    • Operators can execute commands on compromised servers.
    • Additional malicious payloads can be delivered.
    • Exfiltration of harvested files is possible.
  4. Additional Backdoors:
    • Researchers found other malicious implants during the investigation.
    • ExchangeLeech web shell was discovered as an example.
    • ExchangeLeech is disguised as a legitimate IIS file (System.Web.ServiceAuthentication.dll).
  5. ExchangeLeech Functionality:
    • ExchangeLeech collects usernames and passwords.
    • Targets compromised Exchange servers.
    • Monitors clear text HTTP traffic.
    • Captures credentials from webform data or HTTP headers.
    • Credential logs can be sent using cookie parameters.
  6. Attribution and Similarity:
    • FortiGuard Labs associates these attacks with APT34 (Oilrig), an Iranian state-backed group.
    • PowerExchange shares commonalities with TriFive, a previous APT34 malware.
    • Both are written in PowerShell and use periodic scheduled tasks.
    • C2 leverages the organization’s Exchange server via EWS API.
  7. Phishing and Initial Vector:
    • APT34 uses phishing emails to initiate infections.
    • Previous breaches of UAE entities have been attributed to APT34.

Creating a Sigma Rule for PowerExchange Malware

To effectively detect the PowerExchange malware and its associated behaviors, we can craft a Sigma rule that encompasses the unique characteristics and actions exhibited by this threat.

The following is a simple, consolidated Sigma rule for the PowerExchange malware:

title: Detection of PowerExchange Malware Activity
status: experimental
description: Detects potential PowerExchange malware activity based on observed behaviors.
tags:
  - malware
  - APT34
  - PowerExchange
logsource:
  product: email
  service: exchange
detection:
  # C2 emails carry this exact subject and travel between two mailboxes of the victim organisation
  selection_subject:
    subject: 'Update Microsoft Edge'
  selection_internal:
    from_email_address|endswith: '@example.com'   # placeholder: replace with your own mail domain
    to_email_address|endswith: '@example.com'
  # commands and stolen data travel as plain-text attachments
  selection_txt_attachment:
    attachment.name|endswith: '.txt'
    attachment.content_type: 'text/plain'
  # the ExchangeLeech web shell masquerades as this IIS DLL
  selection_exchangeleech:
    attachment.name: 'System.Web.ServiceAuthentication.dll'
    attachment.content_type: 'application/x-dosexec'
  condition: selection_subject and selection_internal and (selection_txt_attachment or selection_exchangeleech)
fields:
  - attachment.name
  - attachment.content_type
  - subject
  - from_email_address
  - to_email_address
falsepositives:
  - Benign Microsoft Edge updates
  - Legitimate use of Exchange Web Services
level: high
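As an added example (not code from the original article), here is a small Python matcher that applies the consolidated rule's logic to constructed message-trace records, so the selection and condition can be checked against sample data before the rule is deployed to a SIEM. The field names follow the rule above; ORG_DOMAIN, the sample records and the helper names are assumptions.

```python
# Added illustration: evaluate the consolidated PowerExchange rule against
# constructed Exchange message records (field names as in the rule above).
from fnmatch import fnmatch

ORG_DOMAIN = "example.com"  # assumption: placeholder for the organisation's own mail domain


def matches_powerexchange(event: dict) -> bool:
    """True when a record satisfies the rule: the C2 subject, both mailboxes
    internal, and either a plain-text attachment or the ExchangeLeech DLL name."""
    if event.get("subject") != "Update Microsoft Edge":
        return False
    sender = event.get("from_email_address", "").lower()
    recipient = event.get("to_email_address", "").lower()
    # PowerExchange blends into internal mail: both ends belong to the victim domain
    if not (sender.endswith("@" + ORG_DOMAIN) and recipient.endswith("@" + ORG_DOMAIN)):
        return False
    for att in event.get("attachments", []):
        name = att.get("name", "").lower()
        ctype = att.get("content_type", "")
        if fnmatch(name, "*.txt") and ctype == "text/plain":
            return True  # base64 commands / stolen data ride in .txt attachments
        if name == "system.web.serviceauthentication.dll" and ctype == "application/x-dosexec":
            return True  # ExchangeLeech web shell disguised as an IIS DLL
    return False


# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    {"subject": "Update Microsoft Edge", "from_email_address": "alice@example.com",
     "to_email_address": "bob@example.com",
     "attachments": [{"name": "cmd.txt", "content_type": "text/plain"}]},
    {"subject": "Update Microsoft Edge", "from_email_address": "it@vendor.test",
     "to_email_address": "bob@example.com",
     "attachments": [{"name": "notes.txt", "content_type": "text/plain"}]},
    {"subject": "Weekly report", "from_email_address": "alice@example.com",
     "to_email_address": "bob@example.com",
     "attachments": [{"name": "report.txt", "content_type": "text/plain"}]},
    {"subject": "Update Microsoft Edge", "from_email_address": "svc@example.com",
     "to_email_address": "ops@example.com",
     "attachments": [{"name": "System.Web.ServiceAuthentication.dll",
                      "content_type": "application/x-dosexec"}]},
]


def alerts(events) -> list:
    """Indexes of the records the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_powerexchange(ev)]


if __name__ == "__main__":
    print("alerting records:", alerts(SAMPLE_EVENTS))  # → [0, 3]
```

Records 1 and 2 show the two main false-positive guards: an external sender and a mismatched subject both fall through even with a .txt attachment.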

Here’s a more granular version covering all of the above behaviors of PowerExchange malware:

# Rule 1: Detection of C2 Communication via Email
title: Detection of PowerExchange C2 Communication
description: Detects emails with the subject and plain-text attachments indicative of PowerExchange C2 communication.
logsource:
  product: email
  service: exchange
detection:
  selection:
    Subject|contains: 'Update Microsoft Edge'
    AttachmentNames|endswith: '.txt'
  condition: selection
fields:
  - Subject
  - AttachmentNames
level: high
---
# Rule 2: Detection of Base64-Encoded Commands
title: Detection of PowerExchange Base64-Encoded Commands
description: Detects base64-encoded commands within attachments.
logsource:
  product: email
  service: exchange
detection:
  selection:
    AttachmentContents|contains: 'base64:'
  condition: selection
fields:
  - AttachmentContents
level: medium
---
# Rule 3: Detection of Exfiltration Behavior
title: Detection of PowerExchange Data Exfiltration
description: Detects unusual data transfers indicative of exfiltration.
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # Common ports for exfiltration; on its own this matches ordinary web traffic,
    # so scope it to the Exchange server and pair it with volume or destination context
    DestinationPort:
      - 80
      - 443
  condition: selection
fields:
  - DestinationPort
level: low
---
# Rule 4: Detection of Backdoor Presence
title: Detection of PowerExchange Backdoor
description: Detects the presence of ExchangeLeech or similar backdoors.
logsource:
  category: file_event
  product: windows
detection:
  selection:
    FileName|endswith: 'System.Web.ServiceAuthentication.dll'
  condition: selection
fields:
  - FileName
level: high

Which is Better and Why:

The decision of which approach is better depends on your specific goals, resources, and preferences:

  • If you prioritize granularity: The second set of rules offers more specific rules for distinct behaviors, allowing you to fine-tune and adjust individual rules for optimal detection accuracy. This could help in reducing false positives and improving the overall signal-to-noise ratio.
  • If you prioritize simplicity: The single Sigma rule above offers a consolidated approach, requiring less management and maintenance. It covers multiple behaviors in a single rule, which could help to quickly detect a wide range of PowerExchange-related activities.

Ultimately, the “better” approach depends on factors such as your organization’s resources, the existing security infrastructure, the level of control you want over rule tuning, and your preference for rule management. You might even consider a hybrid approach, starting with a consolidated Sigma rule and later refining it into more granular rules as you gather more data about the threat and its behavior within your network.

Implementing and Fine-Tuning Sigma Rules for PowerExchange Malware: Best Practices

  1. Behavior Analysis:
    • Understand PowerExchange’s Unique Traits: Study PowerExchange malware’s behavior, communication methods, and evasion techniques. This understanding is vital for crafting a rule that accurately identifies its activities.
  2. Customized Fields:
    • Leverage Email Attributes: Customize the Sigma rule to focus on specific email attributes, such as subject lines related to Microsoft Edge updates. This helps narrow down communication that might be indicative of C2 activity.
  3. Attachment Content Analysis:
    • Inspect Attachment Content: Analyze the contents of email attachments for indicators of base64-encoded commands. This can be a crucial component of the rule to detect malicious instructions being sent to the malware.
  4. Network Behavior:
    • Monitor Exfiltration Channels: Fine-tune the rule to watch for anomalous data transfers on the common exfiltration ports 80 and 443, where outbound traffic blends in. A port match alone is not a signal, so combine it with volume, destination, or source-host context to flag the potential exfiltration of sensitive information.
  5. Backdoor Detection:
    • Refine Backdoor Identification: Customize the rule to scrutinize specific filenames, like “System.Web.ServiceAuthentication.dll,” associated with backdoors like ExchangeLeech. This enhances the rule’s ability to identify PowerExchange’s presence.
  6. Threat Intelligence Integration:
    • Integrate PowerExchange IOCs: Continuously update the Sigma rule with the latest PowerExchange-related threat intelligence, including domains, IP addresses, and file hashes. This dynamic integration improves rule accuracy.
  7. Behavior Simulation:
    • Simulate PowerExchange Behaviors: Create controlled test scenarios to validate the rule’s response to PowerExchange-like behaviors. This ensures accurate detection without false positives.
  8. Collaboration and Community Input:
    • Engage with Peers: Collaborate with fellow security professionals to exchange insights on PowerExchange’s behavior and its potential variations. Community knowledge enhances rule development.
  9. Regular Threat Landscape Review:
    • Stay Current with PowerExchange Developments: Keep a close watch on PowerExchange’s evolving tactics, techniques, and procedures. Regularly update the rule to adapt to new behaviors.
  10. Adjusting Correlation:
    • Refine Correlation Mechanisms: Fine-tune the rule’s correlation parameters, such as email addresses or domains, based on threat actor attribution and observed patterns.

Conclusion

In the dynamic realm of cybersecurity, combating evolving threats like PowerExchange malware demands a strategic and proactive approach. By dissecting the distinct behaviors of PowerExchange and translating them into a tailored Sigma rule, security professionals gain a powerful tool to detect and mitigate this elusive menace. Whether you opt for a simpler consolidated rule or more granular ones, the key lies in a continuous cycle of observation, analysis, and refinement. The insights provided here serve as a foundation, empowering you to navigate the intricate landscape of malware detection with confidence.

Disclaimer: The Sigma rule provided in this article serves as a starting point for enhancing the detection of PowerExchange malware within a network environment. It is important to acknowledge that the threat landscape is dynamic, and the behavior of malware can evolve over time. While the Sigma rule aims to capture specific behaviors associated with PowerExchange, it may not comprehensively address all potential variants, evasion techniques, or novel attack vectors that could emerge.

Implementing the Sigma rule should be considered as a proactive measure to enhance detection capabilities, but it is not a guarantee of complete protection against PowerExchange or any other sophisticated malware. The efficacy of the rule may vary depending on factors such as the network configuration, the specific variant of the malware, and the evolving tactics of threat actors.

Security professionals are encouraged to use the Sigma rule as a foundation and continuously refine it based on real-world observations, threat intelligence, and the specific characteristics of their organization’s environment. Additionally, the rule should be part of a broader defense strategy that includes multiple layers of security controls, threat intelligence, regular updates, and user awareness to effectively mitigate the risks associated with emerging threats.

By leveraging this Sigma rule and continuously adapting it to the evolving threat landscape, organizations can strengthen their detection capabilities, reduce the attack surface, and enhance their overall cybersecurity posture.

Remember that no single rule can provide absolute security, and a multi-faceted approach remains essential to addressing the ever-changing challenges presented by advanced threats like PowerExchange malware.


