The Sosano backdoor emerged in late 2024 as a stealthy malware strain. It was used in a highly targeted campaign against organizations in critical sectors, including aviation, satellite communications, and transportation infrastructure.

What sets the Sosano backdoor apart is its use of polyglot files – a rare and sophisticated technique that allows malware to masquerade as multiple file formats. This makes detection and analysis significantly more challenging. Attackers behind this campaign also employed compromised email accounts and spear-phishing tactics to gain access to their victims, demonstrating a well-planned and highly deceptive strategy.

The threat actors initiated their campaign by compromising an email account of an Indian electronics company, INDIC EMS Electronics, which had established trust with the targeted organizations. They sent phishing emails containing URLs that directed recipients to a counterfeit domain resembling the legitimate INDIC EMS Electronics website. This domain hosted a ZIP archive that appeared to contain standard files but was designed to deploy the Sosano backdoor.

In this blog post, we illustrate how organizations can detect activities and malicious behaviors associated with the Sosano backdoor malware on infected Windows endpoints.

Sosano backdoor behaviour

The ZIP archive named OrderList.zip includes three files: an XLS file that is an LNK file disguised with a double extension, and two PDF files that serve as polyglots. The first PDF has an HTA file appended to it, while the second PDF contains an embedded ZIP archive.

Upon execution, the below activities were discovered:

  • The LNK file launches cmd.exe and uses mshta.exe to execute the first PDF/HTA polyglot file.
  • The mshta.exe process scans the file beyond the PDF section until it locates the HTA header, then executes the content from that point onward.
  • It creates a file 14s.pdf in the C:\Windows\Tasks\ directory which contains the same contents as the second PDF file.
  • The malware extracts the executable and the URL file from the second PDF file.
  • The executable searches for files named sosano.jpg and hyper.jpg within the extracted file.
  • The malware loads Hyper-Info.exe from the second PDF file.
  • The HTA writes a URL file HKU\Software\Microsoft\Windows\CurrentVersion\Run\MyUrlFile to the registry runkey for persistence.
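The polyglot trick above works because a PDF reader stops at the last %%EOF while mshta.exe skips ahead until it finds HTA markup, and a ZIP parser locates its central directory from the end of the file. The following triage helper is an added example, not code from the original post or from Wazuh: it flags a PDF that carries trailing HTA markup or a parseable ZIP archive. The sample PDF, HTA snippet and archive member names are constructed here for illustration.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
# Markup that mshta.exe acts on once it reaches it; matched case-insensitively.
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")


def classify_pdf_polyglot(data: bytes) -> dict:
    """Heuristic triage of a PDF that may carry a trailing HTA or a ZIP archive."""
    result = {"is_pdf": data.startswith(PDF_MAGIC), "trailing_bytes": 0,
              "hta_offset": None, "zip_members": []}
    if not result["is_pdf"]:
        return result
    # A PDF reader stops at the last %%EOF; anything after it is dead weight
    # for the PDF but live content for mshta.exe, which scans ahead to the HTA.
    eof = data.rfind(PDF_EOF)
    end = eof + len(PDF_EOF) if eof != -1 else len(data)
    tail = data[end:]
    result["trailing_bytes"] = len(tail.strip())   # a lone trailing newline is normal
    lowered = tail.lower()
    hits = [pos for pos in (lowered.find(m) for m in HTA_MARKERS) if pos != -1]
    if hits:
        result["hta_offset"] = end + min(hits)
    # zipfile locates the central directory from the end of the buffer, so a ZIP
    # glued behind a PDF (prepended data) is still parsed as a valid archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["zip_members"] = zf.namelist()
    return result


def verdict(data: bytes) -> str:
    r = classify_pdf_polyglot(data)
    if r["hta_offset"] is not None:
        return "pdf+hta polyglot"
    if r["zip_members"]:
        return "pdf+zip polyglot"
    return "plain pdf" if r["is_pdf"] else "not a pdf"


# Constructed samples (not the real campaign files): a minimal PDF with an HTA
# appended, and the same PDF with a small ZIP appended.
MINIMAL_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
               b"trailer<</Root 1 0 R>>\n%%EOF\n")
HTA_PAYLOAD = b"<html><hta:application id=\"demo\"/><script>/* placeholder */</script></html>"


def build_pdf_zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sosano.jpg", b"placeholder")      # member names echo the campaign
        zf.writestr("Hyper-Info.exe", b"placeholder")
    return MINIMAL_PDF + buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("pdf+hta", MINIMAL_PDF + HTA_PAYLOAD),
                       ("pdf+zip", build_pdf_zip_sample()),
                       ("plain", MINIMAL_PDF)):
        print(name, "->", verdict(blob), classify_pdf_polyglot(blob))
```

Run it over files landing in a user's Downloads folder to surface PDFs worth a closer look; a non-zero trailing_bytes count alone is a weaker signal than an HTA marker or a parseable archive.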

Analyzed IOC

Hash Algorithm   Value
SHA256           336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14
SHA1             304a9849894df9e6b3d381f2d24bcf2ef5b497fb
MD5              fbf3c44fdf1d635d1142ae0ec32fe887

Infrastructure

We use the following infrastructure to demonstrate the detection of Sosano backdoor malware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.11.1 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 endpoint with the Wazuh agent 4.11.1 installed and enrolled to the Wazuh server. This endpoint is monitored for the Sosano backdoor activities.

Detection with Wazuh

In this blog post, we create custom detection rules to identify the activities associated with the Sosano backdoor malware. We use the Wazuh CDB list and Active Response module to detect and remove malicious files associated with this malware.

Detection rules

We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Sosano backdoor malware.

Windows endpoint

Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location.

3. Run PowerShell as an administrator to download the Sysmon configuration file (sysmonconfig.xml). Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the activities related to Sosano backdoor malware.

1. Create a file sosano_backdoor_rules.xml in the /var/ossec/etc/rules/ directory:

# touch /var/ossec/etc/rules/sosano_backdoor_rules.xml

2. Add the following detection rules to the /var/ossec/etc/rules/sosano_backdoor_rules.xml file:

<group name="Sosano backdoor, malware,">

<!-- The LNK file uses mshta.exe to execute the PDF/HTA polyglot file -->
 <rule id="101111" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image">\\mshta.exe$</field>
    <regex type="pcre2" field="win.eventdata.commandLine">(?i)C:\\.*\\electronica-2024\.pdf</regex>
    <description>Suspicious execution: mshta.exe running electronica-2024.pdf detected. Potential Sosano malware activity detected.</description>
    <mitre>
      <id>T1218.005</id> <!-- MITRE ATT&CK: Mshta Abuse -->
    </mitre>
  </rule>

<!-- Malware loads the second PDF file -->
  <rule id="101112" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\14s.pdf$</field>
    <description>The process $(win.eventdata.image) loads file $(win.eventdata.targetFilename) associated with Sosano backdoor malware.</description>
  </rule>

<!-- Malware looks for a file named sosano.jpg -->
  <rule id="101113" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\sosano.jpg$</field>
    <description>The process $(win.eventdata.image) looks for file $(win.eventdata.targetFilename). Activity associated with Sosano backdoor malware detected.</description>
  </rule>
  
  <!-- Malware looks for a file named hyper.jpg -->
  <rule id="101114" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\hyper.jpg$</field>
    <description>The process $(win.eventdata.image) looks for file $(win.eventdata.targetFilename). Activity associated with Sosano backdoor malware detected.</description>
  </rule>

<!-- Malware loads Hyper-info.exe -->
  <rule id="101115" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\Hyper-info.exe$</field>
    <description>The process $(win.eventdata.image) loads $(win.eventdata.targetFilename). Activity associated with Sosano backdoor malware detected.</description>
  </rule>

<!-- Malware extracts the OrderList.xlsx LNK file -->
  <rule id="101116" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\OrderList.xlsx$</field>
    <description>The process $(win.eventdata.image) extracts file $(win.eventdata.targetFilename). Activity associated with Sosano backdoor malware detected.</description>
  </rule>

<!-- Malware writes URL file to the registry runkey for persistence -->
  <rule id="101117" level="12">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKU\\\\S-1-5-21-\d+-\d+-\d+-\d+\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MyUrlFile$</field>
    <field name="win.eventdata.details" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\Tasks\\\\youtube.url$</field>
    <description>Sosano backdoor malware added URL file $(win.eventdata.targetObject) to registry runkey to be executed on next logon. Sosano backdoor malware activity detected.</description>
  </rule>

</group>

Where:

  • 101111 is triggered when the LNK file uses mshta.exe to execute the first PDF/HTA polyglot file.
  • 101112 is triggered when the malware loads the second PDF file.
  • 101113 is triggered when the sosano.jpg file is extracted.
  • 101114 is triggered when the hyper.jpg file is extracted.
  • 101115 is triggered when the malware loads the Hyper-info.exe file which is part of the archive file.
  • 101116 is triggered when the malware extracts the OrderList.xlsx LNK file.
  • 101117 is triggered when the malware writes a URL file to the registry runkey for persistence.

3. Restart the Wazuh server to apply the changes:

# systemctl restart wazuh-manager

Wazuh dashboard detection alerts

Follow the steps below to view the alerts generated on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select 101111, 101112, 101113, 101114, 101115, 101116, and 101117 in the Values field.

5. Click Save.

Wazuh dashboard detection alerts

Removing Sosano backdoor malware using Wazuh CDB list and Active Response

We configure Wazuh to detect malicious files by comparing their signatures against a CDB list of known malware signatures. A CDB list is a text file that stores key:value pairs, allowing you to track users, file hashes, IP addresses, or domain names. By adding relevant entries, you can identify threats effectively. Learn more about CDB lists in our documentation.

Detecting Sosano backdoor malware using files hashes in the CDB list

To detect the Sosano backdoor malware, you can add its known hashes to a CDB list. The Wazuh File Integrity Monitoring (FIM) module tracks file changes within monitored directories, generating alerts when files are created, modified, or deleted. These alerts include the file’s MD5, SHA1, and SHA256 checksums. By comparing the SHA256 checksums from the FIM module against the entries in the CDB list, Wazuh can identify the presence of the malware.
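To see what the FIM-plus-CDB lookup amounts to before deploying it, here is an added example (not code from the original post or from Wazuh) that parses a CDB list in the key:value format used below, computes the MD5, SHA1 and SHA256 checksums a FIM alert reports, and emulates the lookup="match_key" comparison on the sha256 field. The Downloads folder, sample file and second list entry are constructed in run_demo(); the first list entry is the SHA256 from the IOC table above.

```python
import hashlib
import os
import tempfile

# SHA256 from the IOC table above; a second, constructed entry is added in run_demo().
SOSANO_SHA256 = "336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14"


def load_cdb_list(path: str) -> dict:
    """Parse a CDB list file: one key:value pair per line, blank lines ignored.
    Only the first ':' splits key from value, so values may themselves contain ':'."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line:
                continue
            key, _, value = line.partition(":")
            entries[key.strip()] = value.strip()
    return entries


def fim_checksums(path: str) -> dict:
    """The three checksums a FIM add/modify alert carries (rules 554 and 550)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def evaluate_rule_110111(path: str, cdb: dict):
    """Emulate <list field="sha256" lookup="match_key">: the whole sha256 value
    must equal a list key. Returns an alert-like dict on a hit, else None."""
    sums = fim_checksums(path)
    label = cdb.get(sums["sha256"])
    if label is None:
        return None
    return {"rule_id": 110111, "level": 13, "file": path,
            "sha256": sums["sha256"], "list_value": label}


def run_demo():
    """Build a throwaway Downloads folder and CDB list, then evaluate two files."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "OrderList.zip")     # constructed, not the real archive
        benign = os.path.join(tmp, "notes.txt")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes")
        with open(benign, "wb") as fh:
            fh.write(b"harmless text")
        cdb_path = os.path.join(tmp, "malware-hashes")
        with open(cdb_path, "w", encoding="utf-8") as fh:
            fh.write(f"{SOSANO_SHA256}:Sosano\n")
            fh.write(f"{fim_checksums(sample)['sha256']}:Sosano\n")
        cdb = load_cdb_list(cdb_path)
        return evaluate_rule_110111(sample, cdb), evaluate_rule_110111(benign, cdb)


if __name__ == "__main__":
    hit, miss = run_demo()
    print("sample:", hit)
    print("benign:", miss)
```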

Follow the steps below to create a CDB list and set up the detection rule.

Wazuh server

1. Create a file malware-hashes in the /var/ossec/etc/lists directory. This is the CDB list that will contain the known file hashes associated with Sosano backdoor malware:

# touch /var/ossec/etc/lists/malware-hashes

2. Add the hashes to the malware-hashes file as key:value pairs:

336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14:Sosano
394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3:Sosano
e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626:Sosano
0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327:Sosano
0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c:Sosano
3e0c359acaa23419cda5a93a07a5fee462cebbb771e175eec336a28500c5cda9:Sosano
6208440b508134102e64a0e88d5307f3f546eeaf3655fb4172107cedb3bac772:Sosano

3. Edit the /var/ossec/etc/ossec.conf file and include the etc/lists/malware-hashes list within the <ruleset> configuration block:

<ruleset>
  <list>etc/lists/malware-hashes</list>
</ruleset>

4. Create a custom rule in the /var/ossec/etc/rules/local_rules.xml file to trigger alerts on the Wazuh dashboard whenever a SHA256 hash from the CDB list is detected:

<group name="sosano,">
  <rule id="110111" level="13">
    <if_sid>554, 550</if_sid>
    <list field="sha256" lookup="match_key">etc/lists/malware-hashes</list>
    <description>A known Sosano backdoor malware hash detected: $(file)</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
</group>

Note: Rule ID 554 is triggered when a new file is added to a monitored directory, while rule ID 550 is triggered when a file is modified.

5. Restart the Wazuh server to apply the changes:

# systemctl restart wazuh-manager

Windows endpoint

1. Monitor the Downloads folder of all users in real-time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, we monitored only the Downloads folder of all users. However, you can configure Wazuh to monitor any directory of your choice.

2. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Perform the following on the Wazuh dashboard to view the alerts generated when the Sosano backdoor malware files are added to the Downloads directory.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select 110111 in the Values field.

5. Click Save.

Sosano Backdoor Malware files

Removing Sosano backdoor malware files using Active Response

The Wazuh Active Response module helps mitigate threats by executing scripts on monitored endpoints when specific triggers occur. If a rule generates an alert, an Active Response script runs on the affected endpoint to take corrective action.

In this guide, we demonstrate how to set up a Python script on a Windows endpoint to automatically delete Sosano backdoor malware files upon detection by Wazuh. To achieve this, Python and PyInstaller must be installed on the Windows endpoint to convert the script into an executable file.

Follow the steps below to configure the active response script to remove Sosano backdoor malware files as soon as they are detected.

Windows endpoint

1. Download and install Python with the below options checked during installation:

  • Use admin privileges when installing py.exe
  • Add Python.exe to PATH.

2. Install Pyinstaller using the following command:

> pip install -U pyinstaller

3. Create a remove-threat.py script file and copy the below into it:

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.
 
import os
import sys
import json
import datetime
 
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"
 
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3
 
OS_SUCCESS = 0
OS_INVALID = -1
 
class message:
    def __init__(self):
        self.alert = ""
        self.command = 0
 
def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")
 
def setup_and_check_message(argv):
 
    # get alert from stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message
 
    message.alert = data

    command = data.get("command")
 
    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        # str() guards against a missing "command" key, which would otherwise raise TypeError
        write_debug_file(argv[0], 'Not valid command: ' + str(command))
 
    return message
 
 
def send_keys_and_check_message(argv, keys):
 
    # build and send message with keys
    keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
 
    write_debug_file(argv[0], keys_msg)
 
    print(keys_msg)
    sys.stdout.flush()
 
    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break
 
    # write_debug_file(argv[0], input_str)
 
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID
 
    action = data.get("command")
 
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")
 
    return ret
 
def main(argv):
 
    write_debug_file(argv[0], "Started")
 
    # validate json and get command
    msg = setup_and_check_message(argv)
 
    if msg.command < 0:
        sys.exit(OS_INVALID)
 
    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)
 
        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
 
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)
 
        try:
            os.remove(msg.alert["parameters"]["alert"]["syscheck"]["path"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))

    else:
        write_debug_file(argv[0], "Invalid command")
 
    write_debug_file(argv[0], "Ended")
 
    sys.exit(OS_SUCCESS)
 
if __name__ == "__main__":
    main(sys.argv)

4. Convert the Python script remove-threat.py to an executable file:

> pyinstaller -F remove-threat.py

5. Copy the built executable from the \dist folder in your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin directory.

Wazuh server

1. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file to trigger an Active Response to rule ID 110111:

<command>
  <name>remove-threat-windows</name>
  <executable>remove-threat.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>remove-threat-windows</command>
  <location>local</location>
  <rules_id>110111</rules_id>
</active-response>

Where:

  • <name> specifies that remove-threat-windows is the name of the command being called in the active response section.
  • <executable> specifies that remove-threat.exe is the executable file to run.
  • <command> specifies the command that the active response will use.
  • The <active-response> block calls the <command> block when the rule ID 110111 is triggered.
  • <location> specifies where the active response script is executed.

2. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to generate alerts when response actions are taken:

<group name="sosano,">
<rule id="110112" level="12">
  <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose hash appears in a malware blacklist.</description>
</rule>

<rule id="110113" level="12">
  <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose hash appears in a malware blacklist.</description>
</rule>
</group>

Where:

  • Rule ID 110112 is triggered when the threat is successfully removed by the Wazuh Active Response module.
  • Rule ID 110113 is triggered when the threat is not successfully removed by the Wazuh Active Response module.

3. Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

Alerts visualization

Perform the following steps on the Wazuh dashboard to view the alerts of the removal of the malicious file by the Wazuh Active Response module:

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select rule ID 110112 in the Values field.

5. Click Save.

Sosano Backdoor alerts

Conclusion

In this blog post, we demonstrated how to detect Sosano backdoor malware activities on monitored Windows endpoints. We enriched logs from the victim endpoint by integrating Sysmon and created Wazuh detection rules to identify malicious behavior associated with Sosano backdoor malware. We also illustrated how to remove the known malicious files using Wazuh CDB lists and Active Response module.

Wazuh is a free and open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. If you have any questions about this blog post or Wazuh, we invite you to join our community, where our team is available to assist you.
