Detecting and responding to Apos malware with Wazuh


Apos, first identified in April 2024, has drawn significant attention in the security community due to its stealthy behavior and layered infection chain. Unlike opportunistic threats that indiscriminately target systems, Apos demonstrates a calculated focus on persistence and evasion.

The malware often masquerades as legitimate software components, mimicking processes such as Chrome extension updates to blend seamlessly into routine activity. Once executed on Windows systems, it unpacks and loads malicious modules designed for credential theft, system reconnaissance, and command-and-control (C2) communications.

While frequently categorized as ransomware, Apos diverges from traditional file-encrypting ransomware. Instead, it prioritizes data exfiltration and uses the threat of exposing or selling the stolen data as leverage for extortion.

Apos conceals its presence through benign-looking artifacts, including DLLs with non-suspicious names, which serve both as payload delivery mechanisms and persistence enablers within Windows and browser environments. By leveraging trusted processes and disguising communications, Apos ensures long-term access and positions attackers for deeper lateral movement within compromised networks.

In this blog post, we demonstrate how organizations can detect the activities and malicious behaviors associated with Apos malware on infected Windows endpoints.

Apos malware behavior

Below are some of the behaviors observed when Apos malware successfully infects a Windows endpoint. The first two artifacts are those of a WinRAR self-extracting (SFX) archive, which is how the sample unpacks its payload (the YARA rule later in this post matches the embedded sfxrar.exe strings):

  • Upon execution, the malware checks that it can write to the folder containing the malware executable by creating a file named __tmp_rar_sfx_access_check_* there.
  • The malware drops the following DLLs in the same folder as the executable. These are the standard MinGW/GLib runtime libraries, so the file names themselves are not suspicious; it is the combination with the other behaviors that matters:
    libffi-8.dll
    libgcc_s_dw2-1.dll
    libgio-2.0-0.dll
    libglib-2.0-0.dll
    libgmodule-2.0-0.dll
    libgobject-2.0-0.dll
    libiconv-2.dll
    libintl-8.dll
    libpcre2-8-0.dll
    libwinpthread-1.dll
    zlib1.dll
  • The malware then drops an executable file, Update.exe, in the working directory for further execution.
  • The parent process launches Update.exe, which is loaded into memory, and then terminates.
  • Update.exe loads the DLLs dropped by the parent process.

Analyzed IOC

Hash Algorithm   Value
SHA256           33a99066776eacf39e2f36243b8fbee2e542e35a4b56531187463a266dd5b0ff
SHA256           e90249a27ea1181ac71f789c0c563d008cf920c5847b41c7a790952139b84808

Infrastructure

We use the following infrastructure to demonstrate the detection of Apos malware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.12.0, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 endpoint with the Wazuh agent 4.12.0 installed and enrolled to the Wazuh server. This endpoint is monitored for the Apos malware activities.

Detection with Wazuh

We create custom detection rules to identify the known activities associated with the Apos malware.

Detection rules

We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Apos malware.

Windows endpoint

Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

  1. Download Sysmon from the Microsoft Sysinternals page.
  2. Extract the compressed Sysmon file to your preferred location.
  3. Run PowerShell as an administrator to download the Sysmon configuration file (sysmonconfig.xml). Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
  4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
  5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the activities related to Apos malware.

  1. Create a file apos_malware_rules.xml in the /var/ossec/etc/rules/ directory:
# touch /var/ossec/etc/rules/apos_malware_rules.xml
  2. Add the following detection rules to the /var/ossec/etc/rules/apos_malware_rules.xml file:
<group name="Apos, malware,">

<!-- Malware creates a file to check file creation access -->
  <rule id="102111" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\__tmp_rar_sfx_access_check</field>
    <description>File $(win.eventdata.targetFilename) created by $(win.eventdata.image). Activity associated with Apos malware detected.</description>
  </rule>

<!-- Malware drops the GLib runtime DLLs next to itself -->
  <rule id="102112" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)(libffi-8\.dll|libgcc_s_dw2-1\.dll|libgio-2\.0-0\.dll|libglib-2\.0-0\.dll|libgmodule-2\.0-0\.dll|libgobject-2\.0-0\.dll|libiconv-2\.dll|libintl-8\.dll|libpcre2-8-0\.dll|libwinpthread-1\.dll|zlib1\.dll)$</field>
    <description>The DLL $(win.eventdata.targetFilename) was created by $(win.eventdata.image). Activity associated with Apos malware detected.</description>
  </rule>

<!-- Malware creates Update.exe executable file -->
  <rule id="102113" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\Update\.exe$</field>
    <description>An executable file $(win.eventdata.targetFilename) was created. Activity associated with Apos malware detected.</description>
  </rule>

<!-- Malware executes Update.exe application (hash-checked against the analyzed samples) -->
  <rule id="102114" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)C:\\.*\\Update\.exe</field>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=(3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1|A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639)</field>
    <description>A malicious executable $(win.eventdata.image) was launched. Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

<!-- Malware loads Update.exe image (hash-checked against the analyzed samples) -->
  <rule id="102115" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)[C-Z]:.*\\Update\.exe</field>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=(3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1|A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639)</field>
    <description>A malicious image $(win.eventdata.imageLoaded) was loaded. Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>

<!-- Update.exe application loads the DLLs created by the parent process -->
  <rule id="102116" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\Update\.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)[C-Z]:.*\.dll</field>
    <description>DLL $(win.eventdata.imageLoaded) was loaded by a malicious executable $(win.eventdata.image). Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>

</group>

Where:

  • 61613, 61603, and 61609 are the Wazuh base rules for Sysmon Event ID 11 (FileCreate), Event ID 1 (ProcessCreate), and Event ID 7 (ImageLoaded) respectively. The custom rules only evaluate events those base rules have already matched.
  • 102111 is triggered when the malware creates a file to test file creation access.
  • 102112 is triggered when the malware drops the DLLs listed above. These are the standard GLib/MinGW runtime library names, so this rule also fires when a legitimate application that bundles that runtime is installed or unpacked; treat it as corroborating context for the other rules rather than as a verdict on its own.
  • 102113 is triggered when the malware creates an executable file Update.exe.
  • 102114 is triggered when the Update.exe executable is launched and its SHA256 hash is one of the analyzed samples.
  • 102115 is triggered when the Update.exe image is loaded into memory and its SHA256 hash is one of the analyzed samples.
  • 102116 is triggered when the Update.exe executable loads the DLLs dropped by the parent process. Unlike 102114 and 102115, this rule does not check a hash, so any program named Update.exe (some third-party applications install an updater with that name under %LOCALAPPDATA%) triggers it; narrow the image path or add a hash check if it proves noisy in your environment.
  3. Restart the Wazuh server to apply the changes:
# systemctl restart wazuh-manager
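To see which of these rules each event reaches, the following Python script replays the rule logic over constructed Sysmon events. It is an added example, not code from the Wazuh post or the Wazuh project: the parent rule IDs and patterns are copied from the rule file above, the event data, file paths, and the non-Apos hashes are constructed, and Python's re module stands in for Wazuh's PCRE2 engine (all patterns used here are valid in both). It also runs two benign look-alikes, an updater that happens to be named Update.exe and an installer that drops the GLib runtime, so the precision difference between the hash-checked rules and the name-only rules is visible.

```python
"""
Replay of the six Apos Sysmon rules over constructed events.

Added example, not code from the Wazuh post. The events are constructed,
not captured; the two SHA256 values are the ones rules 102114/102115
check for, every other hash below is made up.
"""
import re

# Parent rule IDs used in the post, keyed by the Sysmon event they cover
# (61603: Event 1 process create, 61609: Event 7 image load, 61613: Event 11 file create).
SYSMON_PARENT = {1: 61603, 7: 61609, 11: 61613}

APOS_SHA256 = ("3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1",
               "A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639")
DROPPED_DLLS = ("libffi-8.dll", "libgcc_s_dw2-1.dll", "libgio-2.0-0.dll", "libglib-2.0-0.dll",
                "libgmodule-2.0-0.dll", "libgobject-2.0-0.dll", "libiconv-2.dll", "libintl-8.dll",
                "libpcre2-8-0.dll", "libwinpthread-1.dll", "zlib1.dll")

HASH_RX = r"(?i)SHA256=(" + "|".join(APOS_SHA256) + ")"
EXE_RX = r"(?i)[C-Z]:.*\.exe"

# (rule id, parent sid, {eventdata field: pcre2 pattern}) mirroring the rule file
RULES = [
    (102111, 61613, {"image": EXE_RX, "targetFilename": r"(?i)[C-Z]:.*\\__tmp_rar_sfx_access_check"}),
    (102112, 61613, {"image": EXE_RX,
                     "targetFilename": r"(?i)(" + "|".join(re.escape(d) for d in DROPPED_DLLS) + r")$"}),
    (102113, 61613, {"image": EXE_RX, "targetFilename": r"(?i)[C-Z]:.*\\Update\.exe$"}),
    (102114, 61603, {"commandLine": r"(?i)C:\\.*\\Update\.exe", "hashes": HASH_RX}),
    (102115, 61609, {"imageLoaded": r"(?i)[C-Z]:.*\\Update\.exe", "hashes": HASH_RX}),
    (102116, 61609, {"image": r"(?i)[C-Z]:.*\\Update\.exe", "imageLoaded": r"(?i)[C-Z]:.*\.dll"}),
]


def matching_rules(event: dict) -> list:
    """IDs of the custom rules whose parent and field patterns all match the event.

    Wazuh raises one alert per event (the first matching child of the parent
    rule), so more than one ID here means rule order decides which alert you see.
    """
    parent = SYSMON_PARENT.get(event["event_id"])
    return [rid for rid, sid, fields in RULES
            if sid == parent and all(re.search(rx, event.get(f, "")) for f, rx in fields.items())]


DL = r"C:\Users\alice\Downloads"
# Constructed Apos chain, in the order the post describes it.
APOS_CHAIN = [
    {"event_id": 11, "image": DL + r"\apos.exe", "targetFilename": DL + r"\__tmp_rar_sfx_access_check_3f2a"},
    {"event_id": 11, "image": DL + r"\apos.exe", "targetFilename": DL + r"\libglib-2.0-0.dll"},
    {"event_id": 11, "image": DL + r"\apos.exe", "targetFilename": DL + r"\Update.exe"},
    {"event_id": 1, "image": DL + r"\Update.exe", "commandLine": '"' + DL + r'\Update.exe"',
     "hashes": "SHA256=" + APOS_SHA256[0] + ",IMPHASH=00000000000000000000000000000000"},
    {"event_id": 7, "image": DL + r"\apos.exe", "imageLoaded": DL + r"\Update.exe",
     "hashes": "SHA256=" + APOS_SHA256[1]},
    {"event_id": 7, "image": DL + r"\Update.exe", "imageLoaded": DL + r"\libglib-2.0-0.dll",
     "hashes": "SHA256=" + "C" * 64},
]

# Benign look-alikes (hypothetical paths and hashes).
UPDATER = r"C:\Users\alice\AppData\Local\ExampleApp\Update.exe"   # a third-party updater named Update.exe
BENIGN_UPDATER_START = {"event_id": 1, "image": UPDATER, "commandLine": '"' + UPDATER + '" --check',
                        "hashes": "SHA256=" + "B" * 64}
BENIGN_UPDATER_LOAD = {"event_id": 7, "image": UPDATER, "imageLoaded": r"C:\Windows\System32\kernel32.dll",
                       "hashes": "SHA256=" + "D" * 64}
BENIGN_GLIB_INSTALL = {"event_id": 11, "image": r"C:\Users\alice\Downloads\gtk-app-setup.exe",
                       "targetFilename": r"C:\Program Files\GtkApp\bin\libglib-2.0-0.dll"}


def replay(events):
    """Rule IDs reached by each event, in event order."""
    return [matching_rules(e) for e in events]


if __name__ == "__main__":
    for e, hits in zip(APOS_CHAIN, replay(APOS_CHAIN)):
        print("Sysmon event", e["event_id"], "->", hits)
    print("benign updater start:", matching_rules(BENIGN_UPDATER_START))  # [] (hash check holds)
    print("benign updater load: ", matching_rules(BENIGN_UPDATER_LOAD))   # [102116] (no hash check)
    print("benign GLib install: ", matching_rules(BENIGN_GLIB_INSTALL))   # [102112]
```

The replay reaches exactly one custom rule per Apos event, which is what you want from a chain of sibling rules under the same parent. The two benign cases show where the name-only rules need tightening before they go into production: 102116 fires for any Update.exe loading any DLL, and 102112 fires for any installer that ships the GLib runtime.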

Wazuh dashboard detection alerts

Follow the steps below to view the alerts generated on the Wazuh dashboard.

  1. Navigate to Threat intelligence > Threat Hunting.
  2. Click + Add filter. Then filter by rule.groups.
  3. In the Operator field, select is.
  4. Search and select Apos in the Values field.
  5. Click Save.

Removing malicious files using YARA integration

A strong defense against malware begins with early detection, before malicious code has the chance to run. By monitoring endpoints for suspicious file activity, security teams can identify and eliminate potential threats before they impact the system. The Wazuh File Integrity Monitoring (FIM) module plays a central role in this process by watching designated directories, either on a schedule or in real time, and flagging unexpected file creations or modifications that could indicate an attack in progress.

To strengthen this capability, Wazuh can be integrated with external intelligence sources and malware detection tools such as YARA and VirusTotal. These integrations provide access to continuously updated signatures and rule sets, enabling automated identification of known and emerging threats. When a suspicious file surfaces, the Wazuh Active Response module can be configured to automatically trigger a YARA scan, classify the file, and remove it if malicious. In this way, organizations can move beyond reactive cleanup and enforce a proactive security posture that stops threats before they escalate.

In this section, we illustrate how to remove malicious files by leveraging Wazuh integration with YARA.

Windows endpoint

Perform the steps below to configure the monitored endpoint for this integration.

  1. Install Python 3 with pip on the endpoint; the steps below use them to download the YARA rules.

Note

Run PowerShell as an administrator for the commands in this section.

  2. Download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.4/yara-master-v4.5.4-win64.zip -OutFile v4.5.4-win64.zip
  3. Extract the downloaded YARA archive:
> Expand-Archive v4.5.4-win64.zip
  4. Create a yara folder in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.4-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
  5. To download the YARA rules, use pip to install the valhallaAPI client. It retrieves the public signature-based YARA ruleset from the Valhalla service:
> pip install valhallaAPI
  6. Create a file download_yara_rules.py and paste the script below into it. The all-ones value is the demo API key that valhallaAPI accepts for the public ruleset; replace it with your own key if you have one:
from valhallaAPI.valhalla import ValhallaAPI

# Demo key for the public ruleset; use your own key if you have one
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
  7. Run the download_yara_rules.py script to download the YARA rules:
> python download_yara_rules.py
  8. Create the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder and copy the rules into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
  9. Edit the downloaded YARA rule file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Apos malware rule. It was generated with yarGen from the analyzed sample; its strings combine WinRAR SFX stub artifacts (sfxrar.exe, the sfxrar.pdb path, the password prompt text) with the names of the dropped runtime DLLs:
rule Apos_malware {
   meta:
      description = "Detects Apos malware"
      author = "Aishat Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2025-08-26"
   strings:
      $x1 = "srvcli.dll" fullword wide /* reversed goodware string 'lld.ilcvrs' */
      $x2 = "devrtl.dll" fullword wide /* reversed goodware string 'lld.ltrved' */
      $x3 = "dfscli.dll" fullword wide /* reversed goodware string 'lld.ilcsfd' */
      $x4 = "browcli.dll" fullword wide /* reversed goodware string 'lld.ilcworb' */
      $x5 = "linkinfo.dll" fullword wide /* reversed goodware string 'lld.ofniknil' */
      $s6 = "atl.dll" fullword wide /* reversed goodware string 'lld.lta' */
      $s7 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
      $s8 = "SSPICLI.DLL" fullword wide
      $s9 = "UXTheme.dll" fullword wide
      $s10 = "oleaccrc.dll" fullword wide
      $s11 = "dnsapi.DLL" fullword wide
      $s12 = "iphlpapi.DLL" fullword wide
      $s13 = "WINNSI.DLL" fullword wide
      $s14 = "sfxrar.exe" fullword ascii
      $s15 = "Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password." fullword wide
      $s16 = "libffi-8.dll" fullword ascii
      $s17 = "libpcre2-8-0.dll" fullword ascii
      $s18 = "D:\\Projects\\WinRAR\\sfx\\build\\sfxrar64\\Release\\sfxrar.pdb" fullword ascii
      $s19 = "233333333333333333" ascii /* hex encoded string '#33333333' */
      $s20 = "$GETPASSWORD1:IDC_PASSWORDENTER" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 8000KB and
      1 of ($x*) and 4 of them
}
  10. Monitor the Downloads folder of all users in real time by adding the configuration below within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<directories realtime="yes">C:\Users\*\Downloads</directories>

Note

In this blog post, we only monitored the Downloads folder of all users. However, you can configure other directories you wish to monitor.

  11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the script below into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:
:: This script deletes the Apos malware executable as well as other malicious files matched by the YARA rules

@echo off
setlocal enableDelayedExpansion

:: Pick the agent log path based on the OS architecture
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read the JSON alert that the Wazuh agent passes on stdin and keep a copy on disk
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

:: Extract the path of the file that triggered the FIM alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%

:: Scan the file. YARA prints one "<rule> <file>" line per matching rule, so the
:: loop body only runs when at least one rule matches. REM is used inside the
:: block because a "::" label inside parentheses can break batch parsing.
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the matched file and log the outcome
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b
  12. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure custom decoders, rules, and the Wazuh Active Response module on the Wazuh server.

  1. Add the custom rules below to the /var/ossec/etc/rules/local_rules.xml file:
<group name="syscheck,">
  <rule id="102121" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="102122" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="102123" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="102124" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a malware. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="102125" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="102126" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • 102121 is triggered when a file is modified in the Downloads folder.
  • 102122 is triggered when a file is added to the Downloads folder.
  • 102123 is the base rule for detecting YARA-related events.
  • 102124 is triggered when YARA scans and detects a malicious file.
  • 102125 is triggered when the executable has been successfully removed by the Wazuh Active Response module.
  • 102126 is triggered when the executable is not removed successfully by the Wazuh Active Response module.
  2. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the Active Response script. The child decoders capture the scanned file path with \S+, so a path that contains a space (for example, a profile folder for a user name with a space) is cut off at the first space in the yara_scanned_file field:
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder2">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder3">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
  3. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:
<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>102121,102122</rules_id>
</active-response>

The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies that yara is the name of the command referenced in the <active-response> block.
  • <executable> specifies that yara.bat, located in the agent's active-response\bin folder, is the script to run.
  • <timeout_allowed> set to no makes this a stateless response: the script runs once and is never called again to undo its action.
  • <command> in the <active-response> block selects the command defined above.
  • <rules_id> lists the rules that trigger the response: the script runs whenever rule 102121 or 102122 fires.
  • <location> specifies where the script runs; local means on the agent that generated the alert.
  4. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
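The pieces configured in this section (the JSON the agent hands to yara.bat, the lines the script appends to active-responses.log, the three child decoders, and the three rules that match those lines) only meet at run time, so the following Python script replays that pipeline end to end on constructed data. It is an added example, not code from the Wazuh post or the Wazuh project: the stdin message is a constructed stand-in for what wazuh-execd sends (its layout follows the version/origin/command/parameters shape the batch file reads with .parameters.alert.syscheck.path), the YARA output is constructed, and Python's re module stands in for Wazuh's decoder regex dialect. It also shows the path-with-spaces case the decoders mishandle and a capture that keeps the full path.

```python
"""
Replay of the YARA active-response log pipeline from this post.

Added example, not code from the Wazuh post. The stdin message and the
YARA output are constructed; the decoder regexes and rule match strings
are copied from the server configuration above.
"""
import json
import re

# Constructed stand-in for the JSON the agent passes to the script's stdin.
AR_STDIN = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "102122", "description": "File added to the Downloads folder."},
            "syscheck": {"path": r"C:\Users\alice\Downloads\invoice.exe", "event": "added"},
        },
        "program": "yara.bat",
    },
})


def scanned_path(stdin_json: str) -> str:
    """Same lookup the batch file performs: (...).parameters.alert.syscheck.path"""
    return json.loads(stdin_json)["parameters"]["alert"]["syscheck"]["path"]


def ar_log_lines(path: str, yara_stdout: str, deleted: bool) -> list:
    """Lines yara.bat appends to active-responses.log for one scan.

    YARA prints one '<rule> <file>' line per matching rule; for each one the
    script writes a 'Scan result' line and then a delete-outcome line. The bare
    path echoed before the scan is included because the decoder must ignore it.
    """
    lines = [path]
    for match in yara_stdout.splitlines():
        lines.append(f"wazuh-yara: INFO - Scan result: {match}")
        outcome = "Successfully deleted" if deleted else "Error removing threat"
        lines.append(f"wazuh-yara: INFO - {outcome}: {match}")
    return lines


FIELDS = ("log_type", "yara_rule", "yara_scanned_file")

# Child decoders as written in the post: the scanned path is captured with \S+.
DECODERS = {
    "yara_decoder1": re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)"),
    "yara_decoder2": re.compile(r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)"),
    "yara_decoder3": re.compile(r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)"),
}

# Variant that keeps the rest of the line as the path so spaces survive.
# (Assumption: in Wazuh's own decoder syntax the equivalent catch-all is "\.+".)
DECODERS_FULL_PATH = {
    name: re.compile("(.+)".join(rx.pattern.rsplit(r"(\S+)", 1))) for name, rx in DECODERS.items()
}


def decode(line: str, decoders=DECODERS):
    """Mimic yara_decoder (prematch) plus its children; None if the line is not a YARA line."""
    if "wazuh-yara:" not in line:            # parent prematch fails
        return None
    for name, rx in decoders.items():
        m = rx.search(line)
        if m:
            return {"decoder": name, **dict(zip(FIELDS, m.groups()))}
    return {"decoder": "yara_decoder"}         # parent matched, no child extracted fields


# <match> strings of rules 102124-102126; 102123 is the silent grouping rule.
RULE_MARKERS = (("wazuh-yara: INFO - Scan result: ", 102124),
                ("wazuh-yara: INFO - Successfully deleted: ", 102125),
                ("wazuh-yara: INFO - Error removing threat: ", 102126))


def rule_id(line: str):
    """Rule the manager would raise for the line (None if no decoder matched)."""
    if decode(line) is None:
        return None
    return next((rid for marker, rid in RULE_MARKERS if marker in line), 102123)


def replay(path: str, yara_stdout: str, deleted: bool = True, decoders=DECODERS):
    """(rule id, decoded fields) for every line yara.bat would log for this scan."""
    return [(rule_id(ln), decode(ln, decoders)) for ln in ar_log_lines(path, yara_stdout, deleted)]


if __name__ == "__main__":
    path = scanned_path(AR_STDIN)
    for rid, fields in replay(path, f"Apos_malware {path}"):
        print(rid, fields)
    spaced = r"C:\Users\Jane Doe\Downloads\invoice.exe"          # constructed path with a space
    print(replay(spaced, f"Apos_malware {spaced}")[1][1]["yara_scanned_file"])
    print(replay(spaced, f"Apos_malware {spaced}", decoders=DECODERS_FULL_PATH)[1][1]["yara_scanned_file"])
```

For the alice path the replay yields no alert for the bare path line, then 102124 with the rule and file from yara_decoder1, then 102125 from yara_decoder2 (or 102126 from yara_decoder3 when the delete fails). For the Jane Doe path the post's decoders leave yara_scanned_file as C:\Users\Jane, which is what you would see in the alert on the dashboard; the full-path variant keeps the whole path.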

Visualizing the detection alerts

When the Apos malware executable is added to the Downloads folder of the monitored Windows endpoint and successfully removed by the Wazuh Active Response module, alerts are generated on the Wazuh dashboard. 

To view these alerts:

  1. Navigate to Threat intelligence > Threat Hunting.
  2. Click + Add filter. Then filter by rule.id.
  3. In the Operator field, select is one of.
  4. Search and select rule IDs 102122, 102124, and 102125 in the Values field.
  5. Click Save.

Conclusion

In this blog post, we demonstrated how organizations can detect and proactively respond to Apos malware activities in a monitored Windows environment. We enriched logs from the victim endpoint by integrating Sysmon and created Wazuh detection rules to identify malicious behavior related to Apos malware. We also showed how to remove the malicious files by leveraging Wazuh integration with YARA.

Wazuh is a free open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. Discover more about Wazuh by exploring our other blog posts and becoming a part of our growing community.
