Hunting DragonForce: Crafting YARA Rules with yarGen and MalwareBazaar

DragonForce originated as a pro-Palestine hacktivist group that has been active since August 2023 [1]. They began with politically motivated attacks targeting entities that aligned with their ideological beliefs [2]. Since then, DragonForce has developed a malware strain that operates under the Ransomware-as-a-Service (RaaS) model [2][3].
DragonForce is alleged to have been involved in the recent cyber attacks on Marks & Spencer, Co-op and Harrods [1][4].
DragonForce: Attack Lifecycle Overview
Initial Access:
Like many adversary groups seeking initial access, DragonForce often gets its foot in the door through phishing [T1566] with malicious links [T1566.002] or attachments [T1566.001] [4].
Alongside phishing, other social engineering techniques, including SIM swapping [T1451] and MFA push bombing [T1621], are frequently used as part of DragonForce's arsenal [4].
Establishing a Foothold:
We often see the use of red team frameworks such as Cobalt Strike for command-and-control communications and delivery of further tooling. In particular, DragonForce often installs the SystemBC backdoor, which creates a SOCKS5 proxy tunnel to maintain access even if the initial vulnerability is patched. Once deployed, it establishes persistence by creating a Registry Run key that automatically executes a PowerShell command at user logon or system boot [T1547.001] [1][7].
Lateral Movement and Privilege Escalation:
DragonForce leverages built-in Windows utilities (PowerShell, WMI), network scanners (Advanced IP Scanner, PingCastle) and credential-dumping tools (Mimikatz) to map the network, harvest credentials and move laterally [T1003.001, T1016, T1082] [4][7].
Data Exfiltration and Double Extortion:
DragonForce exfiltrates sensitive files using both legitimate cloud services (e.g., MEGA) and protocols like WebDAV or SFTP [1][4].
Exfiltrated data is used for double extortion: files are posted to a dedicated leak site if the victim refuses to pay, increasing pressure during ransom negotiations [4][7].
Ransomware Deployment: Customization and Impact:
Affiliates who build their own ransomware from the service provided by DragonForce can produce custom ransomware binaries for Windows, Linux, ESXi or NAS devices, choosing encryption methods (AES/RSA or ChaCha8), file paths, execution delays and exclusions [4][7].
YARA Explained:
"YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns." — VirusTotal YARA GitHub Repository. [5]
YARA is an excellent tool for analysing malware samples and producing rules that help identify and classify them. In this blog post, I have taken all the malware samples tagged "DragonForce" in MalwareBazaar and used the yarGen Python tool [6] to pull out the strings shared across those samples.
Simply put, yarGen is a generator for YARA rules. As well as extracting the shared strings described above, it removes any strings that may also appear in goodware files (when the --excludegood argument is used). yarGen ships with a large database of goodware strings and opcodes, which supports this filtering. [6]
Generating YARA Rules with yarGen
All installation instructions are visible on the yarGen GitHub Repository.
I cloned yarGen to my VM.
git clone https://github.com/Neo23x0/yarGen
cd yarGen
I downloaded all the available ransomware PE (.exe) samples on MalwareBazaar that are tagged DragonForce and placed them in a malware_samples directory within the yarGen directory.
mkdir /malware_samples/dragonforce/
mkdir /rules
I then ran the following command to provide the output .yar file.
python3 yarGen.py -m /malware_samples/dragonforce/ -o rules/dragonforce_rule.yar
Followed by
python3 yarGen.py -m /malware_samples/dragonforce/ -o rules/dragonforce_rule_clean.yar --excludegood
This created two YARA rule files, both covering all 13 samples: one "clean" rule file produced with the --excludegood argument, and one produced without it.
Both rule sets can be found on my GitHub here.
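To make the two-step idea behind the commands above concrete (collect strings shared across the samples, then drop those that also occur in goodware, which is what --excludegood does in yarGen), here is an added, deliberately small rule generator. It is example code written for this post, not yarGen's own code; the sample and goodware byte blobs are constructed inline and stand in for real PE files, and the coverage threshold and the "N of them" condition are design choices of the example rather than yarGen's defaults.

```python
"""Minimal string-based YARA rule generator (added example, not yarGen)."""
import math
import re
from collections import Counter

# Printable ASCII runs of six or more characters, the usual "strings" notion.
ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data: bytes) -> set:
    """Return the set of printable ASCII strings (>= 6 chars) in a byte blob."""
    return {m.group().decode("ascii") for m in ASCII_STRING.finditer(data)}


def select_strings(samples, goodware, min_fraction=0.6, exclude_good=True, limit=20):
    """Keep strings present in at least min_fraction of the samples.

    With exclude_good=True any string that also appears in the goodware
    corpus is dropped outright (the --excludegood idea). The result is sorted
    by sample coverage, then alphabetically, and capped at `limit` strings.
    """
    counts = Counter()
    for data in samples:
        counts.update(extract_strings(data))  # count once per sample
    good = set()
    if exclude_good:
        for data in goodware:
            good |= extract_strings(data)
    threshold = math.ceil(len(samples) * min_fraction)
    chosen = [(s, n) for s, n in counts.items() if n >= threshold and s not in good]
    chosen.sort(key=lambda t: (-t[1], t[0]))
    return [s for s, _ in chosen[:limit]]


def yara_escape(s: str) -> str:
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, strings, required: int) -> str:
    """Render a YARA rule: MZ header check plus 'required of them'."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" fullword ascii')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {required} of them",
              "}"]
    return "\n".join(lines)


def generate_rule(name, samples, goodware, exclude_good=True) -> str:
    """End-to-end: select strings, then require all but one of them to match."""
    strings = select_strings(samples, goodware, exclude_good=exclude_good)
    required = max(1, len(strings) - 1)  # example threshold, not yarGen's
    return build_rule(name, strings, required)


# Constructed stand-ins for PE files: an MZ header followed by NUL-separated
# import names. These are NOT real DragonForce or goodware samples.
MZ = b"MZ\x90\x00" + b"\x00" * 12
SAMPLES = [
    MZ + b"\x00CryptEncrypt\x00CreateIoCompletionPort\x00GetQueuedCompletionStatus"
       b"\x00CreateMutexA\x00GetNativeSystemInfo\x00kernel32.dll\x00",
    MZ + b"\x00CryptEncrypt\x00CreateIoCompletionPort\x00GetQueuedCompletionStatus"
       b"\x00GetLogicalDriveStringsW\x00CreateMutexA\x00kernel32.dll\x00",
    MZ + b"\x00CryptEncrypt\x00CreateIoCompletionPort\x00CreateMutexA"
       b"\x00GetNativeSystemInfo\x00kernel32.dll\x00",
]
GOODWARE = [
    MZ + b"\x00CreateMutexA\x00kernel32.dll\x00GetNativeSystemInfo\x00user32.dll\x00",
]

if __name__ == "__main__":
    print(generate_rule("dragonforce_example_clean", SAMPLES, GOODWARE))
    print()
    print(generate_rule("dragonforce_example", SAMPLES, GOODWARE, exclude_good=False))
```

Running it prints two rules: the "clean" one keeps only the three strings no goodware file shares (the completion-port calls and CryptEncrypt), while the unfiltered one also carries CreateMutexA, kernel32.dll and GetNativeSystemInfo, strings common in benign software that would make the rule noisier. The goodware set here is tiny; yarGen's value comes from the size of its database.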
Key Observations from the YARA Rule Set
Cryptographic APIs
First and foremost, we can see the use of multiple native Windows APIs: our rules flag the presence of key functions such as CryptEncrypt, confirming DragonForce's use of these native Windows APIs to perform encryption, a classic ransomware trait.
Multithreading and Completion Ports
DragonForce stands out by using low-level Windows concurrency APIs, hinting at a more sophisticated design than typical ransomware.
$s10 = "GetQueuedCompletionStatus" fullword ascii
$s14 = "CreateIoCompletionPort" fullword ascii
Their appearance in ransomware can indicate a focus on stealth and efficiency: ransomware authors may use I/O completion ports (IOCP) to implement efficient, multithreaded file encryption routines.
Mutex Use
Indicators like CreateMutexA help track how DragonForce maintains process control, which is useful for DFIR teams looking for runtime artefacts. This use of mutexes prevents multiple instances from running, avoiding unintended double encryption of files.
System Reconnaissance
$s12 = "GetNativeSystemInfo" fullword ascii
$s13 = "GetLogicalDriveStringsW" fullword ascii
With reconnaissance calls like GetNativeSystemInfo, DragonForce tailors its execution to the host environment, a step toward evasive, adaptive behaviour. Such calls can help malware determine whether it is running in a VM and therefore assist in avoiding analysis.
Obfuscated or Unique Strings
$s16 = "4%4,4_4&5-5" fullword ascii /* hex encoded string 'DDU' */
YARA is brilliant for finding a non-standard string within the malware; perhaps this one is used as a marker.
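The string lines quoted in this section are yarGen output, and each carries the `fullword ascii` modifier. What that modifier and the rule's condition actually do is worth seeing on real bytes, so here is an added example (written for this post, not part of the generated rule set or of YARA) that evaluates the page's indicator strings against constructed buffers with YARA's fullword semantics: a match counts only if it is not preceded or followed by an alphanumeric byte. The `$s1`/`$s2` identifiers for CryptEncrypt and CreateMutexA are assumed (the post names the functions but not their string ids), `uint16(0) == 0x5A4D` is implemented as a check for a leading "MZ", and the "4 of them" threshold is the example's own choice.

```python
"""Evaluate 'fullword ascii' indicators the way a YARA condition would
(added example; the matching logic is a re-implementation, not YARA itself)."""

# Indicator strings from the generated rule discussed above. $s10-$s16 are
# the page's own identifiers; $s1 and $s2 are assumed names for the two
# functions the text mentions without an identifier.
RULE_STRINGS = {
    "$s1": b"CryptEncrypt",              # assumed identifier
    "$s2": b"CreateMutexA",              # assumed identifier
    "$s10": b"GetQueuedCompletionStatus",
    "$s12": b"GetNativeSystemInfo",
    "$s13": b"GetLogicalDriveStringsW",
    "$s14": b"CreateIoCompletionPort",
    "$s16": b"4%4,4_4&5-5",
}

ALNUM = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA fullword semantics: some occurrence of `needle` must be bounded by
    non-alphanumeric bytes (buffer start/end count as boundaries)."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or data[i - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            return True
        start = i + 1  # keep looking: a later occurrence may be a full word


def evaluate(data: bytes, required: int):
    """Return (matched_ids, verdict) for the condition
    'uint16(0) == 0x5A4D and <required> of them'.
    0x5A4D read little-endian at offset 0 is the bytes b"MZ"."""
    matched = [k for k, v in RULE_STRINGS.items() if fullword_match(data, v)]
    is_pe = data[:2] == b"MZ"
    return matched, (is_pe and len(matched) >= required)


# Constructed buffers standing in for files; none of these are real samples.
MZ = b"MZ\x90\x00" + b"\x00" * 12
RANSOMWARE_LIKE = MZ + b"\x00".join([
    b"", b"CryptEncrypt", b"CreateIoCompletionPort", b"GetQueuedCompletionStatus",
    b"CreateMutexA", b"GetLogicalDriveStringsW", b"4%4,4_4&5-5", b"",
])
# Only the two indicators that benign software commonly imports as well.
BENIGN_LIKE = MZ + b"\x00CreateMutexA\x00GetNativeSystemInfo\x00kernel32.dll\x00"
# Indicators embedded inside longer identifiers: fullword must reject these.
PARTIAL_LIKE = MZ + b"\x00XCryptEncryptY\x00GetNativeSystemInfoEx\x00"
# Enough strings, but not a PE file, so the uint16(0) check fails.
NOT_PE = (b"\x7fELF\x00CryptEncrypt\x00CreateMutexA\x00CreateIoCompletionPort"
          b"\x00GetQueuedCompletionStatus\x00")

if __name__ == "__main__":
    for label, buf in [("ransomware-like", RANSOMWARE_LIKE), ("benign-like", BENIGN_LIKE),
                       ("partial-like", PARTIAL_LIKE), ("not-pe", NOT_PE)]:
        matched, verdict = evaluate(buf, required=4)
        print(f"{label:16} matched={matched} verdict={verdict}")
```

The benign-like buffer shows why a rule built from common API names needs an "N of them" condition rather than "any of them": CreateMutexA and GetNativeSystemInfo on their own say very little, while the completion-port pair together with CryptEncrypt is the combination that characterises the samples.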
Final Thoughts
YARA is a brilliant tool for malware classification and identification. If a new piece of malware were to be released, there's a chance it could be matched to DragonForce using the rules that have been outlined. Beyond detection, the rules highlight the sophistication of DragonForce's engineers, from their use of native Windows APIs to their use of low-level concurrency APIs. This provides a great look into the technical capability of the engineers within this adversary group.
Feel free to access and use the generated YARA rules via my GitHub here.
References:
- 1: Infosecurity Magazine – DragonForce Group Behind Attacks on M&S, Co-op, and Harrods
- 2: Intel471 – DragonForce Ransomware Threat Intelligence Report
- 3: Group-IB – Masked Actors: DragonForce
- 4: Picus Security – DragonForce Ransomware Attacks Retail Giants
- 5: VirusTotal – YARA GitHub Repository
- 6: Neo23x0 – yarGen GitHub Repository
- 7: AttackIQ – Emulating DragonForce Ransomware