This YARA rule identifies Android samples associated with the MazarBOT family, which is linked to credential theft and lateral movement. SOC teams should proactively hunt for matches in Azure Sentinel to detect early-stage compromises and prevent further spread across the network.
YARA Rule
// Requires the androguard YARA module (available on Koodous); standard YARA
// has no such module and will not compile this rule.
import "androguard"

rule android_mazarBot_z: android
{
    meta:
        author = "https://twitter.com/5h1vang"
        reference_1 = "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
        description = "Yara detection for MazarBOT"
        sample = "73c9bf90cb8573db9139d028fa4872e93a528284c02616457749d40878af8cf8"

    strings:
        $str_1 = "android.app.extra.ADD_EXPLANATION"
        $str_2 = "device_policy"
        $str_3 = "content://sms/"
        $str_4 = "#admin_start"
        $str_5 = "kill call"
        $str_6 = "unstop all numbers"

    condition:
        // Three alternatives; the parentheses make YARA's and-over-or
        // precedence explicit without changing the original logic.
        androguard.certificate.sha1("50FD99C06C2EE360296DCDA9896AD93CAE32266B") or
        (androguard.package_name("com.mazar") and
         androguard.activity(/\.DevAdminDisabler/) and
         androguard.receiver(/\.DevAdminReceiver/) and
         androguard.service(/\.WorkerService/i)) or
        (androguard.permission(/android.permission.INTERNET/) and
         androguard.permission(/android.permission.SEND_SMS/) and
         androguard.permission(/android.permission.CALL_PHONE/) and
         all of ($str_*))
}
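As an added example (not part of the page or the rule author's code), the following Python mirrors the rule's three OR'd branches so an analyst triaging a sample can see which branch fires and why a sample with the six strings but missing a permission does not match. `ApkFacts` is a hypothetical stand-in for the view the androguard module gives of an APK, and the case-insensitive certificate comparison is an assumption.

```python
import re
from dataclasses import dataclass, field

# The six literals from the rule, as bytes so they can be searched in raw
# DEX/APK content; the hash is the rule's certificate SHA-1.
RULE_STRINGS = {
    "$str_1": b"android.app.extra.ADD_EXPLANATION",
    "$str_2": b"device_policy",
    "$str_3": b"content://sms/",
    "$str_4": b"#admin_start",
    "$str_5": b"kill call",
    "$str_6": b"unstop all numbers",
}
CERT_SHA1 = "50FD99C06C2EE360296DCDA9896AD93CAE32266B"
PERMISSIONS = (r"android.permission.INTERNET", r"android.permission.SEND_SMS",
               r"android.permission.CALL_PHONE")

@dataclass
class ApkFacts:
    """Hypothetical stand-in for what the androguard module exposes per APK."""
    cert_sha1: str = ""
    package_name: str = ""
    activities: list = field(default_factory=list)
    receivers: list = field(default_factory=list)
    services: list = field(default_factory=list)
    permissions: list = field(default_factory=list)
    content: bytes = b""

def find_rule_strings(content: bytes) -> set:
    """Names of the $str_* patterns present in raw content."""
    return {name for name, pat in RULE_STRINGS.items() if pat in content}

def _any_match(pattern: str, names: list, flags: int = 0) -> bool:
    return any(re.search(pattern, n, flags) for n in names)

def evaluate(facts: ApkFacts):
    """Return which OR'd branch of the rule fires, or None. YARA binds 'and'
    tighter than 'or', so the last branch needs all three permissions AND all
    six strings together."""
    if facts.cert_sha1.upper() == CERT_SHA1:  # case-insensitive: assumption
        return "certificate"
    if (facts.package_name == "com.mazar"
            and _any_match(r"\.DevAdminDisabler", facts.activities)
            and _any_match(r"\.DevAdminReceiver", facts.receivers)
            and _any_match(r"\.WorkerService", facts.services, re.IGNORECASE)):
        return "components"
    if (all(_any_match(p, facts.permissions) for p in PERMISSIONS)
            and find_rule_strings(facts.content) == set(RULE_STRINGS)):
        return "strings"
    return None
```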
This rule contains 6 string patterns in its detection logic. The scenarios below describe the contexts in which the rule may be deployed and the legitimate activity that could resemble its matches, each with a suggested filter or exclusion:
Scenario: Legitimate Android App Signing with Debug Build
Description: A developer may use a debug build of a legitimate Android app (e.g., com.example.debug) that includes debug logs or test credentials, which could trigger the YARA rule due to similar string patterns.
Filter/Exclusion: Exclude processes where the package name contains "debug" or where the build type is "debug". Example: package_name contains "debug" or build_type == "debug"
Scenario: Scheduled System Maintenance Job
Description: A scheduled job (e.g., system-maintenance.sh) running on a server might have Android-based automation scripts (e.g., using adb or fastboot) that are used for legitimate device management tasks.
Filter/Exclusion: Exclude processes initiated by system cron jobs or scheduled tasks with known names like "system-maintenance" or "device_update". Example: process_name contains "system-maintenance" or job_name == "device_update"
Scenario: Admin Tool for Android Device Management
Description: An enterprise admin might use a legitimate Android management tool (e.g., Android Device Manager, Google Enterprise Mobility Management) that includes scripts or logs with patterns similar to MazarBOT.
Filter/Exclusion: Exclude processes associated with known admin tools like "Android Device Manager" or "Google Enterprise Mobility Management". Example: process_name contains "Android Device Manager" or tool_name == "Google Enterprise Mobility Management"
Scenario: Automated Log Collection from Android Devices
Description: A security tool (e.g., Splunk, ELK Stack) might collect logs from Android devices using a script that includes log parsing logic with similar string patterns to MazarBOT.
Filter/Exclusion: Exclude processes related to log collection tools like "Splunk", "Log