OmniRat is being used to establish covert communication channels within the network, leveraging its ability to persist and exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term adversary presence and data exfiltration risks.
YARA Rule
import "androguard"

rule Android_OmniRat
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "01-July-2016"
        description = "This rule try to detects OmniRat"
        source = "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
    strings:
        // file name of the embedded second-stage APK dropped by OmniRat samples
        $a = "android.engine.apk"
    condition:
        // manifest checks come from the androguard YARA module (Koodous)
        (androguard.activity(/com.app.MainActivity/i) and
        androguard.permission(/android.permission.WRITE_EXTERNAL_STORAGE/i) and
        androguard.package_name(/com.app/i)) and $a
}
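To see how the rule's clauses combine, here is an added Python example (not part of this page or of the rule author's work) that re-implements the condition over constructed APK facts. ApkFacts, android_omnirat and the three sample objects are assumptions made for this example; the regexes and the string are copied from the rule.

```python
import re
from dataclasses import dataclass

# Stand-in for the facts the androguard YARA module extracts from an APK
# (package name, declared activities, requested permissions) plus the raw
# bytes the rule's `strings:` section is scanned against. Hypothetical
# helper for this example, not a real androguard or YARA API.
@dataclass
class ApkFacts:
    package_name: str
    activities: list
    permissions: list
    raw: bytes

# The rule's three manifest regexes and one string, copied verbatim. The
# androguard module runs them as unanchored, case-insensitive (/i) searches,
# and an unescaped '.' matches any single character.
ACTIVITY_RE = re.compile(r"com.app.MainActivity", re.IGNORECASE)
PERMISSION_RE = re.compile(r"android.permission.WRITE_EXTERNAL_STORAGE", re.IGNORECASE)
PACKAGE_RE = re.compile(r"com.app", re.IGNORECASE)
STRING_A = b"android.engine.apk"

def android_omnirat(apk: ApkFacts) -> bool:
    """True when every clause of the Android_OmniRat condition holds."""
    has_activity = any(ACTIVITY_RE.search(a) for a in apk.activities)
    has_permission = any(PERMISSION_RE.search(p) for p in apk.permissions)
    has_package = PACKAGE_RE.search(apk.package_name) is not None
    return has_activity and has_permission and has_package and STRING_A in apk.raw

MANIFEST_OK = (["com.app.MainActivity"], ["android.permission.WRITE_EXTERNAL_STORAGE"])

# Constructed sample that satisfies all four clauses.
SUSPECT = ApkFacts("com.app", *MANIFEST_OK, b"PK\x03\x04 assets/android.engine.apk classes.dex")

# Constructed sample whose manifest matches but which lacks the embedded
# payload name, so the string clause fails and the rule does not fire.
NO_PAYLOAD = ApkFacts("com.app", *MANIFEST_OK, b"PK\x03\x04 classes.dex resources.arsc")

# Constructed sample showing how loose the regexes are: an unrelated package
# name still satisfies /com.app/i (unanchored substring, any char for '.'),
# and the permission matches despite different case. Only the combination of
# clauses carries signal, so a hit still needs analyst triage.
LOOKALIKE = ApkFacts(
    "COM.APPLICATION.NOTES",
    ["com.app.MainActivity"],
    ["android.permission.write_external_storage"],
    b"PK\x03\x04 assets/android.engine.apk",
)
```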
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($a) in its detection logic; its other conditions call androguard.activity, androguard.permission and androguard.package_name, which are provided by the androguard YARA module (as used by Koodous), so the rule only compiles in a YARA build that includes that module.
Scenario: A system administrator is using PowerShell to perform routine system diagnostics or script execution.
Filter/Exclusion: Exclude processes where the executable path contains powershell.exe and the command line includes -Command or -File with a script path in the system’s trusted script directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: A scheduled job runs Task Scheduler to execute a legitimate maintenance script that includes base64 encoded data for configuration purposes.
Filter/Exclusion: Exclude tasks where the task name or description contains keywords like “maintenance”, “backup”, or “config”, and the command line includes certutil -decode or similar base64 decoding commands.
Scenario: A Windows Update or Group Policy client service is downloading or processing a file that matches the OmniRat signature due to a false positive in the file hash.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the process name is wuauclt.exe or gpsvc.exe, or where the file path starts with C:\Windows\ or C:\Windows\System32\.
Scenario: A remote desktop session (RDP) is being used to execute a script that includes encoded or obfuscated commands, which the rule mistakenly identifies as OmniRat.
Filter/Exclusion: Exclude processes where the parent process is tsclient.exe or mstsc.exe, and the command line includes cmd.exe or powershell.exe with a script path in a user’s home directory.
Scenario: A log management tool like Splunk or ELK Stack is parsing logs and includes base64 encoded data in log entries, which the rule misidentifies as Omni