BankBot/Mazain attacking polish banks

Hunt Hypothesis

BankBot/Mazain is leveraging compromised credentials to exfiltrate sensitive data from Polish financial institutions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage lateral movement and data exfiltration attempts by this financially motivated threat actor.

YARA Rule

rule bankbot_polish_banks : banker
{
    meta:
        author = "Eternal"
        hash0 = "86aaed9017e3af5d1d9c8460f2d8164f14e14db01b1a278b4b93859d3cf982f5"
        description = "BankBot/Mazain attacking polish banks"
        reference = "https://www.cert.pl/en/news/single/analysis-of-a-polish-bankbot/"
    strings:
        $bank1 = "com.comarch.mobile"
        $bank2 = "eu.eleader.mobilebanking.pekao"
        $bank3 = "eu.eleader.mobilebanking.raiffeisen"
        $bank4 = "pl.fmbank.smart"
        $bank5 = "pl.mbank"
        $bank6 = "wit.android.bcpBankingApp.millenniumPL"
        $bank7 = "pl.pkobp.iko"
        $bank8 = "pl.plus.plusonline"
        $bank9 = "pl.ing.mojeing"
        $bank10 = "pl.bzwbk.bzwbk24"
        $bank11 = "com.getingroup.mobilebanking"
        $bank12 = "eu.eleader.mobilebanking.invest"
        $bank13 = "pl.bph"
        $bank14 = "com.konylabs.cbplpat"
        $bank15 = "eu.eleader.mobilebanking.pekao.firm"

        $s1 = "IMEI"
        $s2 = "/:/"
        $s3 = "p="
        $s4 = "SMS From:"

    condition:
        all of ($s*) and 1 of ($bank*) and 
        androguard.permission(/android.permission.INTERNET/) and 
        androguard.permission(/android.permission.WAKE_LOCK/) and
        androguard.permission(/android.permission.READ_EXTERNAL_STORAGE/) and
        androguard.permission(/android.permission.RECEIVE_MMS/) and
        androguard.permission(/android.permission.READ_SMS/) and
        androguard.permission(/android.permission.RECEIVE_SMS/)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 19 string patterns in its detection logic.

References

• https://www.cert.pl/en/news/single/analysis-of-a-polish-bankbot/
• Source Rule

False Positive Guidance

• Scenario: Scheduled backup job using Veeam Backup & Replication
  Filter/Exclusion: Exclude processes initiated by veeambackup.exe or with command lines containing backup or restore.

• Scenario: System administrator performing Windows Update via Group Policy
  Filter/Exclusion: Exclude processes with parent process services.exe and command lines containing wuauclt.exe or gpupdate.

• Scenario: Database maintenance task using SQL Server Agent Job
  Filter/Exclusion: Exclude processes with parent process sqlservr.exe and command lines containing sqlagent.exe or sp_updatestats.

• Scenario: IT staff running PowerShell scripts for log rotation or monitoring
  Filter/Exclusion: Exclude processes with parent process powershell.exe and command lines containing logrotate, rotate, or monitor.

• Scenario: Security team using Splunk for log analysis and correlation
  Filter/Exclusion: Exclude processes with parent process splunkd.exe and command lines containing search, query, or index.