Adversaries may use trojans mimicking North American, European, and Asian banks to evade detection and gain initial access to victim networks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and lateral movement attempts.
YARA Rule
rule SlemBunk : android
{
    meta:
        description = "Rule to detect trojans imitating banks of North America, Europe and Asia"
        author = "@plutec_net"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
        source = "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
    strings:
        $a = "#intercept_sms_start"
        $b = "#intercept_sms_stop"
        $c = "#block_numbers"
        $d = "#wipe_data"
        $e = "Visa Electron"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
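As an added example that is not part of the original page or of the rule author's tooling, the following Python script parses the rule's strings section and its "all of them" condition and evaluates it against two constructed byte buffers that stand in for file content such as a decompiled APK; it handles only plain text strings and "all/any/N of them" conditions, not the full YARA language.

```python
import re

# Added example (not the page's own tooling): a minimal evaluator for
# text-string YARA rules with an "all/any/N of them" condition, enough to
# sanity-check the SlemBunk rule offline against a buffer. Real YARA also
# handles hex and regex strings, modifiers and richer conditions.
# The meta block is omitted here; the parser ignores it anyway.
SLEMBUNK_RULE = r'''
rule SlemBunk : android
{
    strings:
        $a = "#intercept_sms_start"
        $b = "#intercept_sms_stop"
        $c = "#block_numbers"
        $d = "#wipe_data"
        $e = "Visa Electron"
    condition:
        all of them
}
'''

# $identifier = "text string", with \" and \\ escapes allowed inside
_STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)
_COND_RE = re.compile(r'condition:\s*(all|any|\d+)\s+of\s+them')


def parse_rule(rule_text):
    """Return (rule name, {identifier: pattern bytes}, number of strings required)."""
    name = re.search(r'\brule\s+(\w+)', rule_text).group(1)
    body = rule_text.split('strings:', 1)[1].split('condition:', 1)[0]
    patterns = {ident: re.sub(r'\\(.)', r'\1', val).encode('utf-8')
                for ident, val in _STRING_RE.findall(body)}
    quant = _COND_RE.search(rule_text).group(1)
    needed = len(patterns) if quant == 'all' else 1 if quant == 'any' else int(quant)
    return name, patterns, needed


def evaluate(rule_text, data):
    """Evaluate the rule against bytes `data`; return (matched, identifiers found)."""
    _, patterns, needed = parse_rule(rule_text)
    found = [ident for ident, pat in patterns.items() if pat in data]
    return len(found) >= needed, found


# Constructed stand-ins for file content, not real samples: one carries all
# five command tokens, the other only the bank-brand string.
SUSPICIOUS = (b'\x00\x01cmd:#intercept_sms_start\x00#intercept_sms_stop\x00'
              b'#block_numbers\x00#wipe_data\x00overlay:Visa Electron\x00')
BENIGN = b'<string name="card_type">Visa Electron</string>'

if __name__ == '__main__':
    for label, buf in (('suspicious', SUSPICIOUS), ('benign', BENIGN)):
        print(label, evaluate(SLEMBUNK_RULE, buf))
```

The benign buffer shows why the condition is "all of them": a single bank-brand string such as "Visa Electron" appears in plenty of legitimate banking apps, so only the combination with the command tokens should fire.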
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using Veeam Backup & Replication or Commvault may generate traffic resembling trojan behavior (e.g., connecting to external IPs or using similar command-line arguments).
Filter/Exclusion: Check process parentage (parent_process = "task scheduler" or parent_process = "services.exe") and verify whether the process is associated with a known backup tool.
Scenario: Admin Task for Patch Management
Description: A system administrator may run a Microsoft Update Assistant or WSUS task that temporarily connects to Microsoft servers or uses command-line syntax similar to a trojan's.
Filter/Exclusion: Include a filter for process_name = "wuauclt.exe" or process_name = "msupdate.exe" and check for known patch management tools in the process tree.
Scenario: Legitimate Software Update via Chocolatey
Description: A Chocolatey package installation might trigger network activity that matches the rule’s signature, especially if it downloads from a trusted source like chocolatey.org.
Filter/Exclusion: Use a filter for process_name = "choco.exe" and verify the download source against known trusted repositories.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent Job might initiate a connection to a remote database or use command-line tools like sqlcmd that could be mistaken for a trojan.
Filter/Exclusion: Filter by process_name = "sqlcmd.exe" and check for the presence of SQL Server services or known backup scripts in the job definition.
Scenario: Network Monitoring Tool Traffic
Description: A tool like Wireshark or tcpdump may generate network traffic that resembles malicious activity, especially when