The hypothesis is that the detected behavior indicates an adversary carrying out SMS-based fraud, using compromised credentials to send malicious messages. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential SMSFraud trojan activity before it leads to data exfiltration or financial loss.
YARA Rule
rule smsfraud1 : android
{
    meta:
        author = "Antonio Sánchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects a kind of SMSFraud trojan"
        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"
    strings:
        $a = "E!QQAZXS"
        $b = "__exidx_end"
        $c = "res/layout/notify_apkinstall.xmlPK"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
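As an added example (not part of the original page or the Koodous rule author's code), the following Python emulates the rule's three string checks and its `all of them` condition with plain byte searches instead of the yara library, run against two constructed in-memory APK-like ZIPs; every file name and content in it is invented. It also shows why $c ends in "PK": the ZIP central directory places each entry name right before the next "PK" record signature, so the string hits there even though the entry's own bytes are unrelated.

```python
import io
import zipfile

# The three literal patterns from rule smsfraud1 as raw bytes; YARA text
# strings match the byte sequence anywhere in the scanned file.
SMSFRAUD1_STRINGS = {
    "$a": b"E!QQAZXS",     # opaque marker chosen by the rule author
    "$b": b"__exidx_end",  # ARM EABI exception-index symbol found in native .so code
    "$c": b"res/layout/notify_apkinstall.xmlPK",  # ZIP entry name + next "PK" header
}

def match_strings(data: bytes) -> dict:
    """Return {identifier: offset of first hit, or -1} for each rule string."""
    return {name: data.find(pat) for name, pat in SMSFRAUD1_STRINGS.items()}

def matches_smsfraud1(data: bytes) -> bool:
    """Emulate the rule condition 'all of them': every string must be present."""
    return all(off >= 0 for off in match_strings(data).values())

def build_apk(entries: dict) -> bytes:
    """Build a constructed APK-like ZIP in memory (an APK is a ZIP archive).

    No extra fields or comments are written, so in the central directory each
    file name is immediately followed by the next 'PK' signature; that is the
    layout the trailing 'PK' in $c relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()

# Constructed samples: neither is real malware; they only exercise the rule logic.
SUSPECT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "res/layout/notify_apkinstall.xml": b"<LinearLayout/>",
    # invented native library carrying the other two markers
    "lib/armeabi/libpayload.so": b"\x7fELF" + b"\x00" * 12 + b"__exidx_end\x00E!QQAZXS\x00",
})
BENIGN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "res/layout/notify_apkinstall.xml": b"<LinearLayout/>",  # $c alone is not enough
})

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        print(label, match_strings(apk), "->", matches_smsfraud1(apk))
```

The benign archive hits $c alone, which is why the rule's `all of them` condition, not any single string, is what keeps it from firing on ordinary apps that happen to ship a layout with that name.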
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a backup or log rotation, may trigger the rule due to process creation or file access patterns similar to malware behavior.
Filter/Exclusion: Exclude processes associated with known system maintenance tools like vssvc.exe (Volume Shadow Copy Service) or schtasks.exe when running scheduled jobs.
Scenario: Admin Task Using PowerShell for Configuration Changes
Description: An administrator may use PowerShell scripts to configure network settings or update policies, which could resemble the behavior of a trojan.
Filter/Exclusion: Exclude processes initiated by powershell.exe when executed by users with administrative privileges and when the command line includes known administrative tasks (e.g., netsh, ipconfig, Set-ItemProperty).
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus or endpoint protection tools may perform deep scans that involve file access and process creation, which could be mistaken for malicious activity.
Filter/Exclusion: Exclude processes associated with known security tools like mpsvc.exe (Microsoft Defender), avgnt.exe, or bitdefender.exe during scheduled or on-demand scans.
Scenario: User-Initiated File Transfer via SMB
Description: A user may transfer files via SMB (e.g., using smbclient or net use), which could trigger the rule due to network activity or file access patterns.
Filter/Exclusion: Exclude network traffic originating from user-initiated file transfers using tools like smbclient, net use, or robocopy during normal business hours.
Scenario: Log Collection or Monitoring Tool Activity
Description: Tools like logparser.exe, splunkforwarder, or syslog-ng may perform file access