The hypothesis is that the detected behavior represents an Arabian spyware variant capable of recording calls and exfiltrating user data to a remote command and control server. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential espionage activities targeting organizational communications and sensitive information.
YARA Rule
rule spyAgent
{
meta:
description = "This rule detects arabian spyware which records call and gathers user information which is later sent to a remote c&c"
sample = "7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb"
reference = "https://blogs.mcafee.com/mcafee-labs/android-spyware-targets-security-job-seekers-in-saudi-arabia/"
author = "@koodous_project"
strings:
$phone = "0597794205"
$caption = "New victim arrived"
$cc = "http://ksa-sef.com/Hack%20Mobaile/ADDNewSMS.php"
$cc_alt = "http://ksa-sef.com/Hack%20Mobaile/AddAllLogCall.php"
$cc_alt2= "http://ksa-sef.com/Hack%20Mobaile/addScreenShot.php"
$cc_alt3= "http://ksa-sef.com/Hack%20Mobaile/ADDSMS.php"
$cc_alt4 = "http://ksa-sef.com/Hack%20Mobaile/ADDVCF.php"
$cc_alt5 = "http://ksa-sef.com/Hack%20Mobaile/ADDIMSI.php"
$cc_alt6 = "http://ksa-sef.com/Hack%20Mobaile/ADDHISTORYINTERNET.php"
$cc_alt7 = "http://ksa-sef.com/Hack%20Mobaile/addInconingLogs.php"
condition:
androguard.url(/ksa-sef\.com/) or ($phone and $caption) or ($cc and $cc_alt and $cc_alt2 and $cc_alt3 and $cc_alt4 and $cc_alt5 and $cc_alt6 and $cc_alt7)
}This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs spyAgent.exe as part of a routine system maintenance or update process.
Filter/Exclusion: Exclude processes associated with known system maintenance tools (e.g., schtasks.exe, taskhost.exe) or filter by process name matching spyAgent.exe when executed by the System or Local Service account.
Scenario: Admin-Initiated Log Collection
Description: An administrator uses a tool like PsLogList or Event Viewer to collect logs, which may trigger spyAgent.exe as part of a log parsing script.
Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges or filter by command-line arguments related to log collection tools.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool (e.g., Microsoft Defender, Bitdefender) may use a process named spyAgent.exe during a deep scan or quarantine operation.
Filter/Exclusion: Exclude processes that match known antivirus or endpoint protection tool binaries or filter by parent process (e.g., msmpeng.exe, mpsvc.exe).
Scenario: Remote Management Tool Execution
Description: A remote management tool like PsExec or PSTools is used to execute spyAgent.exe on a remote machine for configuration or patching.
Filter/Exclusion: Exclude processes launched via PsExec or PSTools by checking the parent process or command-line arguments for known remote execution tools.
Scenario: Custom Script or Automation Job
Description: A custom script or automation job (e.g., via Task Scheduler or PowerShell) runs spyAgent.exe to perform data aggregation or reporting.
Filter/Exclusion: Exclude processes launched by known automation