Yara rule for Banking trojan targeting South Korean banks

Hunt Hypothesis

The detection identifies potential execution of a South Korean-targeted banking trojan leveraging Yara signatures, indicating possible lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior to detect early-stage compromise and prevent financial data theft in Azure Sentinel environments.

YARA Rule

rule andr_sk_bank
{
	meta:
		description = "Yara rule for Banking trojan targeting South Korean banks"
		sample = "0af5c4c2f39aba06f6793f26d6caae134564441b2134e0b72536e65a62bcbfad"
		source = "https://www.zscaler.com/blogs/research/android-malware-targeting-south-korean-mobile-users"
		author = "https://twitter.com/5h1vang"

	strings:
		$str_1 = "NPKI"
		$str_2 = "portraitCallBack("
		$str_3 = "android.app.extra.DEVICE_ADMIN"
		$str_4 = "SMSReceiver&imsi="
		$str_5 = "com.ahnlab.v3mobileplus"

	condition:
		androguard.package_name("com.qbjkyd.rhsxa") or
		androguard.certificate.sha1("543382EDDAFC05B435F13BBE97037BB335C2948B") or
		(androguard.permission(/android.permission.RECEIVE_SMS/) and
		androguard.permission(/android.permission.INTERNET/) and 
		androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/) and 
		all of ($str_*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled system backup using Veeam Backup & Replication
  Filter/Exclusion: Exclude processes associated with VeeamBackup.exe or check for the presence of Veeam in the process name or command line arguments.

• Scenario: Admin task for updating antivirus definitions using Microsoft Defender
  Filter/Exclusion: Exclude processes with MsMpEng.exe or check for the presence of Microsoft Defender in the process name or command line arguments.

• Scenario: Log collection task using Splunk Forwarder
  Filter/Exclusion: Exclude processes associated with splunkforwarder.exe or check for the presence of Splunk in the process name or command line arguments.

• Scenario: Database maintenance job using SQL Server Agent
  Filter/Exclusion: Exclude processes with sqlservr.exe or check for the presence of SQL Server Agent in the command line arguments.

• Scenario: Network monitoring tool using Wireshark for packet capture
  Filter/Exclusion: Exclude processes associated with wireshark.exe or check for the presence of Wireshark in the process name or command line arguments.