The hypothesis is that an adversary may be using iBanking-specific file signatures or strings to exfiltrate data or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data leakage or persistence mechanisms tied to financial applications.
YARA Rule
rule Android_Malware : iBanking android
{
    meta:
        author = "Xylitol [email protected]"
        date = "2014-02-14"
        description = "Match first two bytes, files and string present in iBanking"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"

    strings:
        // Generic android
        $pk = {50 4B}
        $file1 = "AndroidManifest.xml"

        // iBanking related
        $file2 = "res/drawable-xxhdpi/ok_btn.jpg"
        $string1 = "bot_id"
        $string2 = "type_password2"

    condition:
        ($pk at 0 and 2 of ($file*) and ($string1 or $string2))
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic: the ZIP magic bytes $pk (an APK is a ZIP archive, so 50 4B, "PK", must sit at offset 0), the two file-name strings $file1 and $file2 (both must be present), and the two iBanking indicator strings $string1 and $string2 (at least one must be present).
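To show how the condition above evaluates against an APK, and why a hit can depend on how the archive was compressed, here is an added Python example that is not part of the original page or of Xylitol's rule. It re-implements the three terms of the condition over raw bytes (as YARA does, without decompressing anything) and runs them against constructed in-memory ZIP archives that stand in for APKs; the sample entries, the fake classes.dex content and the function names are all my own assumptions.

```python
import io
import zipfile

# String definitions transcribed from the rule above (the variable names are mine).
PK_MAGIC = b"PK"                                    # $pk, required at offset 0
FILE_STRINGS = (b"AndroidManifest.xml",             # $file1 (generic Android)
                b"res/drawable-xxhdpi/ok_btn.jpg")  # $file2 (iBanking-specific)
IBANKING_STRINGS = (b"bot_id", b"type_password2")   # $string1, $string2


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each term of the condition separately so a hit can be explained.

    Condition on the page: $pk at 0 and 2 of ($file*) and ($string1 or $string2).
    Like YARA, this scans the raw bytes; nothing is decompressed.
    """
    pk_at_zero = data.startswith(PK_MAGIC)
    file_hits = sum(1 for s in FILE_STRINGS if s in data)
    string_hit = any(s in data for s in IBANKING_STRINGS)
    return {
        "pk_at_zero": pk_at_zero,
        "file_hits": file_hits,
        "string_hit": string_hit,
        "match": pk_at_zero and file_hits >= 2 and string_hit,
    }


def build_apk_like(entries: dict, compression: int = zipfile.ZIP_STORED) -> bytes:
    """Constructed sample: an in-memory ZIP standing in for an APK (an APK is a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed content for a fake classes.dex carrying the iBanking indicator strings.
DEX_LIKE = b"dex\n035\x00" + b"A" * 64 + b"bot_id\x00type_password2\x00"

IBANKING_SAMPLE = {
    "AndroidManifest.xml": b"<manifest/>",
    "res/drawable-xxhdpi/ok_btn.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "classes.dex": DEX_LIKE,
}
BENIGN_SAMPLE = {  # a generic app: manifest present, no ok_btn.jpg, no indicator strings
    "AndroidManifest.xml": b"<manifest/>",
    "res/drawable-xxhdpi/icon.png": b"\x89PNG" + b"\x00" * 16,
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
}


def scan_samples() -> dict:
    """Run the condition over four constructed inputs and return the verdicts."""
    return {
        # Stored (uncompressed) iBanking-like APK: every term is satisfied.
        "ibanking_stored": evaluate_rule(build_apk_like(IBANKING_SAMPLE)),
        # Same entries but deflated: entry names stay in plaintext in the ZIP
        # local headers and central directory, so $file1/$file2 still hit, but
        # the indicator strings inside classes.dex are now compressed and
        # invisible to a raw-byte scan, so the rule no longer fires.
        "ibanking_deflated": evaluate_rule(
            build_apk_like(IBANKING_SAMPLE, zipfile.ZIP_DEFLATED)),
        # Generic app: only one $file* string, so "2 of ($file*)" fails.
        "benign_apk": evaluate_rule(build_apk_like(BENIGN_SAMPLE)),
        # All strings present but not a ZIP: "$pk at 0" fails, e.g. a log line
        # that merely mentions the file names (constructed text).
        "log_text": evaluate_rule(
            b"scanned AndroidManifest.xml res/drawable-xxhdpi/ok_btn.jpg bot_id PK"),
    }


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18} {verdict}")
```

The deflated case is the practical caveat: the file-name terms of the rule are robust because ZIP keeps entry names uncompressed, while $string1/$string2 only hit when the bytes that carry them are stored uncompressed (or the scanner unpacks the archive first). When triaging a hit, look at which terms fired rather than only the final verdict.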
Scenario: Legitimate iBanking Application Update
Description: A scheduled job runs to update the iBanking application, which includes legitimate binary files that match the first two bytes of the detection rule.
Filter/Exclusion: Exclude files with the file type application/x-iBanking-update or use a filter like file.name contains "iBanking_update".
Scenario: System Log Files Containing iBanking Strings
Description: System logs or audit logs may contain strings related to iBanking due to administrative tasks or user activity, triggering the rule.
Filter/Exclusion: Exclude files with the file type log or use a filter like file.name contains "syslog" or file.name contains "audit.log".
Scenario: Malware Analysis with iBanking Strings in Memory
Description: During malware analysis, a sandbox or analysis tool (e.g., Cuckoo Sandbox) may capture memory dumps or strings that include iBanking-related text.
Filter/Exclusion: Exclude processes related to analysis tools using process.name contains "cuckoo" or process.name contains "sandbox".
Scenario: Backup Files Containing iBanking Strings
Description: Backup jobs may include files or strings from the iBanking application, leading to false positives when the backup files are scanned.
Filter/Exclusion: Exclude files with the file type backup or use a filter like file.name contains "backup" or file.name contains "bkp".
Scenario: Admin Task Exporting iBanking Configuration
Description: An administrator may export iBanking configuration files or scripts, which include strings or binary data matching the rule.
Filter/Exclusion: Exclude files with the file type configuration or