This YARA rule, written for the Koodous Android malware platform, flags Android APKs whose declared package name matches one of six package names the author ties to SMS-sender malware (the rule is tagged sms_sender and android). It is a file-level signature: it runs through the androguard YARA module against APK samples, on Koodous or with a local yara build that includes that module. It is not an Azure Sentinel analytic rule, does not inspect logs or host telemetry, and does not attribute activity to any adversary or country; "chinese2" is only the rule's name. To operationalize it, scan APKs collected from mobile fleets, app-store feeds or sandbox submissions and forward hits to the SIEM for triage.
YARA Rule
// Requires the androguard YARA module (available on Koodous; for local use,
// a yara build that includes it). The import is added so the rule compiles
// stand-alone; Koodous supplies the module either way.
import "androguard"

rule chinese2 : sms_sender android
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
// Each argument is a regular expression matched against the package name
// declared in the APK manifest. As written the patterns are unanchored and
// the dots are unescaped, so each also matches any package name that merely
// contains the pattern, with any character in place of a dot.
androguard.package_name(/com.adr.yykbplayer/) or
androguard.package_name(/sdej.hpcite.icep/) or
androguard.package_name(/p.da.wdh/) or
androguard.package_name(/com.shenqi.video.sjyj.gstx/) or
androguard.package_name(/cjbbtwkj.xyduzi.fa/) or
androguard.package_name(/kr.mlffstrvwb.mu/)
}
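The following Python script is an added example, not part of the original rule or of Koodous, that reproduces the rule's condition over a list of package names and contrasts it with anchored, dot-escaped patterns. It assumes that androguard.package_name() applies YARA's usual unanchored regex search to the manifest package name; the sample package names are constructed for illustration and only the six patterns are taken from the rule.

```python
import re

# The six patterns exactly as they appear in the chinese2 rule's condition.
RULE_PATTERNS = [
    r"com.adr.yykbplayer",
    r"sdej.hpcite.icep",
    r"p.da.wdh",
    r"com.shenqi.video.sjyj.gstx",
    r"cjbbtwkj.xyduzi.fa",
    r"kr.mlffstrvwb.mu",
]


def matches_rule(package_name: str) -> bool:
    """Emulate androguard.package_name(/pattern/) for each pattern as written.

    Assumption: the module performs an unanchored regex search, so '.' matches
    any character and the pattern may sit anywhere inside the package name.
    """
    return any(re.search(p, package_name) for p in RULE_PATTERNS)


def strict_patterns() -> list:
    """Escape the dots and anchor both ends so only the literal names match."""
    return [re.compile("^" + re.escape(p) + "$") for p in RULE_PATTERNS]


def matches_rule_strict(package_name: str) -> bool:
    """Same six names, but as exact literal package-name matches."""
    return any(rx.match(package_name) for rx in strict_patterns())


def triage(package_names: list) -> dict:
    """Return {package_name: (loose_hit, strict_hit)} for each candidate."""
    return {
        name: (matches_rule(name), matches_rule_strict(name))
        for name in package_names
    }


# Constructed package names, not real samples: one exact hit, two look-alikes
# that only the loose patterns accept, and one benign name.
SAMPLE_PACKAGE_NAMES = [
    "com.adr.yykbplayer",                    # exact name from the rule
    "com.adrXyykbplayer",                    # unescaped '.' matches the 'X'
    "org.example.com.adr.yykbplayer.helper", # unanchored pattern found inside
    "com.example.app-da-wdh",                # 'p.da.wdh' is short enough to collide
    "com.example.benign",                    # matches nothing
]

if __name__ == "__main__":
    for name, (loose, strict) in triage(SAMPLE_PACKAGE_NAMES).items():
        print(f"{name:40s} rule-as-written={loose!s:5s} anchored+escaped={strict}")
```

Only the first name is a true match; the other three hits come entirely from the unescaped dots and missing anchors, which is why a hit on this rule should be corroborated with other APK evidence (requested SMS permissions, signing certificate, strings) rather than acted on alone.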
Deployment contexts and false-positive notes. Because the rule matches only the package name declared in an APK manifest, it is meaningful only when scanning APK files (on Koodous, or locally with a yara build that includes the androguard module); it cannot fire on Windows host activity. The scenarios below describe Windows processes that can write Chinese text into files or logs, so the exclusions they recommend are not needed for this rule. Its real false-positive surface is the package-name regexes themselves: they are unanchored and their dots are unescaped, so a benign app whose package name merely contains one of these strings, or differs from it only in a dot position, also matches. Anchor and escape the patterns, and corroborate any hit with other APK indicators (requested SMS permissions, signing certificate, strings) before acting on it.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate backup job initiated by Veeam may generate files with Chinese characters in their names or content due to encoding or logging.
Filter/Exclusion: Exclude files generated by Veeam Backup & Replication during scheduled backup windows using the process name veeam.exe or by checking the file path against known backup directories.
Scenario: Log File Analysis Using Splunk
Description: Splunk may process log files that contain non-ASCII characters, including Chinese text, during log parsing or normalization tasks.
Filter/Exclusion: Exclude files or processes associated with Splunk (e.g., splunkd.exe) and filter based on log file paths or content types that are known to be processed by Splunk.
Scenario: Software Update Using Microsoft Windows Update
Description: During Windows Update, temporary files or logs may include Chinese characters due to localization settings or third-party update tools.
Filter/Exclusion: Exclude files created by wuauserv or svchost.exe and filter based on file paths within the C:\Windows\SoftwareDistribution directory.
Scenario: Database Backup Using MySQL with Chinese Character Support
Description: A MySQL database configured to use a Chinese character set (e.g., utf8mb4) may generate backup files or logs containing Chinese text.
Filter/Exclusion: Exclude files created by mysqld.exe and filter based on file extensions like .sql, .backup, or paths within the MySQL data directory.
Scenario: Admin Task Using PowerShell with Chinese Output
Description: A PowerShell script run by an admin may output Chinese text in the console or log files, especially if the script is handling multilingual data or localization.
Filter/Exclusion: Exclude