fake instagram

Hunt Hypothesis

The detection identifies potential adversary activity mimicking a social media platform to evade detection and establish a foothold. SOC teams should proactively hunt for this behavior to uncover initial compromise attempts that may bypass traditional security controls.

YARA Rule

rule fake_instagram: fake android
{
  meta:
		  author = "https://twitter.com/Diviei"
		  reference = "https://koodous.com/"
	condition:
		androguard.app_name("Instagram")
		and not androguard.certificate.sha1("76D72C35164513A4A7EBA098ACCB2B22D2229CBE")
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

References

• https://koodous.com/
• Source Rule

False Positive Guidance

• Scenario: Scheduled Backup Job Using rsync
  Description: A legitimate scheduled backup job using rsync may generate traffic resembling the fake_instagram rule due to large data transfers.
  Filter/Exclusion: Exclude traffic originating from known backup tools (e.g., rsync, borgbackup) or processes with backup in their command line arguments.

• Scenario: System Integrity Check Using tripwire
  Description: A system integrity check tool like tripwire may generate high volume of file system scans, which could trigger the rule due to frequent file access patterns.
  Filter/Exclusion: Exclude processes associated with tripwire or any system integrity monitoring tools, using process name or command line arguments.

• Scenario: Log Rotation Using logrotate
  Description: The logrotate utility may cause frequent file modifications and deletions, which could be misinterpreted as suspicious activity by the fake_instagram rule.
  Filter/Exclusion: Exclude processes with logrotate in their command line or those modifying files in standard log directories (e.g., /var/log).

• Scenario: Admin Task Using find with -delete
  Description: An administrator may use the find command with -delete to clean up old files, which could trigger the rule due to rapid file deletion patterns.
  Filter/Exclusion: Exclude processes where the command line includes find and -delete, or filter by user (e.g., root or admin).

• Scenario: Database Maintenance Using pg_restore
  Description: A PostgreSQL database maintenance task using pg_restore may involve large file operations that could be flagged by the fake_instagram rule.
  Filter/Exclusion: Exclude processes involving pg_restore or other