The hypothesis is that an adversary is using APK files associated with HackingTeam, potentially leveraging compromised certificates found in their mailboxes to establish covert communication or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence or data exfiltration tactics tied to known malicious actors.
YARA Rule
rule hacking_team : stcert android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "This rule detects the apk related to hackingteam - These certificates are present in mailboxes of hackingteam"
        samples = "c605df5dbb9d9fb1d687d59e4d90eba55b3201f8dd4fa51ec80aa3780d6e3e6e"

    strings:
        // Fragments that resemble the embedded signer certificate (UTCTime validity values and hex serials)
        $string_a_1 = "280128120000Z0W1"
        $string_a_2 = "E6FFF4C5062FBDC9"
        $string_a_3 = "886FEC93A75D2AC1"
        $string_a_4 = "121120104150Z"
        // Selection clauses that resemble queries against Android mail and contact stores
        $string_b_1 = "&inbox_timestamp > 0 and is_permanent=1"
        $string_b_2 = "contact_id = ? AND mimetype = ?"
        $string_c = "863d9effe70187254d3c5e9c76613a99"
        $string_d = "nv-sa1"

    condition:
        // Match on the combined string fingerprint, or on a known signer certificate.
        // The androguard module is provided by the Koodous scanner; a plain yara build
        // without that module cannot compile the certificate clauses below.
        (any of ($string_a_*) and any of ($string_b_*) and $string_c and $string_d) or
        androguard.certificate.sha1("B1BC968BD4F49D622AA89A81F2150152A41D829C") or
        androguard.certificate.sha1("3FEC88BA49773680E2A3040483806F56E6E8502E") or
        androguard.certificate.sha1("B0A4A4880FA5345D6B3B00C0C588A39815D3872E") or
        androguard.certificate.sha1("EC2184676D4AE153E63987326666BA0C554A4A60") or
        androguard.certificate.sha1("A7394CBAB09D35C69DA7FABB1A7870BE987A5F77") or
        androguard.certificate.sha1("A1131C7F816D65670567D6C7041F30E380754022") or
        androguard.certificate.sha1("4E40663CC29C1FE7A436810C79CAB8F52474133B") or
        androguard.certificate.sha1("159B4F6C03D43F27339E06ABFD2DE8D8D65516BC") or
        androguard.certificate.sha1("3EEE4E45B174405D64F877EFC7E5905DCCD73816") or
        androguard.certificate.sha1("9CE815802A672B75C078D920A5D506BBBAC0D5C9") or
        androguard.certificate.sha1("C4CF31DBEF79393FD2AD617E79C27BFCF19EFBB3") or
        androguard.certificate.sha1("2125821BC97CF4B7591E5C771C06C9C96D24DF8F")
        // 97257C6D8F6DA60EA27D2388D9AE252657FF3304 this certificate could be stolen
        // 03EA873D5D13707B0C278A0055E452416054E27B this certificate could be stolen
        // B8D5E3F0BCAD2EB03BB34AEE2B3F63FC5162C56B this certificate could be stolen
}
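The certificate clauses above depend on the Koodous androguard module, so a plain YARA build cannot evaluate them. The following is an added Python example, not part of the original rule, that reproduces that check offline: it pulls the signer certificate(s) out of an APK's v1 (JAR) signature block with a hand-written DER walker and compares their SHA-1 fingerprints against the rule's list. build_sample_apk and its fake certificate bytes are constructed for demonstration only.

```python
import hashlib
import io
import zipfile
HACKINGTEAM_CERT_SHA1 = {  # the twelve fingerprints from the rule's condition block
    "B1BC968BD4F49D622AA89A81F2150152A41D829C", "3FEC88BA49773680E2A3040483806F56E6E8502E", "B0A4A4880FA5345D6B3B00C0C588A39815D3872E",
    "EC2184676D4AE153E63987326666BA0C554A4A60", "A7394CBAB09D35C69DA7FABB1A7870BE987A5F77", "A1131C7F816D65670567D6C7041F30E380754022",
    "4E40663CC29C1FE7A436810C79CAB8F52474133B", "159B4F6C03D43F27339E06ABFD2DE8D8D65516BC", "3EEE4E45B174405D64F877EFC7E5905DCCD73816",
    "9CE815802A672B75C078D920A5D506BBBAC0D5C9", "C4CF31DBEF79393FD2AD617E79C27BFCF19EFBB3", "2125821BC97CF4B7591E5C771C06C9C96D24DF8F",
}

def der_children(buf):
    """Yield (tag, whole_tlv, body) for each top-level DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length, hdr = buf[i], buf[i + 1], 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            hdr, length = 2 + (length & 0x7F), int.from_bytes(buf[i + 2:i + 2 + (length & 0x7F)], "big")
        yield tag, buf[i:i + hdr + length], buf[i + hdr:i + hdr + length]
        i += hdr + length

def pkcs7_certificates(blob):
    """Raw DER X.509 certificates inside a PKCS#7 SignedData (META-INF/*.RSA)."""
    content_info = next(der_children(blob))[2]  # ContentInfo SEQUENCE body
    signed_data = [c for c in der_children(content_info) if c[0] == 0xA0][0][2]  # [0] EXPLICIT
    fields = list(der_children(next(der_children(signed_data))[2]))  # SignedData fields
    cert_set = [c for c in fields if c[0] == 0xA0]  # [0] IMPLICIT certificates (optional)
    return [tlv for _, tlv, _ in der_children(cert_set[0][2])] if cert_set else []

def apk_cert_sha1s(apk_bytes):
    """SHA-1 fingerprints of every signer certificate in the APK's v1 (JAR) signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        blocks = [n for n in apk.namelist()
                  if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return {hashlib.sha1(c).hexdigest().upper() for n in blocks for c in pkcs7_certificates(apk.read(n))}

def is_hackingteam_signed(apk_bytes):
    return bool(apk_cert_sha1s(apk_bytes) & HACKINGTEAM_CERT_SHA1)

def der(tag, body):  # short-form DER TLV encoder (< 128 bytes), only for the constructed sample
    return bytes([tag, len(body)]) + body

def build_sample_apk(cert_body=b"constructed-fake-certificate" * 3):
    """Constructed APK: one META-INF/CERT.RSA wrapping a single fake certificate (not real)."""
    cert = der(0x30, cert_body)
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"") + der(0xA0, cert) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue(), hashlib.sha1(cert).hexdigest().upper()
```

APKs signed only with the v2/v3 scheme carry no META-INF signature file, so apk_cert_sha1s returns an empty set for them and the string clauses of the rule are the only remaining signal.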
This rule contains 8 string patterns in its detection logic. When it is deployed, the following legitimate scenarios may trigger it, and each lists the filter or exclusion to consider:
Scenario: System Update or Patching Job
Description: A legitimate system update or patching job may include APK files that are signed with certificates similar to those associated with hackingteam.
Filter/Exclusion: Exclude APK files signed by known enterprise update servers (e.g., signature = "enterprise-update-signing-certificate").
Scenario: Mobile Device Management (MDM) Tool Deployment
Description: MDM tools like Microsoft Intune, Jamf, or MobileIron may distribute APK files that include certificates used for device management, which could resemble hackingteam certificates.
Filter/Exclusion: Exclude APK files associated with MDM tools by checking the file_name or process_name fields (e.g., file_name contains "intune" or process_name contains "mobileiron").
Scenario: Scheduled Backup Job
Description: A scheduled backup job might transfer APK files from a device to a server, which could include certificates that match those of hackingteam.
Filter/Exclusion: Exclude files transferred by backup processes using process_name contains "backup" or process_name contains "rsync".
Scenario: Admin Tool or Script Execution
Description: An admin may use tools like ADB (Android Debug Bridge) or Fastboot to push APK files to devices for testing or configuration, which could include certificates that trigger the rule.
Filter/Exclusion: Exclude APK files associated with admin tools by checking the process_name field (e.g., process_name contains "adb" or process_name contains "fastboot").
Scenario: Email Client Certificate Verification
Description: Email clients like Microsoft Outlook or Thunderbird may verify certificates during secure email communication, which could include certificates similar to those used by hackingteam.
Filter/