The detection identifies potential reuse of historical Koler.A domains, which may indicate adversary persistence or re-targeting of previously compromised assets. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover lingering threats and prevent re-infection of previously secured systems.
YARA Rule
import "cuckoo"

rule koler_domains : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Old Koler.A domains examples"
        sample = "2e1ca3a9f46748e0e4aebdea1afe84f1015e3e7ce667a91e4cfabd0db8557cbf"

    condition:
        // Each regex is unanchored and its "." is unescaped, so it matches
        // the literal domain, any subdomain of it, and any longer name that
        // merely contains the pattern with an arbitrary character in place
        // of the dot. Tighten the patterns if that is too broad for your
        // sandbox telemetry.
        cuckoo.network.dns_lookup(/police-scan-mobile.com/) or
        cuckoo.network.dns_lookup(/police-secure-mobile.com/) or
        cuckoo.network.dns_lookup(/mobile-policeblock.com/) or
        cuckoo.network.dns_lookup(/police-strong-mobile.com/) or
        cuckoo.network.dns_lookup(/video-porno-gratuit.eu/) or
        cuckoo.network.dns_lookup(/video-sartex.us/) or
        cuckoo.network.dns_lookup(/policemobile.biz/)
}
The following benign scenarios may trigger this rule when it is deployed; apply the listed filters or exclusions to reduce false positives:
**Scenario: Scheduled System Backup Using rsync**
Description: A scheduled backup job using rsync may temporarily connect to a domain associated with Koler.A because of a misconfigured backup script or a third-party tool that uses a hardcoded domain for logging or metrics.
Filter/Exclusion: Exclude connections made by rsync processes whose command line contains the --backup or --exclude flags, or that run as a known backup user (e.g., backup or root).
**Scenario: DNS Monitoring Tool Polling**
Description: A DNS monitoring tool like dnschecker.org or dnsmasq may periodically query domains for availability checks, and those queries could match the Koler.A domain pattern.
Filter/Exclusion: Exclude DNS queries originating from the DNS monitoring tool's IP range or from processes named dnschecker, dnsmasq, or nslookup.
**Scenario: Admin Task for Certificate Renewal**
Description: An administrator may use a tool like certbot or the Let's Encrypt CLI to renew SSL certificates, which may involve connecting to a domain that matches the Koler.A pattern during validation.
Filter/Exclusion: Exclude connections from processes named certbot or certbot-renew, or from the user account used for certificate management (e.g., certbot or root).
**Scenario: Log Aggregation with Fluentd or Logstash**
Description: A log aggregation system like Fluentd or Logstash may use a domain for sending logs to a centralized server; if that domain is misconfigured or matches the Koler.A pattern, it could trigger the rule.
Filter/Exclusion: Exclude connections from Fluentd or Logstash processes, or from the specific log forwarding server IP or domain.
**Scenario: Legacy Application Using Hard
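The same domain list and the process-based exclusions from the scenarios above, applied to host DNS query events instead of sandbox output. This is an added example, not part of the original rule or the Koodous project; the JSON event fields (host, process, query, cmdline) and the sample events are constructed. Unlike the YARA regexes, the matcher below escapes the dots and anchors on the domain suffix, so a longer name that only contains the pattern does not match.

```python
import json
import re

# Domains taken from the koler_domains YARA rule above.
KOLER_DOMAINS = [
    "police-scan-mobile.com", "police-secure-mobile.com",
    "mobile-policeblock.com", "police-strong-mobile.com",
    "video-porno-gratuit.eu", "video-sartex.us", "policemobile.biz",
]

# Exact domain or any subdomain of it; dots escaped, suffix anchored.
DOMAIN_RE = re.compile(
    r"(?:^|\.)(" + "|".join(re.escape(d) for d in KOLER_DOMAINS) + r")$"
)

# Process-name exclusions from the false-positive scenarios on this page.
EXCLUDED_PROCS = {"dnschecker", "dnsmasq", "nslookup", "certbot",
                  "certbot-renew", "fluentd", "logstash"}
BACKUP_FLAGS = ("--backup", "--exclude")


def is_excluded(event):
    """Apply the scenario exclusions: listed tools, or rsync in backup mode."""
    proc = event.get("process", "").lower()
    if proc in EXCLUDED_PROCS:
        return True
    return proc == "rsync" and any(f in event.get("cmdline", "") for f in BACKUP_FLAGS)


def match_domain(query):
    """Return the matched Koler.A domain, or None."""
    m = DOMAIN_RE.search(query.rstrip(".").lower())
    return m.group(1) if m else None


def hunt(log_lines):
    """Yield (host, process, domain) for non-excluded events hitting the list."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        domain = match_domain(ev.get("query", ""))
        if domain and not is_excluded(ev):
            hits.append({"host": ev["host"], "process": ev["process"], "domain": domain})
    return hits


# Constructed sample events (hypothetical JSON schema, not real telemetry).
SAMPLE_LOG = [
    '{"host":"ws01","process":"com.android.browser","query":"police-scan-mobile.com","cmdline":""}',
    '{"host":"ws02","process":"dnsmasq","query":"policemobile.biz","cmdline":""}',
    '{"host":"ws03","process":"rsync","query":"cdn.video-sartex.us","cmdline":"rsync --backup -a /src dst:/"}',
    '{"host":"ws04","process":"rsync","query":"video-sartex.us","cmdline":"rsync -a /src dst:/"}',
    '{"host":"ws05","process":"chrome","query":"police-scan-mobile.company.example","cmdline":""}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)  # ws01 and ws04 are reported; ws02/ws03 excluded, ws05 not a match
```

Note that the ws05 query would still match the YARA rule's unanchored /police-scan-mobile.com/ regex, which is the case the escaped, anchored matcher avoids.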