Military personnel from Middle Eastern countries are the target of an ongoing surveillanceware operation that delivers an Android data collection tool called GuardZoo.

The campaign, which is believed to have started in early October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and attack infrastructure location, according to Lookout.

More than 450 victims have been affected by the malicious activity, with targets in Egypt, Oman, Qatar, Saudi Arabia, Turkey, United Arab Emirates and Yemen. Telemetry data suggests that most of the infections have been recorded in Yemen.


GuardZoo is a modified version of an Android remote access trojan (RAT) known as Dendroid RAT, which was first discovered by Broadcom-owned Symantec in March 2014. The entire source code associated with the crimeware solution was leaked that August.

Originally marketed as commodity malware for a one-time price of $300, it can call phone numbers, delete call logs, open web pages, record audio and calls, access SMS messages, take and upload photos and videos, and even comes with the capability to launch HTTP flood attacks.

“However, many changes were made to the codebase to add new functionalities and remove unused functions,” Lookout researchers Alemdar Islamoglu and Kyle Schmittle said in a report shared with The Hacker News. “GuardZoo does not use the PHP web panel leaked from the Dendroid RAT for command and control (C2) but instead uses a new C2 backend built with ASP.NET.”

Attack chains distributing GuardZoo leverage WhatsApp and WhatsApp Business as distribution vectors, with initial infections also occurring through direct browser downloads. The booby-trapped Android apps have military and religious themes to entice users to download them.

“We observed GuardZoo being distributed in two different ways,” Islamoglu told The Hacker News. “First, the threat actor sends the APK file directly to the target through private chat applications (WhatsApp, WhatsApp Business) using the file sending capability of chat applications.”

“Otherwise, the threat actor uploads the file to an Internet-accessible server and then shares the link with the target in hopes that the target will download and install the APK file.”

The updated version of the malware supports more than 60 commands that allow it to fetch additional payloads, download files and apps, upload documents (PDF, DOC, DOCX, XLS, XLSX, and PPT) and images, change the C2 address, and delete, update, or uninstall itself from the compromised device.

The Android malware also has functionality to upload all files with the extensions KMZ, WPT, RTE, and TRK, each of which corresponds to mapping and CompeGPS data that describes waypoints, routes, and tracks.


“GuardZoo has been using the same dynamic DNS domain for C2 operations since October 2019,” the researchers said. “These domains resolve to IP addresses registered on Yemennet and they change regularly.”
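The two behaviours described above, the upload of documents, images and CompeGPS mapping files, and a C2 hostname whose resolved IP keeps changing, are both things a defender can look for in device egress and DNS telemetry. The following script is an added example written for this article; it is not Lookout's code and contains nothing from GuardZoo itself. The log format, device IDs, hostnames (`c2-example.invalid`, `cdn.example.invalid`) and IP addresses are all constructed, and the image extensions are an assumption since the article does not list them.

```python
"""Defender-side triage over constructed mobile egress/DNS logs.

Added example, not Lookout's or GuardZoo's code. It demonstrates two
heuristics drawn from the article: (1) outbound uploads of the file types
GuardZoo collects (documents, images, CompeGPS/mapping files) and
(2) hostnames that resolve to many different IPs over time, as a dynamic
DNS C2 does. Hostnames, IPs, device IDs and the log format are constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# File extensions the article says GuardZoo uploads, grouped by category.
TARGETED_EXTENSIONS = {
    "document": {"pdf", "doc", "docx", "xls", "xlsx", "ppt"},
    "image": {"jpg", "jpeg", "png"},  # assumption: common image formats
    "mapping": {"kmz", "wpt", "rte", "trk"},
}

# Constructed log format:
#   "<ISO time> UPLOAD <device> <host> <path>"  or
#   "<ISO time> DNS    <device> <host> <resolved_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>UPLOAD|DNS) (?P<device>\S+) (?P<host>\S+) (?P<arg>\S+)$"
)

SAMPLE_LOG = """\
2024-06-01T08:00:01 DNS dev-17 c2-example.invalid 203.0.113.10
2024-06-01T08:00:02 UPLOAD dev-17 c2-example.invalid /sdcard/Download/orders.docx
2024-06-01T08:05:00 UPLOAD dev-17 c2-example.invalid /sdcard/DCIM/IMG_0412.jpg
2024-06-01T09:10:00 DNS dev-17 c2-example.invalid 203.0.113.77
2024-06-01T09:10:05 UPLOAD dev-17 c2-example.invalid /sdcard/CompeGPS/patrol.trk
2024-06-01T11:30:00 DNS dev-17 c2-example.invalid 198.51.100.5
2024-06-01T11:30:02 UPLOAD dev-17 c2-example.invalid /sdcard/CompeGPS/route1.rte
2024-06-01T12:00:00 DNS dev-17 cdn.example.invalid 192.0.2.20
2024-06-01T12:00:01 UPLOAD dev-17 cdn.example.invalid /sdcard/Music/song.mp3
2024-06-01T13:00:00 DNS dev-17 cdn.example.invalid 192.0.2.20
"""


def parse(log_text):
    """Parse constructed log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def categorize_path(path):
    """Return the GuardZoo target category for a file path, or None."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    for category, exts in TARGETED_EXTENSIONS.items():
        if ext in exts:
            return category
    return None


def flagged_uploads(events):
    """Uploads whose file type matches GuardZoo's collection targets."""
    flagged = []
    for ev in events:
        if ev["kind"] != "UPLOAD":
            continue
        category = categorize_path(ev["arg"])
        if category:
            flagged.append((ev["host"], ev["arg"], category))
    return flagged


def rotating_hosts(events, min_distinct_ips=3):
    """Hosts that resolved to at least min_distinct_ips addresses in the window."""
    ips = defaultdict(set)
    for ev in events:
        if ev["kind"] == "DNS":
            ips[ev["host"]].add(ev["arg"])
    return {h: sorted(s) for h, s in ips.items() if len(s) >= min_distinct_ips}


def triage(log_text, min_distinct_ips=3):
    """Combine both heuristics; a rotating host receiving mapping files is high risk."""
    events = parse(log_text)
    uploads = flagged_uploads(events)
    rotating = rotating_hosts(events, min_distinct_ips)
    high_risk = sorted({h for h, _, cat in uploads if cat == "mapping" and h in rotating})
    return {"flagged_uploads": uploads, "rotating_c2": rotating, "high_risk_hosts": high_risk}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, path, cat in result["flagged_uploads"]:
        print(f"upload  {cat:8s} {path} -> {host}")
    for host, ips in result["rotating_c2"].items():
        print(f"rotating host {host}: {', '.join(ips)}")
    print("high-risk hosts:", result["high_risk_hosts"])
```

Neither signal is conclusive on its own: legitimate CDNs also rotate addresses and users do upload documents, so the script only escalates a host when both patterns coincide. The threshold in `rotating_hosts` and the log window should be tuned to the telemetry actually available from the MDM or DNS resolver in use.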

The Houthis, a militant group that controls Sana’a and northwest Yemen, have adopted cyber capabilities into their arsenal in recent years. In May 2023, Recorded Future revealed a mobile spying campaign carried out by a hacking group associated with the movement that used WhatsApp to deploy an Android malware known as SpyNote (aka SpyMax).

“GuardZoo’s design is specifically focused on stealing images, documents and mapping files from victims’ devices, and it has been used in the past to successfully steal sensitive military documents,” Islamoglu said.

“The mapping files in particular are not commonly collected in similar spyware used by other threat actors, and indicate that the threat actor is interested in tracking military movements, which are possibly being recorded in navigation applications. This suggests that GuardZoo is being used to gather both tactical and strategic military intelligence that can be leveraged in other operations by the Houthis.”

A Google spokesperson shared the following statement with The Hacker News: “Google Play Protect warns users, blocks apps and automatically uninstalls apps that contain this malware on Android devices with Google Play Services, even when those apps come from sources outside of Play.”

(The story was updated after publication to include additional comments from Lookout and Google.)
