Spyware attributed to pro-Houthi hackers used against militaries across Middle East
2024-7-9 20:31:27 Author: therecord.media(查看原文) 阅读量:5 收藏

Surveillance technology deployed by allies of a Yemeni Shia Islamist organization has been used to target militaries across the Middle East since 2019, new research shows.

A Houthi-aligned threat actor used malware referred to as GuardZoo to collect photos, documents and other files stored on infected devices, researchers at mobile security firm Lookout said in a report Tuesday.

According to unsecured command and control server logs, most of the roughly 450 victims were located in Yemen, Saudi Arabia, Egypt and Oman with a smaller number found in the United Arab Emirates, Turkey and Qatar.

The Houthis took control of Yemen’s capital city in 2014, leading to a civil war and famine. Human rights groups have reported that beginning in June 2019 a controversial Saudi-led intervention there sparked a wave of arbitrary arrests, torture and enforced disappearances.

The attribution to the Houthi-aligned threat actor was made via “application lures, exfil data, targeting and the C2 infrastructure location,” according to the report.

The surveillance tool is named after a piece of source code that persistently clings to an infected device, Lookout said. In addition to stealing photos and documents, it also can “coordinate data files related to marked locations, routes and tracks,” the report said, and is able to identify an infected device’s location, model, cellular service carrier and Wi-Fi configuration.

GuardZoo also can download and install “arbitrary applications on the device – indicating it can

introduce new invasive capabilities as long as the device is infected,” the report said.

The spyware has mainly been found in military-themed applications, Lookout said, and distribution and infections have largely originated in WhatsApp, WhatsApp Business and through browser downloads. In a minority of other cases, victims were lured by content containing a religious-themed prayer app or an e-book theme.

GuardZoo was first discovered by researchers in October 2022. Lookout says the tool is based on a “commodity spyware” named Dendroid RAT, which has been in use for at least a decade.

Upon infecting a device, GuardZoo connects to the command and control and defaults to sending four commands to every new victim, including to deactivate local logging and upload metadata for all files.

“These extensions are related to maps, GPS and markings showing waypoints, routes and tracks,” Lookout’s report said.

Although lures for GuardZoo were originally general, they’ve evolved to include military themes with titles like “Constitution Of The Armed Forces” and “Restructuring Of The New Armed Forces." Emblems for the militaries of various Middle Eastern countries, including Yemen and Saudi Arabia, appeared on military apps used as a lure.

App lures also used military emblems from different countries such as the Yemen Armed Forces and Command and Staff College of the Saudi Armed Forces. 

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

文章来源: https://therecord.media/pro-houthi-hackers-yemen-spyware-middle-east-militaries