Military personnel in the Middle East are the targets of an ongoing surveillance operation that delivers an Android data-collection tool known as GuardZoo.
The operation, believed to have been active since October 2019, has been attributed to a Houthi-aligned group based on the app's features, server logs, the distribution of targets, and the location of the attack infrastructure, according to findings from Lookout.
More than 450 individuals have been identified as victims, located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen. The majority of the observed infections are in Yemen.
GuardZoo is a modified version of Dendroid RAT, an Android remote access trojan first documented by Broadcom-owned Symantec in March 2014. Dendroid's full source code leaked in August of the same year.
Originally sold as commercial malware for a one-time fee of $300, Dendroid could place calls, delete call logs, open web pages, record audio and phone calls, read SMS messages, take and upload photos and videos, and launch HTTP flood (denial-of-service) attacks.
According to a report by Lookout researchers Alemdar Islamoglu and Kyle Schmittle shared with The Hacker News, “GuardZoo has been substantially modified from the original Dendroid RAT, with new functionalities added and redundant features removed. GuardZoo employs a fresh ASP.NET-based backend for Command and Control (C2) operations instead of the leaked PHP web panel utilized by Dendroid RAT.”

GuardZoo is distributed primarily through WhatsApp and WhatsApp Business, with some initial infections also traced to direct browser downloads. The trojanized Android apps use military and religious themes as lures to persuade targets to install them.
The current version of GuardZoo supports more than 60 commands, including fetching additional payloads, downloading files and APKs, uploading files of specific types (PDF, DOC, DOCX, XLX, XLSX, and PPT) and images, changing the C2 address, and terminating, updating, or removing itself from the compromised device.
“GuardZoo has been active since October 2019 using a common set of dynamic DNS domains for its Command and Control operations,” the researchers said. “These domains are consistently linked to IP addresses owned by YemenNet and are subject to frequent changes.”
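The C2 pattern described above, dynamic DNS names whose answers keep changing but stay inside one provider's address space, is something a defender can hunt for in resolver logs without knowing the specific domains. The script below is an added example written for this page, not Lookout's tooling or any GuardZoo indicator: it groups A-record answers by queried name and flags names that rotated through several distinct IPs within a day, all inside a configured set of prefixes. The prefixes and the log lines are constructed placeholders (RFC 5737 documentation ranges and made-up hostnames); an analyst would substitute the provider's actual announced prefixes and their own resolver export.

```python
"""Hunt resolver logs for dynamic-DNS style C2 names that rotate through
many IPs inside a small set of network prefixes.

Added example for illustration only. WATCHED_PREFIXES and SAMPLE_LOG are
constructed placeholders, not real provider ranges or real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed placeholder prefixes standing in for a hosting provider's
# address space (documentation ranges, not YemenNet's real prefixes).
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample resolver export: "<epoch> <client> <qname> <rtype> <answer>".
SAMPLE_LOG = """\
1719800000 10.0.0.5 update-svc.example-ddns.test A 203.0.113.10
1719803600 10.0.0.5 update-svc.example-ddns.test A 203.0.113.77
1719807200 10.0.0.9 update-svc.example-ddns.test A 198.51.100.4
1719810800 10.0.0.5 update-svc.example-ddns.test A 203.0.113.130
1719814400 10.0.0.5 cdn.legit-site.test A 93.184.216.34
1719818000 10.0.0.9 cdn.legit-site.test A 93.184.216.34
1719821600 10.0.0.5 news.other.test A 203.0.113.10
this line is malformed and must be skipped
"""


@dataclass
class DomainStats:
    # (timestamp, IPv4Address) pairs in log order
    answers: list = field(default_factory=list)


def parse_log(text):
    """Group A-record answers by lower-cased query name; skip malformed lines."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        ts, _client, qname, _rtype, answer = parts
        try:
            ip = ipaddress.ip_address(answer)
            stats[qname.lower()].answers.append((int(ts), ip))
        except ValueError:
            continue  # bad timestamp or address: ignore the record
    return dict(stats)


def in_watched_space(ip):
    """True if the address falls inside any of the watched prefixes."""
    return any(ip in net for net in WATCHED_PREFIXES)


def flag_rotating_domains(stats, min_distinct=3, window_s=24 * 3600):
    """Return {name: [ips]} for names whose answers include at least
    min_distinct distinct IPs within any window_s-second span, where every
    observed answer lies inside the watched prefixes."""
    flagged = {}
    for name, ds in stats.items():
        answers = sorted(ds.answers)
        ips = {ip for _, ip in answers}
        if len(ips) < min_distinct or not all(in_watched_space(ip) for ip in ips):
            continue
        # Sliding window over the time-ordered answers.
        for i, (t0, _) in enumerate(answers):
            window_ips = {ip for t, ip in answers[i:] if t - t0 <= window_s}
            if len(window_ips) >= min_distinct:
                flagged[name] = [str(ip) for ip in sorted(ips)]
                break
    return flagged


if __name__ == "__main__":
    for name, ips in flag_rotating_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {len(ips)} answers in watched space: {', '.join(ips)}")
```

The thresholds are deliberately loose: a CDN hostname also rotates, but legitimate CDNs rarely keep every answer inside one small regional provider's space, which is why the prefix constraint and the rotation count are applied together. Tune `min_distinct` and `window_s` against your own baseline before alerting on the output.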