Military personnel from Middle Eastern countries are the target of an ongoing surveillance operation that provides an Android data collection tool called GuardZoo.
The companywhich is believed to have started back in October 2019, has been attributed to a Houthi threat actor based on application decoys, command and control (C2) server logs, target footprint and the location of the attack infrastructure, according to Lookout.
More than 450 victims have been affected by the malicious activity, with targets located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, UAE and Yemen. Telemetry data shows that most of the infections are in Yemen.
GuardZoo is a modified version of the Android Remote Access Trojan (RAT) called Dendroid RAT, which was first discovered by Broadcom-owned Symantec in March 2014. All source code associated with the malware solution was leaked out later in August.
Originally sold as a commercial malware for a one-time price of $300, it comes with the ability to call a phone number, delete call logs, open web pages, record audio and calls, access SMS messages, take and upload photos and videos, and even initiate HTTP flood attack.
“However, many changes were made to the codebase to add new functionality and remove unused features,” Lookout researchers Alemdar Islamoglu and Kyle Schmitl said in a report shared with The Hacker News. “GuardZoo does not use the leaked PHP web panel from Dendroid RAT for command and control (C2), but instead uses a new C2 backend built with ASP.NET.”
The attack chains that distribute GuardZoo use WhatsApp and WhatsApp Business as distribution vectors, with initial infection also occurring via direct browser downloads. Mined Android apps have military and religious themes to encourage users to download them.
The updated version of the malware supports more than 60 commands that allow you to receive additional payloads, download files and APKs, upload files (PDF, DOC, DOCX, XLX, XLSX, and PPT) and images, change the C2 address, and terminate. , update or remove yourself from the jailbroken device.
“GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019,” the researchers said. “These domains identify the IP addresses registered with YemenNet and they change regularly.”
