Analysis Summary

A continuous surveillanceware operation that distributes an Android data-gathering malware called GuardZoo is targeting military personnel from several Middle Eastern nations.

Based on the application lures, targeted footprint, command-and-control (C2) server logs, and attack infrastructure location, the campaign—which is thought to have started as early as October 2019—has been linked to a threat actor with Houthi alignment, according to researchers.

With targets in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the United Arab Emirates, and Yemen, the malicious activity has affected over 450 people. According to telemetry data, Yemen has been the site of most infection reports. Researchers originally identified Dendroid RAT, an Android remote access trojan (RAT), in March 2014. GuardZoo is a modified variant of this malware. Later that August, the whole source code for the malware solution was made public.

To add new functionality and eliminate outdated ones, numerous changes have to be made to the code base. GuardZoo's command-and-control (C2) system is based on a new ASP.NET C2 backend, not the compromised PHP web panel from Dendroid RAT. Attack chains dispersing GuardZoo use WhatsApp and WhatsApp Business as their distribution channels, and direct browser downloads are also how the initial infections happen. The military and religious themes of the booby-trapped Android apps are meant to lure users into downloading them.

The malware has been modified to handle over 60 instructions, which enable it to download files and APKs, upload files (PDF, DOC, DOCX, XLX, XLSX, and PPT), modify the C2 address, fetch more payloads, and terminate, update, or remove itself from the infected device. Since October 2019, GuardZoo has operated C2 using the same dynamic DNS domains. These domains resolve to YemenNet-registered IP addresses, which are updated regularly.

Impact

• Cyber Espionage
• Unauthorized Access
• Sensitive Data Theft

Remediation

• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.