GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel

July 9, 2024 at 07:07AM

An ongoing surveillanceware operation is targeting military personnel in the Middle East with an Android data-gathering tool called GuardZoo. More than 450 victims have been affected, mainly in Yemen. GuardZoo, a modified version of Dendroid RAT, supports over 60 commands and is distributed through WhatsApp. It has used the same dynamic DNS domains for C2 operations since October 2019.

Military personnel from Middle East countries have been targeted by an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo. The campaign, attributed to a Houthi-aligned threat actor, has impacted over 450 victims, primarily in Yemen, with further targets in Egypt, Oman, Qatar, Saudi Arabia, Turkey, and the U.A.E.

GuardZoo, a modified version of the Android remote access trojan (RAT) known as Dendroid RAT, has been distributed through WhatsApp and WhatsApp Business and via direct browser downloads. The malware supports over 60 commands that allow it to fetch additional payloads, download files, upload files and images, change the C2 address, and terminate, update, or delete itself from the compromised device.

The researchers noted that GuardZoo has used the same dynamic DNS domains for C2 operations since October 2019; these domains resolve to IP addresses registered to YemenNet, and the addresses change regularly. The booby-trapped Android apps that carry GuardZoo use military and religious themes to entice users into downloading them.
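The C2 pattern described above, a domain name that stays fixed for years while the addresses it resolves to keep changing, is something a defender can look for in DNS resolver logs. The following script is an added example and is not code from the article or from the researchers who analysed GuardZoo: it parses resolver log lines, summarises each queried name by the distinct answer IPs seen and the time span over which they were seen, and flags names that resolve to many different addresses over a sustained period. Every domain, IP address, log line and the dynamic DNS suffix list are constructed placeholders; the article gives no indicators, so none appear here.

```python
"""Flag long-lived domains whose resolved IP addresses keep changing.

Added example (not the article's or the researchers' code). It implements
the heuristic the article suggests: a C2 hostname on a dynamic DNS service
stays constant while its A-record answers churn. All log lines, names, IPs
and the suffix list below are constructed for this example.
"""
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client> <qname> A <answer_ip>"
SAMPLE_LOG = """\
2024-07-01T08:00:00 10.0.0.12 c2-example.ddns.invalid A 198.51.100.10
2024-07-01T09:30:00 10.0.0.12 c2-example.ddns.invalid A 198.51.100.21
2024-07-02T08:05:00 10.0.0.12 c2-example.ddns.invalid A 198.51.100.33
2024-07-03T08:10:00 10.0.0.12 c2-example.ddns.invalid A 198.51.100.45
2024-07-01T08:00:00 10.0.0.15 www.example.invalid A 203.0.113.5
2024-07-02T08:00:00 10.0.0.15 www.example.invalid A 203.0.113.5
2024-07-03T08:00:00 10.0.0.15 www.example.invalid A 203.0.113.5
this line is malformed and must be skipped
"""

# Constructed placeholder list of dynamic DNS provider suffixes; a real
# deployment would load the provider list it maintains.
DYNAMIC_DNS_SUFFIXES = ("ddns.invalid", "dyn.invalid")


def parse_dns_log(text):
    """Parse lines into (timestamp, client, qname, ip); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        qname = parts[2].lower().rstrip(".")
        records.append((ts, parts[1], qname, parts[4]))
    return records


def summarize_domains(records):
    """Per qname: set of answer IPs, set of querying clients, first and last seen."""
    summary = {}
    for ts, client, qname, ip in records:
        entry = summary.setdefault(
            qname, {"ips": set(), "clients": set(), "first": ts, "last": ts}
        )
        entry["ips"].add(ip)
        entry["clients"].add(client)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def is_dynamic_dns(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True when qname is, or sits under, one of the known dynamic DNS suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def flag_churning_domains(records, min_distinct_ips=3, min_span_days=1.0):
    """Return (qname, distinct_ip_count, span_days, on_dynamic_dns) for names
    that resolved to at least min_distinct_ips addresses over at least
    min_span_days, most distinct IPs first. Stable names with one answer
    (ordinary hosting) are not reported."""
    flagged = []
    for qname, e in summarize_domains(records).items():
        span_days = (e["last"] - e["first"]).total_seconds() / 86400
        if len(e["ips"]) >= min_distinct_ips and span_days >= min_span_days:
            flagged.append((qname, len(e["ips"]), round(span_days, 2), is_dynamic_dns(qname)))
    flagged.sort(key=lambda f: (-f[1], f[0]))
    return flagged


if __name__ == "__main__":
    for qname, n_ips, span, ddns in flag_churning_domains(parse_dns_log(SAMPLE_LOG)):
        tag = " [dynamic DNS]" if ddns else ""
        print(f"{qname}: {n_ips} distinct IPs over {span} days{tag}")
```

The thresholds are deliberately low so the constructed sample trips them; in production, tune `min_distinct_ips` and `min_span_days` against a baseline of legitimate CDN and round-robin names, which also churn, and treat the dynamic DNS flag as a prioritisation signal rather than a verdict.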
