Middle East military targeted: New GuardZoo Spy virus attacks smartphones

Carding Forum

The Houthis, it turns out, can not only go to war, but also navigate cyberspace quite well.

Lookout researchers have uncovered an ongoing spyware operation called GuardZoo targeting military personnel across the Middle East.

According to the researchers, the campaign, which is believed to have begun in October 2019, is attributed to a group associated with the Houthis. The attribution is based on analysis of the lures, C2 logs, the range of targets, and the location of the attack infrastructure.

Malicious activity has affected more than 450 victims from Egypt, Oman, Qatar, Saudi Arabia, Turkey, the United Arab Emirates and Yemen, where according to telemetry data, the largest number of infections was recorded.

GuardZoo is a modified version of an Android RAT called Dendroid, which was first discovered by Symantec in March 2014. The full source code of that malware was published later that August.

Originally marketed as malware for $300, GuardZoo is capable of making calls, deleting call logs, opening web pages, recording audio conversations, accessing SMS messages, taking and uploading photos and videos, and even launching HTTP flooding.

However, many changes were made to the code base in terms of adding new functionality.

At the same time, GuardZoo does not use the leaked PHP web dashboard from Dendroid RAT for C2, but uses the new C2 backend created using ASP.NET.

Attack chains involve private WhatsApp messages that distribute GuardZoo as APK files, or direct downloads of trojanized Android apps from the browser via a link.

The updated version of the malware supports more than 60 commands that allow it to fetch additional payloads, deliver files and APKs, steal data, images and map files from victims' devices, change the C2 address, shut down, update, or remove itself from the device.

GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019, with the IP addresses behind them changing over time, all belonging to YemenNet.
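The pattern just described, a dynamic DNS name that stays constant for years while the IP behind it keeps rotating, is something a defender can hunt for in resolver logs. The following script is an added example, not code from the post or from Lookout's report: it scans passive-DNS style log lines for dynamic-DNS names that resolved to several distinct IPs over a long period. The dynamic-DNS suffixes, domain names, IPs and timestamps are all constructed placeholders, not GuardZoo indicators.

```python
"""Flag long-lived dynamic-DNS names whose resolved IP keeps changing.

Added example (not from the original post or Lookout's report). All
domain names, IPs, suffixes and dates below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical list of dynamic-DNS parent zones an analyst would maintain.
DYNAMIC_DNS_SUFFIXES = (".ddns.example", ".dyn.example")

# Constructed resolver log lines: "<ISO timestamp> <client> <qname> <answer_ip>".
SAMPLE_LOG = """\
2019-10-03T08:12:11Z 10.0.0.5 updates.ddns.example 203.0.113.10
2020-04-17T19:40:02Z 10.0.0.5 updates.ddns.example 203.0.113.44
2021-11-29T06:05:55Z 10.0.0.9 updates.ddns.example 198.51.100.7
2023-02-14T12:00:00Z 10.0.0.9 updates.ddns.example 198.51.100.81
2023-02-14T12:00:30Z 10.0.0.9 www.example.com 192.0.2.1
2023-02-15T09:30:00Z 10.0.0.5 www.example.com 192.0.2.1
2023-03-01T10:00:00Z 10.0.0.7 static.dyn.example 203.0.113.200
"""


def parse_log(text):
    """Yield (timestamp, client, qname, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, ip = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, client, qname.lower().rstrip("."), ip


def is_dynamic_dns(qname):
    """True when the name sits under one of the tracked dynamic-DNS zones."""
    return qname.endswith(DYNAMIC_DNS_SUFFIXES)


def find_rotating_c2_candidates(text, min_ips=3, min_days=365):
    """Return {qname: summary} for dynamic-DNS names that resolved to at least
    `min_ips` distinct IPs across a span of at least `min_days` days."""
    ips = defaultdict(set)
    clients = defaultdict(set)
    first, last = {}, {}
    for when, client, qname, ip in parse_log(text):
        if not is_dynamic_dns(qname):
            continue
        ips[qname].add(ip)
        clients[qname].add(client)
        first[qname] = min(first.get(qname, when), when)
        last[qname] = max(last.get(qname, when), when)

    hits = {}
    for qname, addrs in ips.items():
        span = (last[qname] - first[qname]).days
        if len(addrs) >= min_ips and span >= min_days:
            hits[qname] = {
                "distinct_ips": len(addrs),
                "span_days": span,
                "clients": sorted(clients[qname]),  # hosts worth triaging
            }
    return hits


if __name__ == "__main__":
    for name, info in find_rotating_c2_candidates(SAMPLE_LOG).items():
        print(f"{name}: {info['distinct_ips']} IPs over {info['span_days']} days, "
              f"queried by {', '.join(info['clients'])}")
```

On the constructed log only `updates.ddns.example` is reported (four IPs over roughly three and a half years); the ordinary site resolves to a stable address and the second dynamic-DNS name has only one IP, so both are ignored. The thresholds are deliberately conservative to keep consumer dynamic-DNS noise down; the clients list is what an analyst would pivot on next.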

Researchers believe that GuardZoo is used to collect both tactical and strategic military intelligence that can be used to benefit operations conducted by the Houthis.