Starry Addax: Human rights defenders in North Africa targeted with a fake Sahara Press Service app

Hackers have replaced commercially available malware with their own custom development.

Cisco Talos reports that human rights defenders in Morocco and the Western Sahara region have become the target of a new phishing campaign aimed at identity theft. The threat cluster has been named Starry Addax. The main targets of the attacks are activists associated with the Sahrawi Arab Democratic Republic (SADR).

Starry Addax targets both Android and Windows users. The campaign relies on phishing emails that urge victims to install the Sahara Press Service mobile app or other region-specific decoys. Depending on the victim's operating system, they are prompted either to download a malicious APK or to visit a fake social media login page.

The campaign uses new Android malware called FlexStarling, which can steal sensitive information and download additional malicious components. After installation, the malware requests a large number of permissions from the victim, which lets it carry out malicious actions, including receiving commands from its C2 server.

Talos emphasizes that such campaigns are usually designed for long-term, covert persistence on the device. The entire infrastructure, from the malware to the C2 servers, was built specifically for this campaign, which indicates the attackers' intent to operate unnoticed.


Campaign Timeline

Having built its own arsenal of tools and infrastructure for attacking activists, Starry Addax has opted not to use commercially available spyware. The campaign is still in its early stages, but FlexStarling and its supporting infrastructure are considered ready to launch targeted attacks on activists in North Africa. The establishment of infrastructure and C2 servers, together with malware development beginning in early January 2024, indicates the rapid build-out of the Starry Addax infrastructure for attacks on high-value individuals.