Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo.
The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack infrastructure location, according to Lookout.
More than 450 victims have been impacted by the malicious activity, with targets located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen. Telemetry data indicates that most of the infections have been recorded in Yemen.
GuardZoo is a modified version of an Android remote access trojan (RAT) named Dendroid RAT that was first discovered by Broadcom-owned Symantec in March 2014. The entire source code associated with the crimeware solution was leaked later that August.
Originally marketed as a commodity malware for a one-off price of $300, it comes with capabilities to call a phone number, delete call logs, open web pages, record audio and calls, access SMS messages, take and upload photos and videos, and even initiate an HTTP flood attack.
“However, many changes were made to the code base in order to add new functionalities and remove unused functions,” Lookout researchers Alemdar Islamoglu and Kyle Schmittle said in a report shared with The Hacker News. “GuardZoo doesn’t use the leaked PHP web panel from Dendroid RAT for Command and Control (C2) but instead uses a new C2 backend created with ASP.NET.”
Attack chains distributing GuardZoo leverage WhatsApp and WhatsApp Business as distribution vectors, with the initial infections also taking place via direct browser downloads. The booby-trapped Android apps bear military and religious themes to entice users into downloading them.
The updated version of the malware supports more than 60 commands that allow it to fetch additional payloads, download files and APKs, upload files (PDF, DOC, DOCX, XLX, XLSX, and PPT), and images, change C2 address, and terminate, update, or delete itself from the compromised device.
“GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019,” the researchers said. “These domains resolve to IP addresses registered to YemenNet and they change regularly.”