Houthi-related Cyber Threats Target Arab Android Users
Hacking group dubbed OilAlpha with alleged ties to Yemen Houthi movement has been linked to cyber espionage campaigns targeting development, humanitarian, media and non-governmental organizations in the Arabian peninsula.
“OilAlpha uses encrypted chat messengers such as WhatsApp to launch social engineering attacks against its targets,” cybersecurity firm Recorded Future said in a technical report published Tuesday.
“It also uses a URL link shortener. According to a victimology assessment, it appears that the majority of the targeted entities are Arabic speakers and operate Android devices.”
OilAlpha is the new cryptonym assigned by Recorded Future to two overlapping clusters the company has tracked since April 2022 under the names TAG-41 and TAG-62. TAG-XX (short for Threat Activity Group) is the temporary moniker the company assigns to a threat group when it first appears.
The assessment that the adversary is acting in the interests of the Houthi movement rests on the fact that the infrastructure used in the attacks is almost exclusively linked to the Public Telecommunication Corporation (PTC), the Yemeni telecommunications service provider under Houthi control.
Nonetheless, the continued use of PTC assets does not rule out the possibility that those assets were compromised by unknown third parties. Recorded Future, however, noted that it found no evidence to support this line of reasoning.
Another factor is the use of malicious Android applications to possibly monitor a delegation associated with negotiations led by the Saudi Arabian government. These apps impersonate entities associated with the government of Saudi Arabia and humanitarian organizations in the UAE.
The attack chain starts with potential targets – political representatives, media personalities and journalists – receiving APK files directly from WhatsApp accounts using Saudi Arabian phone numbers, with the apps disguised as those of UNICEF, NGOs, and other aid organizations.
The apps, for their part, act as conduits for dropping a remote access trojan called SpyNote (aka SpyMax) that comes with a wide range of features for capturing sensitive information from infected devices.
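The delivery pattern described above (an APK sideloaded straight from a messaging app, carrying a label that mimics an aid organization) is something a mobile fleet owner can look for in install telemetry. The following is an added example written for this article, not code from Recorded Future or from the report; it assumes a constructed export format from an MDM/EMM tool in which each install event records the package name, the app label and the installer package, and it flags installs that are both sideloaded and either delivered via a messenger or labelled like an aid organization.

```python
"""Flag sideloaded Android installs that arrive via messaging apps or
impersonate aid organizations. Added example; the event format and the
sample events below are constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed export format (one event per line), not any vendor's real schema:
# <timestamp> install pkg=<package> label="<app label>" installer=<installer package>
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) install pkg=(?P<pkg>\S+) '
    r'label="(?P<label>[^"]*)" installer=(?P<installer>\S+)$'
)

# Installers considered trusted app stores (Play Store, Galaxy Store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Messenger packages whose appearance as the installer indicates an APK opened
# straight from a chat (assumed list; extend to the messengers in use).
MESSENGER_INSTALLERS = {"com.whatsapp", "org.telegram.messenger"}
# Whole-word keywords typical of aid-organization lookalike labels.
ORG_KEYWORDS = re.compile(r"\b(unicef|ngo|relief|humanitarian|aid)\b")


@dataclass
class Finding:
    ts: str
    pkg: str
    label: str
    installer: str
    reasons: tuple


def parse_event(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(event):
    """Collect the reasons an install event looks suspicious."""
    reasons = []
    if event["installer"] not in TRUSTED_INSTALLERS:
        reasons.append("sideloaded")
    if event["installer"] in MESSENGER_INSTALLERS:
        reasons.append("delivered-via-messenger")
    if ORG_KEYWORDS.search(event["label"].lower()):
        reasons.append("aid-org-lookalike-label")
    return reasons


def scan(lines):
    """Escalate only installs that are sideloaded AND show a second indicator,
    so plain sideloads (e.g. a company-internal app) are not flooded out."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = assess(ev)
        if "sideloaded" in reasons and len(reasons) > 1:
            findings.append(Finding(ev["ts"], ev["pkg"], ev["label"],
                                    ev["installer"], tuple(reasons)))
    return findings


# Constructed sample events: one store install, one messenger-delivered
# aid-org lookalike, one ordinary sideload, one messenger-delivered generic app.
SAMPLE_EVENTS = [
    '2023-05-16T09:58:02Z install pkg=com.whatsapp label="WhatsApp" installer=com.android.vending',
    '2023-05-16T10:02:11Z install pkg=com.example.relief label="UNICEF Relief" installer=com.whatsapp',
    '2023-05-16T10:15:40Z install pkg=com.example.photo label="Photo Editor" installer=com.android.packageinstaller',
    '2023-05-16T10:21:05Z install pkg=com.example.docs label="Document Viewer" installer=com.whatsapp',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.pkg} ({f.label!r}) via {f.installer}: {', '.join(f.reasons)}")
```

Two of the four constructed events are escalated: the "UNICEF Relief" install from WhatsApp trips all three indicators, and the generic "Document Viewer" install is still flagged because it is sideloaded from a messenger. The plain sideload from the package installer is recorded but not escalated, which is the trade-off the two-indicator rule makes.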
“OilAlpha’s focus on targeting Android devices is not surprising given the high saturation of Android devices in the Arabian Peninsula,” said Recorded Future.
The cybersecurity firm said it also observed samples of njRAT (aka Bladabindi) communicating with a command-and-control (C2) server associated with the group, indicating that it was concurrently using desktop malware in its operations.
“OilAlpha launched its attack on the orders of the sponsoring entity, namely the Yemeni Houthis,” the theory goes. “OilAlpha can be directly affiliated with its sponsoring entity, or it can operate like a contractor.”
“Although OilAlpha’s activities are pro-Houthi, there is insufficient evidence to suggest that Yemeni operations are responsible for this threat activity. External threat actors such as Lebanese or Iraqi Hezbollah, or even Iranian operatives supporting the IRGC, may have led this threat activity.”