OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen

OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen with malicious Android applications built to steal credentials and gather intelligence. Notable victims include CARE International, the Norwegian Refugee Council (NRC), and the King Salman Humanitarian Aid and Relief Centre (KSRelief). Mitigation emphasizes social engineering awareness, strong passwords, and multi-factor authentication.

Key points

  • OilAlpha remains active in Yemen, targeting humanitarian and human rights organizations.
  • Victims include CARE International, the Norwegian Refugee Council, and KSRelief.
  • A new cluster of malicious Android apps, including Cash Incentives.apk, was identified; the app functions as a remote access trojan (RAT).
  • Additional malicious apps targeting NRC and CARE International were identified, focusing on credential theft and information gathering.
  • OilAlpha operates a credential theft portal at kssnew.online that impersonates humanitarian login pages to harvest credentials.
  • Mitigation emphasizes social engineering/anti-phishing awareness, strong passwords, MFA, and verification of messages; threat intelligence tools can aid monitoring.
  • The threat may extend beyond Yemen; ongoing monitoring and reporting are recommended.

MITRE Techniques

  • [T1056] Input Capture – The Android apps request invasive permissions (camera, audio, SMS, contacts) and function as a remote access trojan (RAT). ‘The app requests invasive permissions, including access to the camera, audio, SMS, contacts, and more.’
  • [T1566] Phishing – The credential theft portal impersonates humanitarian organizations’ login pages to harvest credentials. ‘This portal impersonates humanitarian organizations’ login pages, redirecting users to input their credentials, which are then harvested by the attackers.’
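A defender-side triage check for the permission profile described under T1056 above. This is an added example, not code from the report or from Insikt Group: it parses a decoded AndroidManifest.xml and flags an app that requests several of the camera, audio, SMS and contacts capabilities at once. The bucket-to-permission mapping and the threshold are assumptions, and the sample manifest is constructed, not taken from Cash Incentives.apk.

```python
"""Flag an Android manifest whose requested permissions match the
RAT-style profile (camera, audio, SMS, contacts) described in the report.
Added example for defenders; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets named in the report, mapped to the Android permissions
# that grant them. The mapping is an assumption, not taken from the report.
SURVEILLANCE_BUCKETS = {
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed manifest mimicking a "cash incentive" app that asks for far
# more than a payout form needs (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def surveillance_profile(manifest_xml: str, threshold: int = 3):
    """Return (matched_buckets, flagged). flagged is True when the app asks
    for at least `threshold` of the buckets at once, a combination a
    payout/cash-incentive app has no plausible need for."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(b for b, ps in SURVEILLANCE_BUCKETS.items() if perms & ps)
    return matched, len(matched) >= threshold


if __name__ == "__main__":
    buckets, flagged = surveillance_profile(SAMPLE_MANIFEST)
    print(f"matched={buckets} flagged={flagged}")
```

Run it against the manifest produced by decoding a suspect APK (for example with apktool); a hit is a triage signal for review, not proof of malice.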

Indicators of Compromise

  • [File] Malicious Android APK – Cash Incentives.apk and two more unnamed Android apps targeting NRC and CARE International
  • [Domain] Credential theft portal domain – kssnew.online

Read more: https://www.recordedfuture.com/research/oilalpha-spyware-used-to-target-humanitarian-aid-groups