Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries

GuardZoo is a surveillanceware targeting military personnel in Middle Eastern countries, attributed to a Yemeni Houthi-aligned group. The malware, based on Dendroid RAT, uses military-themed lures to attract victims and continues to be an active threat as of 2023. The most heavily targeted countries are Yemen, Saudi Arabia, Egypt, and Oman.

Affected: Yemen, Saudi Arabia, Egypt, Oman, United Arab Emirates, Turkey, Qatar

Key points:

  • GuardZoo is a surveillanceware discovered by Lookout researchers in October 2022.
  • The malware is based on Dendroid RAT, known for its capabilities since 2014.
  • It primarily targets military personnel from Yemen, Saudi Arabia, Egypt, and Oman.
  • GuardZoo uses military-themed lures, alongside other themes like religion.
  • This malware has been actively used since October 2019.
  • Lookout has reported the findings to Google, which found no affected apps on Google Play.
  • GuardZoo communicates with a C2 server via HTTPS with cleartext data in the request body.
  • It has the capability to dynamically load external DEX files from the C2 server.
  • Victim IPs are primarily from Middle Eastern countries, especially Yemen.
  • The C2 server was traced back to the United Arab Emirates, raising attribution concerns.

MITRE Techniques:

  • Command and Control (T1071.001) – GuardZoo communicates with its C2 using HTTPS over dynamically assigned domains with commands sent in cleartext.
  • Data Obfuscation (T1027) – The malware dynamically loads updated DEX files to evade detection by security measures.
  • Credential Dumping (T1003) – The malware uploads files such as those with KMZ, WPT, RTE, and TRK extensions related to maps and GPS.
  • Infection Vector (T1180) – Initial infections were observed through WhatsApp and browser downloads.

Indicators of Compromise:

  • [SHA-256] d34cd64dea64f1e29534f10c7fe3d504d5d7d825c441fd2fb3b81c2cb56c597
  • [C2 Server] wwwgoogl[.]zapto[.]org
  • [C2 Server] somrasdc[.]ddns[.]net
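
Because GuardZoo's C2 traffic is HTTPS, the request body is not visible on the wire without TLS inspection; what a network defender can observe is the hostname being resolved or presented in the TLS handshake. The following added example (not Lookout's code) takes the two defanged C2 hostnames from the indicator list above, re-fangs them, validates hash-type indicators before loading them, and sweeps DNS log lines for exact or subdomain matches. The log line format, the client IPs, and the file hashes are constructed for this example.

```python
"""Re-fang GuardZoo network indicators and sweep DNS logs for them.

Added example, not part of the Lookout report.  The two C2 hostnames are the
ones listed in the indicator list; the log format, client IPs and hashes are
constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Indicators exactly as published (defanged with "[.]" so they cannot be clicked).
C2_DOMAINS_DEFANGED = ["wwwgoogl[.]zapto[.]org", "somrasdc[.]ddns[.]net"]

# Constructed hash list: the second entry is deliberately 63 characters long
# to show that truncated digests are rejected rather than silently loaded.
KNOWN_HASHES_CONSTRUCTED = ["ab" * 32, "ab" * 31 + "a"]

# Constructed DNS log lines in an assumed "<ts> client=<ip> query=<name> type=<rr>" format.
SAMPLE_DNS_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.5 query=wwwgoogl.zapto.org type=A",
    "2024-05-01T10:00:02Z client=10.0.0.7 query=www.google.com type=A",
    "2024-05-01T10:00:03Z client=10.0.0.9 query=cdn.somrasdc.ddns.net. type=A",
    "2024-05-01T10:00:04Z client=10.0.0.5 query=example.org type=AAAA",
]
SAMPLE_OBSERVED_HASHES = ["AB" * 32, "cd" * 32]  # constructed, e.g. from an EDR export

SHA256_RE = re.compile(r"[0-9a-f]{64}")
DNS_LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, normalised string."""
    return (
        ioc.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .strip()
        .lower()
        .rstrip(".")
    )


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 hex digest is exactly 64 hex characters; anything else is a
    truncated or mistyped indicator and must not be loaded as-is."""
    return SHA256_RE.fullmatch(digest.strip().lower()) is not None


def domain_matches(query: str, indicator: str) -> bool:
    """Match the C2 host itself or any subdomain of it (dynamic-DNS hosts are
    often prefixed), but not unrelated names that merely contain the string
    (www.google.com must not match wwwgoogl.zapto.org)."""
    q = query.strip().lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def match_dns_logs(lines: Iterable[str], defanged_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose query resolves a known C2 host."""
    indicators = [refang(d) for d in defanged_domains]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_LINE_RE.search(line)
        if m is None:
            continue  # not a query line in the assumed format
        for ind in indicators:
            if domain_matches(m["query"], ind):
                hits.append({"client": m["client"], "query": m["query"].rstrip("."), "indicator": ind})
                break
    return hits


def match_hashes(observed: Iterable[str], known: Iterable[str]) -> Set[str]:
    """Intersect observed file hashes with the well-formed known-bad set."""
    good_known = {h.strip().lower() for h in known if is_valid_sha256(h)}
    return {h.strip().lower() for h in observed if h.strip().lower() in good_known}


if __name__ == "__main__":
    for hit in match_dns_logs(SAMPLE_DNS_LOG, C2_DOMAINS_DEFANGED):
        print(f"C2 lookup from {hit['client']}: {hit['query']} (matches {hit['indicator']})")
    print("known-bad hashes seen:", match_hashes(SAMPLE_OBSERVED_HASHES, KNOWN_HASHES_CONSTRUCTED))
```

The subdomain rule matters for dynamic-DNS indicators such as the zapto and ddns hosts above: an actor can prefix a new label without changing the registered host, so an exact-string match would miss it, while a plain substring match would produce false positives on look-alike legitimate names. The same hostname check can be applied to TLS SNI fields from proxy or IDS logs.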

Full Story: https://www.lookout.com/threat-intelligence/article/guardzoo-houthi-android-surveillanceware