Since 2019, surveillance equipment deployed by a Yemeni Shia Islamist organization's partners has been used to target troops throughout the Middle East, according to a new study.
Surveillanceware Targeting Middle Eastern Militaries
A Houthi-aligned threat actor utilized GuardZoo malware to capture images, documents, and other files from compromised devices, according to Lookout researchers in a report released Tuesday.
According to unsecured command and control server logs, the majority of the approximately 450 victims were found in Yemen, Saudi Arabia, Egypt, and Oman, with a tiny number in the United Arab Emirates, Turkey, and Qatar.
The Houthis took possession of Yemen's capital city in 2014, sparking a civil conflict and hunger. According to human rights organizations, a contentious Saudi-led intervention in Yemen began in June 2019 and resulted in a wave of arbitrary arrests, torture, and enforced disappearances.
The Houthi-aligned threat actor was identified by "application lures, exfil data, targeting, and the C2 infrastructure location," according to the report.
The Origins
According to Lookout, the spying tool is named after a fragment of source code that persists on an infected device. In addition to collecting images and documents, the study stated that it can "coordinate data files related to marked locations, routes, and tracks," as well as identify an infected device's location, model, cellular service carrier, and Wi-Fi setup.
GuardZoo can also download and install "arbitrary applications on the device," implying it can offer more destructive abilities once the gadget is infected," according to the paper.
Technical Details
According to Lookout, the spyware has been detected primarily in military-themed applications, with distribution and infections originating primarily in WhatsApp, WhatsApp Business, and browser downloads. In a few other cases, victims were enticed by content with a religious-themed prayer app or an e-book theme.
Researchers initially found GuardZoo in October 2022. Lookout claims the tool is based on Dendroid RAT, a "commodity spyware" that has been in use for at least a decade.
Capabilities
After infecting a device, GuardZoo communicates to the command and control server and sends four commands to each new victim, including deactivating local logging and uploading metadata for all files.
"These extensions are related to maps, GPS and markings showing waypoints, routes and tracks," according to Lookout's findings.
GuardZoo's lures were originally general, but they've evolved to include military themes with titles like "Constitution Of The Armed Forces" and "Restructuring Of The New Armed Forces." Military apps used as a lure featured emblems from numerous Middle Eastern countries, including Yemen and Saudi Arabia.
Operational Impact
After infecting a device, GuardZoo communicates to the command and control server and sends four commands to each new victim, including deactivating local logging and uploading metadata for all files.
"These extensions are related to maps, GPS and markings showing waypoints, routes and tracks," according to Lookout's findings.
GuardZoo's lures were originally general, but they've evolved to include military themes with titles like "Constitution Of The Armed Forces" and "Restructuring Of The New Armed Forces." Military apps used as a lure featured emblems from numerous Middle Eastern countries, including Yemen and Saudi Arabia.
