Houthi-Aligned APT Targets Mideast Militaries With 'GuardZoo' Spyware

A threat actor which may be aligned with Houthi rebels in Yemen has been spying on military targets throughout the Middle East for half a decade now.

Their weapon of war: a custom Android surveillanceware called "GuardZoo." GuardZoo seems to have been used to steal potentially valuable intelligence relating to the actor's military enemies, including official documents, photos, and data relating to troop locations and movements.

The GuardZoo Campaign

GuardZoo attacks begin with malicious links distributed on WhatsApp and WhatsApp Business.

The links lead to fake apps hosted outside of the Google Play store. Some pertain to generic themes — like "The Holy Quran," and "Locate Your Phone" — but most are military-oriented — "Art of War," "Constitution of the Armed Forces," and those relating to specific organizations like the Yemen Armed Forces, and the Saudi Armed Forces' Command and Staff College.

These various apps all deliver the GuardZoo malware.

GuardZoo's fake apps; Source: Lookout

GuardZoo is essentially the leaked "Dendroid RAT" with some of the fat removed, and retrofitted with dozens of commands fitting its proprietor's spying needs. That may partly explain why the campaign, which dates back to October 2019, is only now coming to light. "If somebody uses the same tooling as as many other actors, then they can fly [under the radar] simply because they don't stick out," explains Christoph Hebeisen, Lookout director of security intelligence research.

Upon infection, GuardZoo's first actions always involve disabling local logging, and exfiltrating all the victim's files in the past seven years that match KMZ, WPT (waypoint), RTE (route), and TRK (track) file extensions. Notably, these extensions all relate to GPS and mapping apps.

The malware can also facilitate the download of further malware, read information about the victim's machine — like its model, cell service provider, and connection speed — and more.

Middle East Military Targets

To Hebeisen, "One thing that strongly indicates to us that it's military targeting [is] the hardcoded file extensions that are very mapping-related. That targeting, to me, indicates — given that they are involved in a military conflict — that they are likely looking for tactical information from the enemy."

The majority of the 450 affected IP addresses observed by Lookout were concentrated in Yemen, though they spanned Saudi Arabia, Egypt, the United Arab Emirates, Turkey, Qatar, and Oman as well.

The Houthi connection, specifically, is strengthened by the location of the malware's command-and-control (C2) server. "It uses dynamic IP addresses, but with a telco provider that operates in a Houthi-controlled area. It's a physical server — we got the serial number, and could actually trace it — and you likely wouldn't want to place a physical server in enemy territory," Hebeisen reasons.

Relative to the significance of its targets, actually defending against this campaign is quite simple. In a press release, Lookout emphasized the need for Android users to avoid apps hosted outside of Google Play, always keep their apps up to date, and be wary of excess permissions.