Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries
- GuardZoo is an Android surveillanceware being used to target military personnel from Middle Eastern countries.
- The campaign started around October 2019 and is still active in 2024. It is named after a piece of source code that enables persistence on the device. It also uses other animal-related class names such as AnimalCoop and MainZoo.
- Lookout attributes this activity to a Yemeni, Houthi-aligned threat actor based on the application lures, exfil data, targeting and the C2 infrastructure location.
- While Lookout is still actively analyzing data, thus far it has seen more than 450 IP addresses that belong to victims who are primarily located in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar and Turkey.
- It can collect data such as photos, documents, coordinate data files related to marked locations, routes, and tracks, the device’s location, model, cellular service carrier, and Wi-Fi configuration.
- It is distributed via WhatsApp, WhatsApp Business, and direct browser download and can enable the actor to deploy additional invasive malware on the infected device.
Notable capabilities
In October 2022, Lookout researchers initially discovered a surveillanceware that is still being used to target military personnel from Middle Eastern countries. The surveillanceware, dubbed GuardZoo by Lookout, is based on a commodity spyware named Dendroid RAT, which Lookout has protected against since before 2022. Lookout attributes this activity to a Yemeni Houthi-aligned group based on targeting aligned with Houthi interests.
The campaign started around October 2019 and is still active at the time of this report. The campaign mostly uses military themes to lure victims, but Lookout researchers also observed that religion and other themes are being used. Yemen, Saudi Arabia, Egypt and Oman are amongst the countries whose militaries have been targeted. The following is a list of applications with acquisition dates and title details.
Lookout reported these findings to Google. Google confirmed that based on its current detection, no apps containing this malware are found to be on Google Play.
Technical analysis
GuardZoo is based on Dendroid RAT, a commodity spyware which was leaked online in 2014. However, many changes were made to the code base in order to add new functionalities and remove unused functions. GuardZoo doesn’t use the leaked PHP web panel from Dendroid RAT for Command and Control (C2) but instead uses a new C2 backend created with ASP.NET.
By default, GuardZoo uses two C2 addresses, one primary: https://wwwgoogl.zapto[.]org and a backup: https://somrasdc.ddns[.]net. GuardZoo can receive more than 60 commands from the C2, most of which are exclusive to GuardZoo and were added by the threat actor. The following is a list of notable C2 commands and their functions.
GuardZoo also has the ability to download a DEX file from the C2 and dynamically load it instead of a full APK update. The URL for the latest DEX file is as follows:
<C2 Address>/updateApp?dexfile=classes.dex.
After downloading the DEX file, it is saved in the “dex” folder inside the app data folder and then the app restarts itself to load the new DEX file.
This secondary payload was deprecated as of late April 2023; however, the code in this secondary DEX is still present within the base application. This could be a way to future-proof the app in case the developer decides to go back to its former processes.
Infrastructure
GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019. These domains resolve to IP addresses registered to YemenNet, which change regularly. All requests to the C2 have the GET parameters “UID”, a unique victim/client ID, and “Password”, a password to verify the authenticity of the request.
When it starts running on an infected device, GuardZoo connects to the C2 to get commands and by default, the C2 sends the following four commands to every new client:
- Upload all files with extensions KMZ, WPT, RTE and TRK that were created since 24 June 2017.
- Set the wait time to 15 minutes if an error occurs during processing.
- Disable local logging.
- Upload metadata (name, size, creation and modification dates) for all files.
These extensions are related to maps, GPS and markings showing waypoints, routes and tracks.
The communication with the C2 is over HTTPS; however, the data inside the request body is in cleartext. The C2 server uses a self-signed HTTPS certificate with the fingerprint “51a35108b7a2c8d4a199d5c872927ee13d66b4a8”. Even though the URLs have a “PHP” extension in their paths, the C2 backend is created in ASP.NET and served on IIS 10.
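As an added detection example (not Lookout's code), the following Python applies the network indicators described above (the two C2 domains, the certificate fingerprint, the UID/Password GET parameters, .php paths answered by IIS, and the DEX update URL) to constructed HTTPS proxy log records. The record field names and the /cmd.php path are assumptions; only /updateApp?dexfile=classes.dex is a path taken from the report.

```python
"""GuardZoo C2 traffic triage over constructed proxy records (added example)."""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report (domains shown here without de-fanging brackets).
C2_DOMAINS = {"wwwgoogl.zapto.org", "somrasdc.ddns.net"}
C2_CERT_SHA1 = "51a35108b7a2c8d4a199d5c872927ee13d66b4a8"
DEX_UPDATE_PATH = "/updateApp"


def score_record(rec: dict) -> list[str]:
    """Return the GuardZoo indicators matched by one proxy record.

    Assumed record fields: 'url' (full request URL), 'server' (Server response
    header) and 'cert_sha1' (SHA-1 fingerprint of the server certificate).
    """
    hits = []
    url = urlsplit(rec["url"])
    host = url.hostname or ""
    if host in C2_DOMAINS:
        hits.append("known-c2-domain")
    if rec.get("cert_sha1", "").lower() == C2_CERT_SHA1:
        hits.append("c2-cert-fingerprint")
    qs = parse_qs(url.query)
    # Every GuardZoo request carries a UID (victim ID) and a Password parameter.
    if {"UID", "Password"} <= set(qs):
        hits.append("uid-password-params")
    # The ASP.NET backend keeps PHP-looking paths but is served by IIS.
    if url.path.endswith(".php") and rec.get("server", "").startswith("Microsoft-IIS"):
        hits.append("php-path-on-iis")
    # Dynamic DEX update request described in the report.
    if url.path == DEX_UPDATE_PATH and qs.get("dexfile") == ["classes.dex"]:
        hits.append("dex-update")
    return hits


def triage(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep only records that matched at least one indicator."""
    scored = [(r["url"], score_record(r)) for r in records]
    return [(u, h) for u, h in scored if h]


SAMPLE_LOG = [  # constructed records, not real telemetry; /cmd.php is hypothetical
    {"url": "https://wwwgoogl.zapto.org/cmd.php?UID=a1b2c3&Password=s3cret",
     "server": "Microsoft-IIS/10.0", "cert_sha1": C2_CERT_SHA1},
    {"url": "https://somrasdc.ddns.net/updateApp?dexfile=classes.dex&UID=a1b2c3&Password=s3cret",
     "server": "Microsoft-IIS/10.0", "cert_sha1": C2_CERT_SHA1},
    {"url": "https://example.com/index.php?page=1",
     "server": "nginx", "cert_sha1": "00" * 20},
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_LOG):
        print(url, "->", ", ".join(hits))
```

Because the domains are dynamic DNS names whose YemenNet IP addresses rotate, the host, certificate and parameter checks are more durable than any IP-based rule.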
Targeting
Older samples of GuardZoo from 2019 and 2020 use lures with broader topics such as “Locate Your Phone” and “Anti Touch”. More recent samples have military lures such as “Constitution Of The Armed Forces”, “Limited - Commander And Staff” and “Restructuring Of The New Armed Forces”. Military-themed apps also use military emblems from different countries such as the Yemen Armed Forces and the Command and Staff College of the Saudi Armed Forces. There is also a religious-themed prayer app lure and an e-book-themed lure.
Lookout telemetry indicates most of the detections happened in Yemen. The file paths on devices where GuardZoo samples were detected reveal initial infection vectors via WhatsApp, WhatsApp Business and browser download.
According to unsecured C2 server logs dating back to December 2022, victims were mostly located in Yemen, Saudi Arabia and Egypt, with a few victims located in Oman, the United Arab Emirates, Turkey and Qatar.
Logs also contained the IP addresses of the victim devices and their mobile carrier details. The table above provides the list of countries and count of unique victim devices derived from IP geolocation and mobile carrier information obtained from unsecured C2 server logs of a single day. IP addresses known to be used by VPN providers and known proxies were omitted.
Attribution
Logs also revealed the serial number of the C2 server. Querying this serial number on the manufacturer support website shows that this server was shipped on 18 March 2019 by a distributor in the United Arab Emirates which serves Yemen and nine other countries in the region. There is a possibility that the server might have changed hands before being used for this campaign. However, this is an unlikely case given the relatively small time frame between the purchase date and the start date of the campaign.
The codebase for the C2 backend is mostly in English, with the exception of the user interface and messages which are in Arabic. The dialect of the Arabic text is Modern Standard Arabic according to the dialect identification component of the CAMeL Tools. The timezone for the project is set to “Asia/Baghdad” which corresponds to GMT+3.
Some of the log entries indicate devices belonging to pro-Hadi forces, the military branch of the internationally recognized government temporarily located in Aden. The contents of one exfiltrated document translated to “Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance division.”
Lookout researchers attribute this campaign to a Yemeni Houthi-aligned threat actor based on the application lures, logs, targeting and the C2 infrastructure location.
Acknowledgements
Special thanks to Justin Albrecht for their contributions to this discovery.
Indicators of Compromise
Servers
wwwgoogl[.]zapto[.]org
somrasdc[.]ddns[.]net