
A hacking group called OilAlpha, with suspected links to Yemen’s Houthi movement, has been linked to a cyber espionage campaign targeting development, humanitarian aid, media, and non-governmental organizations in the Arabian Peninsula.
“OilAlpha leveraged encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets,” cybersecurity firm Recorded Future said in a technical report published Tuesday.
“URL link shorteners were also used. Victimology research indicated that the majority of the targeted entities spoke Arabic and operated Android devices.”
OilAlpha is the new codename that Recorded Future has given to two overlapping clusters that the company has been tracking under the names TAG-41 and TAG-62 since April 2022. TAG-XX, short for Threat Activity Group, is a temporary designation assigned to a new threat group.
The assessment that the adversaries are acting in the interests of the Houthi movement is based on the fact that the infrastructure used in the attacks is almost exclusively tied to the Public Telecommunications Corporation (PTC), a telecommunications service provider in Yemen that is under Houthi control.
That said, the continued use of PTC assets does not rule out the possibility of compromise by unknown third parties, although Recorded Future noted that it found no evidence to support this speculation.
Another factor is the use of malicious Android-based applications that may have been deployed to monitor representatives involved in Saudi government-led negotiations. These apps mimicked organizations affiliated with the Saudi government and UAE humanitarian organizations.

The attack chain starts with potential targets such as political representatives, media personalities, and journalists receiving, from Saudi phone numbers via their WhatsApp accounts, APK files that masquerade as apps belonging to UNICEF, NGOs, and other relief groups, and which the targets are induced to download directly.
These apps act as a conduit for dropping a remote access Trojan called SpyNote (aka SpyMax), which has a rich set of features for harvesting sensitive information from infected devices.
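The delivery chain described above (a WhatsApp message from an unfamiliar number, a shortened link, and a direct APK download outside an app store) lends itself to simple triage on the defender side. The following Python is an added example written for this page, not code from Recorded Future or from the report; the shortener list, the store allow-list, the permission set, the sample messages and the sample manifest are all constructed for illustration. It flags messages carrying shortened or sideloaded-APK links, and separately checks an Android manifest for the kind of surveillance permissions a spyware-class RAT such as SpyNote typically requests.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed lists for this example; a real deployment would use a
# maintained shortener feed and the organisation's own store allow-list.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy", "is.gd"}
TRUSTED_STORES = {"play.google.com"}

# Permissions that, together, indicate device surveillance rather than a
# relief-registration or NGO app (constructed set, not an exhaustive list).
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url: str) -> str:
    """Return 'shortened', 'sideload_apk' or 'other' for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        return "shortened"        # destination hidden from the recipient
    if parsed.path.lower().endswith(".apk") and host not in TRUSTED_STORES:
        return "sideload_apk"     # direct APK download outside an app store
    return "other"


def triage_messages(messages):
    """Scan chat messages (dicts with 'sender' and 'text') for risky links."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg["text"]):
            verdict = classify_url(url)
            if verdict != "other":
                findings.append({"sender": msg["sender"], "url": url, "verdict": verdict})
    return findings


def risky_permissions(manifest_xml: str) -> set:
    """Return the high-risk permissions requested in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    android_ns = "{http://schemas.android.com/apk/res/android}"
    requested = {el.get(android_ns + "name") for el in root.iter("uses-permission")}
    return requested & HIGH_RISK_PERMISSIONS


# Constructed sample input: three messages as a triage script might receive
# them from an export of a reported chat. Sender values are placeholders.
SAMPLE_MESSAGES = [
    {"sender": "+966-PLACEHOLDER", "text": "Registration form: https://example.org/aid-registration.apk install before Thursday"},
    {"sender": "+966-PLACEHOLDER", "text": "Updated link https://bit.ly/CONSTRUCTED"},
    {"sender": "colleague", "text": "Report is here https://play.google.com/store/apps/details?id=org.example.app"},
]

# Constructed manifest resembling what a decoded spyware APK might declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


if __name__ == "__main__":
    for finding in triage_messages(SAMPLE_MESSAGES):
        print(f"[{finding['verdict']}] from {finding['sender']}: {finding['url']}")
    print("risky permissions:", sorted(risky_permissions(SAMPLE_MANIFEST)))
```

The two checks are deliberately independent: the message triage works on exported chat text before any file is opened, while the manifest check is what an analyst would run on a decoded APK that a user has already reported. Both rely on allow-lists and threshold sets that should be tuned to the organisation; a shortened link is a signal to resolve and inspect the destination, not proof of malice on its own.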
“Due to the high saturation of Android devices in the Arabian Peninsula region, it is not surprising that OilAlpha’s focus is on targeting Android devices,” Recorded Future said.
The cybersecurity firm also said it observed samples of njRAT (aka Bladabindi) communicating with command-and-control (C2) servers associated with the group, which it said indicates that the group also uses desktop malware in its operations.
“OilAlpha launched its attacks at the behest of its sponsors, namely Yemen’s Houthi rebels,” Recorded Future theorized. “OilAlpha may be directly affiliated with the sponsoring entity, or it may operate like a contracting party.”
“Although OilAlpha’s operations are pro-Houthi, there is insufficient evidence to suggest that Yemeni operatives are behind this threat activity. It is also possible that Iranian operatives supporting the Revolutionary Guard spearheaded it.”