| GuardZoo | |
| --- | --- |
| Type of Malware | Trojan |
| Date of initial activity | 2019 |
| Targeted Countries | Yemen, Saudi Arabia, Egypt, Oman |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
Overview
GuardZoo is Android surveillanceware identified by Lookout and aimed at military personnel in several Middle Eastern countries, including Yemen, Saudi Arabia, Egypt and Oman. It has been active since October 2019, continues to evolve, and relies on military-themed lures to get victims to install it. Lookout attributes the operation to a Yemeni, Houthi-aligned threat actor.
The malware is built on the Dendroid RAT, a commodity spyware whose source code leaked in 2014 and which the actor has modified extensively to add functionality and evade detection. GuardZoo collects photographs, documents, GPS coordinates and device-specific information such as the handset model and cellular carrier. Collection is not its only capability: the C2 can also push additional code to an infected device, extending what the implant does after installation.
Distribution runs through messaging platforms, chiefly WhatsApp, and through direct downloads from attacker-controlled websites. Because the targets are military personnel, the data it takes (location files, documents, photos) has direct operational value, which is what makes this campaign more than routine mobile spyware.
Targets
Public Administration
How they operate
GuardZoo is distributed through social engineering: trojanized apps with military-themed names and icons, including titles related to military strategy and training, are sent to prospective victims or offered for download. Its command and control (C2) servers sit behind dynamic DNS domains that resolve into YemenNet address space. On first launch the malware contacts the C2 to fetch commands and begin collecting data.
At its core, GuardZoo is built on the Dendroid Remote Access Trojan (RAT), a commodity spyware whose source code leaked in 2014. The actor has tailored the codebase, adding capabilities and removing obsolete functions, and the implant now accepts more than 60 commands from the C2. These range from collecting files with specific extensions to monitoring GPS data, which matters for military personnel who may use their phones for operational planning.
GuardZoo persists across reboots by registering to start itself when the device boots, the Android equivalent of boot autostart (there is no user logon event on Android to hook). The actor therefore keeps continuous monitoring without having to re-infect the device. GuardZoo can also download external DEX files from the C2 and load them at runtime, so its functionality can be changed or extended without shipping a new APK. A practical consequence for analysts is that the installed APK does not show the implant's full capability; the loaded modules have to be captured from the device or the C2 traffic.
Exfiltration covers a wide range of data: photographs, documents and metadata about files on the device. GuardZoo specifically hunts for files with GPS-mapping extensions such as KMZ and WPT, which can yield route and waypoint intelligence. C2 traffic goes over HTTPS, but the request body carries commands and collected data in cleartext with no additional encryption or encoding. TLS protects it on the wire, so this is not interceptable by a passive observer; it does mean that anyone able to terminate or inspect the TLS session (an analyst with an interception proxy and a trusted CA on the device, or an enterprise TLS-inspection gateway) reads the protocol directly, and detection content can be written against the decrypted body.
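The two implementation-level behaviours described above, boot persistence and runtime loading of DEX code fetched from the C2, are things an analyst can check for in a decoded APK before any dynamic analysis. The script below is an added triage example written for this page; it is not GuardZoo's code and not Lookout's tooling. The AndroidManifest.xml and the `strings`-style dump it inspects are constructed for the example, and the dynamic-DNS suffix list is illustrative (the page does not name the provider GuardZoo used). DexClassLoader is also used by legitimate plugin and SDK code, so the output is a triage flag, not a verdict.

```python
"""Static triage of a decoded Android app for boot persistence and
runtime DEX loading. Added example; inputs are constructed, not GuardZoo's."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: what a decoded manifest of an app that wants to
# survive reboots typically contains (boot permission + BOOT_COMPLETED receiver).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.app">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Constructed Map Viewer">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a few lines as `strings classes.dex` would print them.
SAMPLE_STRINGS = """Ldalvik/system/DexClassLoader;
Ldalvik/system/InMemoryDexClassLoader;
https://example-c2.ddns.net/api/
update.dex
getDeviceId
""".splitlines()

# Class loaders that take code from outside the APK at runtime.
DYNAMIC_CODE_LOADERS = ("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader")
# Illustrative dynamic-DNS suffixes (assumption; extend with local intel).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".dyndns.org", ".hopto.org")


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def boot_receivers(manifest_xml: str) -> list:
    """Return names of <receiver> elements that listen for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if _attr(action, "name") == "android.intent.action.BOOT_COMPLETED":
                found.append(_attr(receiver, "name"))
    return found


def permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def dynamic_loading_indicators(strings: list) -> dict:
    """Flag class-loader references, .dex file names and dynamic-DNS hosts."""
    hits = {"loaders": [], "dex_files": [], "dyndns_hosts": []}
    for s in strings:
        s = s.strip()
        if any(loader in s for loader in DYNAMIC_CODE_LOADERS):
            hits["loaders"].append(s)
        if re.search(r"\.dex$", s, re.IGNORECASE):
            hits["dex_files"].append(s)
        host = re.search(r"https?://([^/\s]+)", s)
        if host and host.group(1).lower().endswith(DYNDNS_SUFFIXES):
            hits["dyndns_hosts"].append(host.group(1))
    return hits


def triage(manifest_xml: str, strings: list) -> dict:
    """Combine manifest and string evidence into the two behaviours of interest."""
    recv = boot_receivers(manifest_xml)
    perms = permissions(manifest_xml)
    dyn = dynamic_loading_indicators(strings)
    return {
        # Both the permission and a receiver are needed for boot start to work.
        "boot_persistence": bool(recv) and "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "boot_receivers": recv,
        # A loader reference plus a .dex file name suggests code arrives at runtime.
        "runtime_code_loading": bool(dyn["loaders"]) and bool(dyn["dex_files"]),
        "dyndns_c2_candidates": dyn["dyndns_hosts"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

Run it against the output of an APK decoder (the decoded manifest) and `strings` over each `classes*.dex`; a hit on `runtime_code_loading` is the cue to collect the DEX files the app writes to its private storage at runtime, since those carry the capability the static APK does not show.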
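Because the request body is cleartext once TLS is removed, a defender who terminates TLS for managed devices can inspect uploads for the file types named above. The following is an added example for this page, not GuardZoo's actual protocol: the POST request it parses is constructed, and the multipart field names (`device_model`, `carrier`, `file`) are assumptions chosen to illustrate the kind of device metadata and file uploads the report describes. The extension list is taken from the page (KMZ, WPT) and is meant to be extended locally.

```python
"""Inspect a decrypted HTTPS request for uploads of GPS-mapping files
alongside device metadata. Added example; request and field names are constructed."""
from email import policy
from email.parser import BytesParser

# Extensions named on the page; extend locally (e.g. .kml, .gpx) as policy dictates.
GPS_EXTENSIONS = (".kmz", ".wpt")
# Assumed metadata field names for the constructed protocol.
DEVICE_FIELDS = ("device_model", "carrier")

# Constructed sample request as it would look after TLS termination.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: constructed-c2.example.net\r\n"
    b"Content-Type: multipart/form-data; boundary=XbOuNdArY\r\n"
    b"\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="device_model"\r\n\r\n'
    b"SM-A125F\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="carrier"\r\n\r\n'
    b"ExampleNet\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="file"; filename="patrol_route.kmz"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"PK\x03\x04 constructed bytes\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="file"; filename="holiday.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff constructed bytes\r\n"
    b"--XbOuNdArY--\r\n"
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(b":")
        headers[key.strip().decode().lower()] = value.strip().decode()
    return request_line.decode(), headers, body


def parse_multipart(content_type: str, body: bytes):
    """Parse multipart/form-data into plain fields and (name, filename, size) uploads.
    The stdlib email parser handles any multipart/* body given the Content-Type header."""
    msg = BytesParser(policy=policy.default).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    )
    fields, files = {}, []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if filename:
            files.append((name, filename, len(data)))
        else:
            fields[name] = data.decode("utf-8", "replace").strip()
    return fields, files


def flag_exfiltration(raw_request: bytes) -> dict:
    """Flag a request that uploads GPS-mapping files together with device metadata."""
    _, headers, body = split_request(raw_request)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return {"multipart": False, "gps_files": [], "other_files": [], "device_fields": {}, "suspicious": False}
    fields, files = parse_multipart(ctype, body)
    gps_files = [fn for _, fn, _ in files if fn.lower().endswith(GPS_EXTENSIONS)]
    device_fields = {k: v for k, v in fields.items() if k in DEVICE_FIELDS}
    return {
        "multipart": True,
        "host": headers.get("host"),
        "gps_files": gps_files,
        "other_files": [fn for _, fn, _ in files if fn not in gps_files],
        "device_fields": device_fields,
        # Heuristic: mapping files plus device fingerprint in one POST is the pattern of interest.
        "suspicious": bool(gps_files) and bool(device_fields),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(flag_exfiltration(SAMPLE_REQUEST), indent=2))
```

The same split-and-parse approach applies to any decrypted POST; the value of the rule is that it keys on what is being taken (route and waypoint files) rather than on a C2 hostname, which for this actor changes with each dynamic DNS registration.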
In summary, GuardZoo exemplifies the evolving nature of mobile threats and the sophisticated tactics employed by state-aligned actors. Its reliance on social engineering for initial access, combined with robust capabilities for data collection, persistence, and command execution, highlights the need for heightened awareness and improved cybersecurity measures among potential targets. As malware like GuardZoo continues to evolve, understanding its technical operation is vital for developing effective defenses against such advanced threats.
MITRE Tactics and Techniques
Initial Access (T1566 – Phishing):
GuardZoo reaches its victims through social engineering: military-themed apps are sent over WhatsApp or offered for direct download, and the target is persuaded to install them. No account compromise is involved.
Execution (T1204 – User Execution):
The payload runs only because the victim installs and opens the trojanized application; no client-side exploit is used.
Persistence (T1547 – Boot or Logon Autostart Execution):
GuardZoo registers to start at device boot, so monitoring resumes after every reboot without further user interaction.
Privilege Escalation: not observed.
GuardZoo's reported capabilities are reached through the Android permissions the app requests at install time (storage, location, device identity), not through an operating-system exploit. Exploitation for Privilege Escalation (T1068) should not be attributed to it without evidence.
Credential Access: not observed.
No credential-theft capability is described for GuardZoo. The documents and photos it harvests may incidentally contain credentials, but reading credential stores (T1552 – Unsecured Credentials) is not a reported behaviour.
Discovery (T1083 – File and Directory Discovery):
The malware scans the device to identify and catalog files, particularly those with specific extensions related to GPS and mapping.
Collection (T1005 – Data from Local System):
GuardZoo collects various types of data, including documents, photos, and device location information.
Command and Control (T1071 – Application Layer Protocol; T1568 – Dynamic Resolution):
The malware talks to its C2 servers over HTTPS, sending collected data and receiving commands; the request body itself is cleartext beneath TLS. The C2 is addressed through dynamic DNS domains that resolve into YemenNet address space, which lets the operator move infrastructure without changing the implant.
Exfiltration (T1041 – Exfiltration Over Command and Control Channel):
GuardZoo exfiltrates collected data back to the C2 server, ensuring that sensitive information is transferred to the threat actor.
Command and Control (T1105 – Ingress Tool Transfer):
GuardZoo downloads additional DEX files from the C2 and loads them at runtime, changing or extending its capabilities without a new APK. No denial-of-service behaviour is described for GuardZoo, so an Impact technique (such as T1499 – Endpoint Denial of Service) does not apply.