OilAlpha Hacker Group Attacking Humanitarian & Human Rights Organizations


A pro-Houthi group, OilAlpha, is targeting humanitarian organizations in Yemen with malicious Android applications by stealing credentials and gathering intelligence, potentially disrupting aid distribution. 

The applications target sensitive data and require invasive permissions, such as camera and SMS access. The targeted organizations include CARE International and the Norwegian Refugee Council. 


Pro-Houthi threat actor OilAlpha continues to target humanitarian organizations in Yemen with malicious Android applications by leveraging social engineering tactics to trick victims into downloading fake apps disguised as legitimate ones used by NGOs.


Malware Stealing Credentials

Once installed, the malware steals credentials and gathers intelligence on humanitarian operations, potentially allowing OilAlpha to manipulate aid distribution for its agenda. This highlights the persistent threat posed by cyberattacks against NGOs and the need for robust cybersecurity measures within humanitarian organizations. 

A new wave of malicious mobile applications targeting humanitarian organizations has been discovered. These Android applications, linked to the pro-Houthi group OilAlpha, target employees of reputable organizations like CARE International and the Norwegian Refugee Council. 

The applications request excessive permissions, including access to cameras, microphones, SMS, and contacts, indicative of Remote Access Trojan (RAT) functionality, which suggests that OilAlpha aims to steal credentials and sensitive information from targeted personnel. 

Among the components of the infrastructure supporting these applications is a credential theft portal hosted on the domain kssnew.online. 

In June 2024, three malicious Android applications targeting OilAlpha, the Norwegian Refugee Council, and CARE International were discovered. 

The applications, disguised as “Cash Incentives.apk,” request intrusive permissions like camera, audio, SMS, and contact access, which is characteristic of a Remote Access Trojan (RAT). This suggests the attacker’s intent to gain unauthorized remote control of the target devices. 
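As an added triage example (not from the article or Insikt Group's research), the check below reads a decoded AndroidManifest.xml, such as the output of apktool, and flags an app that requests the camera, audio, SMS and contacts permissions the article associates with RAT functionality. The manifest, package name and threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups the article ties to RAT-style capability.
RAT_INDICATORS = {
    "camera":   {"android.permission.CAMERA"},
    "audio":    {"android.permission.RECORD_AUDIO"},
    "sms":      {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                 "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
}

def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }

def rat_indicator_groups(manifest_xml: str) -> set[str]:
    """Capability groups (camera/audio/sms/contacts) the manifest requests."""
    perms = requested_permissions(manifest_xml)
    return {group for group, names in RAT_INDICATORS.items() if perms & names}

def is_suspicious(manifest_xml: str, threshold: int = 3) -> bool:
    """Flag a manifest that hits at least `threshold` indicator groups (assumed cut-off)."""
    return len(rat_indicator_groups(manifest_xml)) >= threshold

# Constructed sample manifest (not the real sample), mirroring the
# permission set described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(sorted(rat_indicator_groups(SAMPLE_MANIFEST)), is_suspicious(SAMPLE_MANIFEST))
```

Permissions alone do not prove malice (a messaging app legitimately needs several of these), so treat a hit as a reason to inspect the sample further rather than a verdict.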

Further investigation by Insikt Group revealed two more malicious applications targeting the NGOs mentioned above, indicating a wider campaign aimed at stealing credentials and sensitive information. 

OilAlpha employs a credential theft portal (kssnew.com) to target humanitarian organizations. The portal mimics legitimate login pages, tricking users into entering their credentials. 

Once entered, the attackers steal the credentials. This tactic, known as phishing, uses social engineering to circumvent technical security measures and gain unauthorized access to confidential data. 

Organizations can fortify their defenses against social engineering attacks by implementing a multi-pronged approach.

Firstly, information security policies should be established to outline acceptable user behavior regarding data handling and access.  

Secondly, regular training sessions promoting social engineering and phishing awareness can equip employees to identify and deflect these attempts. Finally, enforcing strong password protocols and deploying multi-factor authentication significantly reduces the success rate of credential theft, a common social engineering objective.
