Get in Touch
OilAlpha group targeting Arabian Android users
Developmental, humanitarian and media organisations.
The groups TAG-41 and TAG-62 (also known as OilAlpha) have been observed targeting Arabian based Android users via social engineering and the remote access trojans “NJRAT” and “SpyNote”. The attacks are believed to be part of a cyber espionage campaign against various targets, such as humanitarian and media-based organisations.
Successful exploitation by OilAlpha could lead to exfiltration of sensitive operational information of humanitarian workers and journalists. This could be used to execute armed assaults on individuals involved with the targeted organisations with potential for loss of life.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats like NJRAT and SpyNote. EDRs can alert system users of potential breaches and prevent further progress prior to the malware being able to implement significant damage.
Containment, Mitigations & Remediations
To help prevent the initial access attempts through social engineering, effective and regular training for all staff to identify malicious messages is recommend where possible.
All devices should be kept up to date as these patches will include the most recent security features to help prevent exploitation from known vulnerabilities.
As previously mentioned, the implementation of an EDR solution will help mitigate and contain threats in real time in order to prevent or limit the damage that attacks can have on the organisation.
Indicators of Compromise
“SpyNote” associated files (SHA256):
Due to the increased popularity of smartphone usage and particularly those using the open source operating system Android, they have become a prime target for attacks as many individuals will store large amounts of personal information on them which can be exploited.
As Android usage in the Arabian Peninsula is so extensive it has become a natural target for attackers in the location such as the OilAlpha group. These attacks are part of a global increase in politically motivated attacks on organisations for monetary or reputational gain for state sponsored or militant groups.
– T1566 – Phishing
– T1091 – Replication Through Removable Media
– T1106 – Native API
– T1059.001 – Command and Scripting Interpreter: PowerShell
– T1059.003 – Command and Scripting Interpreter: Windows Command Shell
– T1624.001 – Event Triggered Execution: Broadcast Receivers
– T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
– T1562.004 – Impair Defenses: Disable or Modify System Firewall
– T1070.004 – Indicator Removal: File Deletion
– T1070.009 – Indicator Removal: Clear Persistence
– T1112 – Modify Registry
– T1027 – Obfuscated Files or Information
– T1027.004 – Compile After Delivery
– T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
– T1056.001 – Input Capture: Keylogging
– T1010 – Application Window Discovery
– T1083 – File and Directory Discovery
– T1120 – Peripheral Device Discovery
– T1057 – Process Discovery
– T1012 – Query Registry
– T1018 – Remote System Discovery
– T1082 – System Information Discovery
– T1033 – System Owner/User Discovery
– T1430 – Location Tracking
– T1021.001 – Remote Services: Remote Desktop Protocol
– T1005 – Data from Local System
– T1113 – Screen Capture
– T1125 – Video Capture
– T1429 – Audio Capture
– T1636.003 – Protected User Data: Contact List
– T1636.004 – Protected User Data: SMS Messages
Command and Control
– T1071.001 – Application Layer Protocol: Web Protocols
– T1571 – Non-Standard Port
– T1105 – Ingress Tool Transfer
– T1132.001 – Data Encoding: Standard Encoding
– T1568.001 – Dynamic Resolution: Fast Flux DNS
– T1041 – Exfiltration Over C2 Channel
– OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users