OilAlpha group targeting Arabian Android users
Target Industry
Developmental, humanitarian and media organisations.
Overview
The groups TAG-41 and TAG-62 (also known as OilAlpha) have been observed targeting Arabian-based Android users via social engineering and the remote access trojans (RATs) "NJRAT" and "SpyNote". The attacks are believed to be part of a cyber espionage campaign against a range of targets, including humanitarian and media organisations.
Impact
Successful exploitation by OilAlpha could lead to exfiltration of sensitive operational information of humanitarian workers and journalists. This could be used to execute armed assaults on individuals involved with the targeted organisations with potential for loss of life.
Vulnerability Detection
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats such as the NJRAT and SpyNote remote access trojans. An EDR can alert users to a potential breach and block further progress before the malware is able to cause significant damage.
Affected Products
Android OS.
Containment, Mitigations & Remediations
To help prevent initial access through social engineering, effective and regular training for all staff in identifying malicious messages is recommended wherever possible.
All devices should be kept up to date as these patches will include the most recent security features to help prevent exploitation from known vulnerabilities.
As previously mentioned, the implementation of an EDR solution will help mitigate and contain threats in real time in order to prevent or limit the damage that attacks can have on the organisation.
Indicators of Compromise
“SpyNote” associated files (SHA256):
Threat Landscape
Due to the increased popularity of smartphones, and particularly those running the open-source Android operating system, these devices have become a prime target for attack, as many individuals store large amounts of personal information on them that can be exploited.
As Android usage in the Arabian Peninsula is so extensive, it has become a natural target for attackers operating in the region, such as the OilAlpha group. These attacks are part of a global increase in politically motivated attacks on organisations, carried out for monetary or reputational gain by state-sponsored or militant groups.
Mitre Methodologies
Initial Access
– T1566 – Phishing
– T1091 – Replication Through Removable Media
Execution
– T1106 – Native API
– T1059.001 – Command and Scripting Interpreter: PowerShell
– T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Persistence
– T1624.001 – Event Triggered Execution: Broadcast Receivers
– T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defence Evasion
– T1562.004 – Impair Defenses: Disable or Modify System Firewall
– T1070.004 – Indicator Removal: File Deletion
– T1070.009 – Indicator Removal: Clear Persistence
– T1112 – Modify Registry
– T1027 – Obfuscated Files or Information
– T1027.004 – Compile After Delivery
Credential Access
– T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
– T1056.001 – Input Capture: Keylogging
Discovery
– T1010 – Application Window Discovery
– T1083 – File and Directory Discovery
– T1120 – Peripheral Device Discovery
– T1057 – Process Discovery
– T1012 – Query Registry
– T1018 – Remote System Discovery
– T1082 – System Information Discovery
– T1033 – System Owner/User Discovery
– T1430 – Location Tracking
Lateral Movement
– T1021.001 – Remote Services: Remote Desktop Protocol
Collection
– T1005 – Data from Local System
– T1113 – Screen Capture
– T1125 – Video Capture
– T1429 – Audio Capture
– T1636.003 – Protected User Data: Contact List
– T1636.004 – Protected User Data: SMS Messages
Command and Control
– T1071.001 – Application Layer Protocol: Web Protocols
– T1571 – Non-Standard Port
– T1105 – Ingress Tool Transfer
– T1132.001 – Data Encoding: Standard Encoding
– T1568.001 – Dynamic Resolution: Fast Flux DNS
Exfiltration
– T1041 – Exfiltration Over C2 Channel
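The Android techniques listed above (persistence via a BOOT_COMPLETED broadcast receiver, and collection of contacts, SMS, audio, video and location) all leave traces in an app's manifest. The following is an added triage helper, not code from the original advisory or from the cited report, that maps a decoded AndroidManifest.xml (as produced by a tool such as apktool) onto those technique IDs; the manifest below is a constructed sample, not taken from a real SpyNote build, and the technique mapping is an assumption for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of manifest permissions to the ATT&CK techniques listed in the advisory.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_CONTACTS": "T1636.003 Contact List",
    "android.permission.READ_SMS": "T1636.004 SMS Messages",
    "android.permission.RECEIVE_SMS": "T1636.004 SMS Messages",
    "android.permission.RECORD_AUDIO": "T1429 Audio Capture",
    "android.permission.CAMERA": "T1125 Video Capture",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "T1430 Location Tracking",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the techniques suggested by a decoded AndroidManifest.xml.

    Heuristic only: legitimate apps also request these permissions, so the
    result is a triage signal for analyst review, not a verdict."""
    root = ET.fromstring(manifest_xml)
    hits = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_TECHNIQUES:
            hits.add(PERMISSION_TECHNIQUES[name])
    # A receiver registered for BOOT_COMPLETED restarts the app after reboot (T1624.001).
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == BOOT_ACTION:
                hits.add("T1624.001 Broadcast Receivers")
    return {"techniques": sorted(hits), "score": len(hits)}


# Constructed sample manifest for demonstration (not a real malware sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```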
Further Information
– OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users