A pro-Houthi group, OilAlpha, is targeting humanitarian organizations in Yemen with malicious Android applications, which function as remote access trojans (RATs), requesting invasive permissions to access a user’s camera, microphone, SMS, contacts, and potentially more.
The stolen information and credentials were most likely exfiltrated to a server on the domain kssnew.online, which belongs to OilAlpha.
The research highlights the use of social engineering to deploy malware and emphasizes the importance of robust security measures for NGOs, including strong passwords, multi-factor authentication, and user education on identifying suspicious applications.
The activity, attributed to an otherwise unidentified actor, represents a continuing cyber security threat to humanitarian organizations such as CARE International and the Norwegian Refugee Council.
In May 2023, Insikt Group first identified OilAlpha through its use of malicious Android applications designed to steal credentials and collect intelligence.
New research confirms OilAlpha’s continued activity, employing social engineering tactics likely via WhatsApp to distribute the malware, which raises concerns about the potential disruption of aid distribution as stolen credentials could be used to manipulate aid delivery data.
A new wave of malicious mobile applications linked to the pro-Houthi group OilAlpha has been discovered targeting humanitarian organizations.
These Android applications masquerade as legitimate aid programs (e.g., “Cash Incentives.apk”) but request excessive permissions (camera, audio, SMS, contacts) indicative of Remote Access Trojan (RAT) functionality.
This suggests OilAlpha is attempting to steal credentials and sensitive information from employees of NGOs like CARE International and the Norwegian Refugee Council. The group is leveraging infrastructure on the domain kssnew.online to facilitate these attacks.
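One defender-side check that follows from the permission pattern described above: a small triage script (an added example, not code from the report or from Insikt Group) that reads a decoded AndroidManifest.xml, lists the requested permissions, and flags the surveillance capabilities (camera, microphone, SMS, contacts) that an aid-registration app has no reason to need. It assumes the manifest has already been decoded to plain XML (for example with apktool); the package name and manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions mapped to the RAT capabilities named in the report.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
}


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)]


def surveillance_capabilities(manifest_xml):
    """Sorted list of surveillance capabilities the app could gain from its permissions."""
    caps = {SURVEILLANCE_PERMISSIONS[p] for p in requested_permissions(manifest_xml)
            if p in SURVEILLANCE_PERMISSIONS}
    return sorted(caps)


def looks_like_rat(manifest_xml, threshold=3):
    """Heuristic: three or more distinct surveillance capabilities warrants escalation."""
    return len(surveillance_capabilities(manifest_xml)) >= threshold


# Constructed sample: an "aid programme" app asking for far more than it needs.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cashincentives">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(surveillance_capabilities(SUSPICIOUS_MANIFEST), looks_like_rat(SUSPICIOUS_MANIFEST))
    print(surveillance_capabilities(BENIGN_MANIFEST), looks_like_rat(BENIGN_MANIFEST))
```

The threshold is a triage aid, not a verdict: a legitimate messaging app can also request these permissions, so a flagged sample should go to dynamic analysis rather than straight to a block list.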
OilAlpha, a cyber threat actor, has been targeting humanitarian organizations with credential-theft tools disguised as Android applications; these request excessive permissions and function as remote access Trojans (RATs) capable of stealing login credentials, camera data, audio recordings, SMS messages, and contact information.
Further investigation by Insikt Group revealed a dedicated OilAlpha credential theft portal on kssnew.com that mimics the legitimate login pages of humanitarian organizations, tricking unsuspecting users into entering their credentials, which are then harvested by the attackers.
A hacking group, OilAlpha, likely affiliated with the Houthis in Yemen, is targeting humanitarian organizations with malicious Android applications that aim to steal credentials and gather intelligence, potentially manipulating the distribution of humanitarian aid.
OilAlpha’s efforts are believed to be ongoing, and experts believe that in the future the group may target organizations outside Yemen.