In spring 2023, Insikt Group first reported on OilAlpha, a threat group aligned with the Houthi movement that has been systematically targeting humanitarian organizations operating in Yemen with malicious Android applications. Follow-up investigation a year later shows that OilAlpha remains active and continues to pose a substantial risk to humanitarian work in the region.
Our latest findings identify a new set of malicious mobile applications and associated infrastructure attributed to OilAlpha. These apps are built to compromise the staff of well-known international humanitarian organizations, including CARE International, the Norwegian Refugee Council, and Saudi Arabia's King Salman Humanitarian Aid and Relief Centre.
In June 2024, our team identified a suspicious Android application named “Cash Incentives.apk” and linked it to OilAlpha's tooling. The app requests an extensive set of permissions, including access to the camera, audio recording, SMS, and the contact list; taken together, this permission profile is consistent with a remote access trojan (RAT) and far beyond anything a cash-incentive app would legitimately need. Further analysis uncovered two more malicious apps targeting the Norwegian Refugee Council and CARE International, intended to steal login credentials and collect sensitive data.
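A quick way to turn the permission observation above into a repeatable triage check is to score a decoded AndroidManifest.xml by how many distinct surveillance capabilities it requests. The script below is an added example and is not code from the Insikt Group report; the sample manifest is constructed to mirror the permission set described for “Cash Incentives.apk”, and the capability grouping, the accessibility-service check and the scoring threshold are the editor's assumptions rather than a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml for a RAT-like permission profile.

Added example, not code from the report. The manifests below are constructed;
the grouping and threshold are assumptions, not a published rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Each surveillance capability maps to the permissions that grant it.
# A benign app rarely needs more than one or two of these at once.
CAPABILITIES = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed sample: the kind of manifest apktool decodes from a spyware APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cashincentives">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Cash Incentives">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign counterpart: a camera app that only talks to the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photos">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Photos"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def binds_accessibility_service(manifest_xml):
    """True if any <service> is protected by BIND_ACCESSIBILITY_SERVICE.

    An accessibility service can read on-screen text and inject input, so
    spyware frequently abuses it to harvest credentials and self-grant dialogs.
    """
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for svc in root.iter("service"))


def triage(manifest_xml, threshold=4):
    """Score the manifest: one point per capability, two for accessibility."""
    perms = requested_permissions(manifest_xml)
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    accessibility = binds_accessibility_service(manifest_xml)
    score = len(caps) + (2 if accessibility else 0)
    return {
        "capabilities": caps,
        "accessibility_service": accessibility,
        "score": score,
        "rat_like": score >= threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Run it against the output of `apktool d sample.apk` (the decoded manifest sits at `AndroidManifest.xml` in the output directory). The point of scoring capabilities rather than raw permission counts is that a legitimate messaging app may legitimately request SMS and contacts, but camera, microphone, SMS, contacts, call log, location and an accessibility service in one app marketed as a payment incentive is a combination that merits manual analysis.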
OilAlpha’s toolkit also includes a credential-harvesting portal hosted at the domain kssnew[.]online. The site imitates the legitimate login pages of humanitarian organizations and prompts visitors to enter their credentials, which are then captured by the operators.
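Defenders who receive a defanged indicator like kssnew[.]online typically want to sweep proxy logs for it, and the two mistakes that matter are forgetting to refang the indicator and matching it as a substring (which would also hit unrelated hosts). The script below is an added example, not code or data from the report: the log lines are constructed in a simplified proxy format, the only indicator taken from the page is the domain itself, and the field layout is an assumption.

```python
"""Sweep web-proxy logs for a defanged domain indicator.

Added example, not from the report. Log lines are constructed; the only
indicator taken from the page is kssnew[.]online.
"""
from urllib.parse import urlsplit

INDICATORS = ["kssnew[.]online"]

# Constructed sample lines: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2024-06-03T08:12:41Z 10.0.4.17 GET https://kssnew.online/login 200
2024-06-03T08:12:55Z 10.0.4.17 POST https://kssnew.online/login 302
2024-06-03T08:13:02Z 10.0.4.22 GET https://mail.kssnew.online/ 200
2024-06-03T08:13:20Z 10.0.4.31 GET https://notkssnew.online/ 200
2024-06-03T08:14:05Z 10.0.4.31 GET https://www.nrc.no/ 200
"""


def refang(ioc):
    """Turn a defanged indicator (hxxps://evil[.]tld) back into a usable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host, domain):
    """Exact or subdomain match only; 'notkssnew.online' must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan(log_text, indicators=INDICATORS):
    """Return one hit per log line whose URL host matches an indicator.

    A POST to the phishing host is flagged separately: that is the moment
    credentials are most likely submitted, so those users need a reset first.
    """
    domains = [refang(i).lower() for i in indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, method, url, status = parts
        split = urlsplit(url)
        host = split.hostname or ""
        for domain in domains:
            if host_matches(host, domain):
                hits.append({
                    "ts": ts,
                    "client": client,
                    "method": method,
                    "host": host,
                    "path": split.path,
                    "status": status,
                    "indicator": domain,
                    "credential_post": method.upper() == "POST",
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

With the sample input the sweep returns three hits: two for kssnew.online (the second a POST to /login, which is the one to escalate) and one for the subdomain mail.kssnew.online; notkssnew.online is correctly left out, which a naive substring search would have flagged.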
To counter this threat, organizations should enforce robust information security controls and run training focused on social engineering and phishing. Strong, unique passwords and multi-factor authentication (MFA) greatly reduce the impact of credential theft. Because a phishing page of this kind can also prompt the victim for a one-time code, phishing-resistant MFA (such as FIDO2/WebAuthn security keys, which bind the login to the genuine origin) gives the strongest protection against a look-alike portal.
Staff should also treat unsolicited direct messages on social media and encrypted messaging platforms with caution and verify the authenticity of such messages whenever feasible, ideally through a separate channel. Recorded Future's Third-Party Intelligence helps identify and track OilAlpha activity in a timely manner, and the Recorded Future® Threat Intelligence Browser Extension provides immediate access to threat intelligence, speeds up alert triage in SIEM tools, and helps prioritize security vulnerabilities.
For suspect files, Recorded Future's Malware Intelligence sandbox provides in-depth analysis, detonating the file in an isolated environment to record its network connections and the changes it makes to the system.
OilAlpha's continued operations point to a deliberate effort to influence the distribution of humanitarian aid in Yemen. The group is expected to keep targeting humanitarian organizations and may extend its reach beyond Yemen's borders. Recorded Future will continue to monitor and report on these threats to help protect humanitarian activity in the Middle East and beyond.
