OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users

A hacking group dubbed OilAlpha with suspected ties to Yemen’s Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.

“OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets,” cybersecurity company Recorded Future said in a technical report published Tuesday.

“It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.”

OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups.

The assessment that the adversary is acting in the interest of the Houthi movement is based on the fact that the infrastructure used in the attacks is almost exclusively associated with Public Telecommunication Corporation (PTC), a Yemeni telecom service provider subjected to Houthi’s control.

That having said, the persistent use of PTC assets doesn’t exclude the possibility of a compromise by an unknown third-party. Recorded Future, however, noted that it did not find any evidence to back up this line of reasoning.

Another factor is the use of malicious Android-based applications to likely surveil delegates associated with Saudi Arabian government-led negotiations. These apps mimicked entities tied to the Saudi Arabian government and a humanitarian organization in the U.A.E.

The attack chains commence with potential targets – political representatives, media personalities, and journalists – receiving the APK files directly from WhatsApp accounts using Saudi Arabian telephone numbers by masquerading the apps as belonging to UNICEF, NGOs, and other relief organizations.

The apps, for their part, act as a conduit to drop a remote access trojan called SpyNote (aka SpyMax) that comes with a plethora of features to capture sensitive information from infected devices.

“OilAlpha’s focus in targeting Android devices is not surprising due to the high saturation of Android devices in the Arabian Peninsula region,” Recorded Future said.

The cybersecurity company said it also observed njRAT (aka Bladabindi) samples communicating with command-and-control (C2) servers associated with the group, indicating that it’s simultaneously making use of desktop malware in its operations.

“OilAlpha launched its attacks at the behest of a sponsoring entity, namely Yemen’s Houthis,” it theorized. “OilAlpha could be directly affiliated to its sponsoring entity, or could also be operating like a contracting party.”

“While OilAlpha’s activity is pro-Houthi, there is insufficient evidence to suggest that Yemeni operatives are responsible for this threat activity. External threat actors like Lebanese or Iraqi Hezbollah, or even Iranian operators supporting the IRGC, may have led this threat activity.”