    Cyber Threat Landscape: Activists in Morocco and Western Sahara Under Siege

    A fresh wave of cyber threats is targeting human rights activists in Morocco and the Western Sahara region. A newly identified threat actor is using phishing to trick victims into installing counterfeit Android applications and, for Windows users, into entering their credentials on credential-harvesting pages built for that purpose.

    Dubbed Starry Addax, this cluster of activity is being tracked by Cisco Talos and appears to target activists affiliated with the Sahrawi Arab Democratic Republic (SADR).

    The infrastructure used by Starry Addax, served from the domains ondroid[.]site and ondroid[.]store, is built to catch both Android and Windows users. For the Windows side, the actor has set up sham websites posing as login portals for popular social media platforms.

    The adversary, believed to have begun operations in January 2024, relies on spear-phishing emails as its primary vector, enticing recipients to install either the Sahara Press Service’s mobile application or a related decoy app ostensibly linked to the region.

    The phishing infrastructure first fingerprints the visitor’s operating system. Depending on the result, the target is served either a malicious APK masquerading as the Sahara Press Service app or a redirect to counterfeit social media login pages designed to steal their credentials.
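The article names two indicator domains and describes an OS-dependent phishing flow; the defender-side action both call for is checking name-resolution and proxy logs for those domains. The following is an added example written for this page, not code from Cisco Talos or from the article. It refangs the defanged indicators as printed above, then scans DNS query log lines for exact matches or subdomains of them. The log format (timestamp, client IP, query type, query name) and the sample lines are constructed for the example and are assumptions, not real telemetry.

```python
import re

# Indicator domains exactly as published in the report, defanged with "[.]"
# so they cannot be clicked or auto-linked.
STARRY_ADDAX_DOMAINS = ["ondroid[.]site", "ondroid[.]store"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back into a plain, matchable domain.

    Handles the common "[.]", "(.)" and "{.}" dot substitutions and strips a
    leading "hxxp://" / "hxxps://" scheme if one is present.
    """
    s = indicator.strip().lower()
    for defanged_dot in ("[.]", "(.)", "{.}"):
        s = s.replace(defanged_dot, ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip("/")


def host_matches(host: str, indicator_domain: str) -> bool:
    """True if host is the indicator domain itself or one of its subdomains.

    The leading "." in the suffix check prevents "notondroid.site" from
    matching "ondroid.site".
    """
    host = host.lower().rstrip(".")  # DNS logs often carry a trailing dot
    return host == indicator_domain or host.endswith("." + indicator_domain)


# Assumed (constructed) log layout: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>A|AAAA|CNAME)\s+(?P<qname>\S+)$")


def scan_dns_log(lines, indicators=STARRY_ADDAX_DOMAINS):
    """Return one hit record per log line whose query name matches an indicator."""
    wanted = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than raise on real logs
        qname = m.group("qname")
        for ind in wanted:
            if host_matches(qname, ind):
                hits.append({
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "qname": qname.rstrip("."),
                    "indicator": ind,
                })
                break
    return hits


# Constructed sample log lines; the IPs and timestamps are not real data.
SAMPLE_LOG = [
    "2024-02-01T09:12:03Z 10.0.0.21 A www.ondroid.site.",
    "2024-02-01T09:12:04Z 10.0.0.21 A ondroid.store",
    "2024-02-01T09:12:05Z 10.0.0.33 A notondroid.site",
    "2024-02-01T09:12:06Z 10.0.0.33 AAAA example.com",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} client={hit['client']} queried {hit['qname']} (matches {hit['indicator']})")
```

The subdomain check matters because phishing hosts are frequently served from subdomains of the registered domain; the strict "." prefix in the suffix test avoids false positives on look-alike registrations that merely end with the same string.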

    Central to Starry Addax’s toolkit is a newly identified Android malware, named FlexStarling, notable for its adaptability: it can deliver additional malware components while quietly harvesting sensitive data from compromised devices.

    Once installed on a device, FlexStarling pressures the victim into granting it broad permissions, which allow the malware to carry out a range of malicious actions, including retrieving commands from a Firebase-based command-and-control (C2) server, a choice that helps the traffic blend in with legitimate app activity.

    Talos emphasized the covert nature of campaigns targeting high-value individuals, noting that they are designed to stay unnoticed on infected devices for long periods.

    “Campaigns of this nature, focusing on individuals of significance, typically aim to remain inconspicuous on the device for extended periods,” remarked Talos.

    This development comes alongside the emergence of Oxycorat, a new commercial Android remote access trojan (RAT) advertised for its wide range of data collection capabilities and now offered for sale on underground markets.
