A newly discovered threat group is using a custom piece of Android malware in a campaign that is targeting human rights activists in Morocco and western Africa.
The campaign is relatively recent. Researchers say the threat group, known as Starry Addax, launched it in late February, and that it starts with targeted phishing emails carrying a lure tied to the victim’s interests. The attackers are targeting both Windows and Android users with this campaign, and the custom malware they use is built specifically for Android devices. Known as FlexStarling, the malware has a number of capabilities, including the ability to read call logs, text messages, and contacts. Researchers from Cisco’s Talos group analyzed the malware and the Starry Addax campaign that delivers it and found that the attackers have set up their campaign to be simple but effective.
“Starry Addax’s infrastructure can be used to target both Windows and Android based users. This campaign's infection chain begins with a Spear-Phishing email sent to targets, consisting of individuals of interest to the attackers, especially Human Rights activists in Morocco and the Western Sahara region. The email contains content that either requests the target to install the Sahrawi News Agency’s Mobile App OR may even consist of a topical theme related to Western Sahara,” the Talos analysis says.
The new threat group is specifically targeting victims in Morocco and the Sahrawi Arab Democratic Republic. The Android campaign centers on the FlexStarling malware, which is disguised as a version of the mobile app for the Sahara Press Service. If an Android user clicks the malicious link in the spear-phishing email sent by the Starry Addax threat actors, the link delivers the FlexStarling malware package. Windows users get a different experience: the link redirects the victim to an attacker-controlled site that masquerades as a login page for a region-specific social media site.
The Talos researchers say this campaign is likely in its early stages and may evolve in the future. The earliest signs of the Starry Addax campaign appeared in January, when the attackers registered the first domain associated with it. Later that month, the FlexStarling malware was built and signed, and then in late February the spear phishing campaign began.
“Campaigns such as this one targeting high value individuals usually intend to run long and quietly. All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar,” the Talos analysis says.
“The use of FlexStarling with a Firebase based C2 instead of commodity malware or commercially available spyware signifies conscious efforts by the threat actor to evade detection and operate without being detected.”
The main objective of this campaign, of course, is to steal sensitive information from victims’ devices. The FlexStarling malware has the ability to download files from an attacker-specified URL and upload local files from the device to a Dropbox folder, as well as delete specific file paths and take other actions. The malware also has the ability to install other components if needed.
The Starry Addax actors are new to the threat landscape, but their capabilities likely will evolve as time goes on.