Cyberattacks Aimed at Human Rights Activists in Morocco and Western Sahara

Human Rights Activists Targeted by New Phishing Campaign in Morocco and Western Sahara

A new cybersecurity threat has emerged in Morocco and the Western Sahara, particularly targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR). This threat actor, identified by Cisco Talos as Starry Addax, employs sophisticated phishing tactics to deceive users into downloading fraudulent Android applications and directs Windows users to credential harvesting sites.

Starry Addax’s infrastructure, which includes domains such as ondroid[.]site and ondroid[.]store, targets both Android and Windows users. The attackers have created fake websites that imitate login pages for popular social media platforms, enabling them to capture the credentials victims enter. Although an active investigation is underway, Talos has refrained from publicly naming the specific platforms these phishing pages impersonate.

The threat actor has been operational since January 2024, primarily utilizing spear-phishing tactics. Recent phishing campaigns have included emails enticing recipients to download the Sahara Press Service mobile app or similar decoy applications related to the region. Depending on whether the user is on an Android or Windows device, they are either led to the download of a malicious APK that mimics the Sahara Press Service app or redirected to counterfeit social media login pages.
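The two paths described above (Android users served a malicious APK, Windows users sent to a counterfeit login page) leave distinct traces in egress logs. The following is an added example, not code from the article or from Cisco Talos: it refangs the two domains the article names, scans constructed proxy log lines for contact with them, and labels each hit by what the client appears to have done. The log format, client IPs, paths and user agents are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators as printed in the article (defanged). Refanged below for matching.
DEFANGED_DOMAINS = ["ondroid[.]site", "ondroid[.]store"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Hypothetical proxy log layout: client_ip method url status "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    ip: str
    url: str
    reason: str


def host_of(url: str) -> str:
    """Extract the lowercase host from an http(s) URL; empty string if absent."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def matches_known(host: str) -> bool:
    """True for the known domains themselves and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def analyze(lines):
    """Return one Alert per log line that touched Starry Addax infrastructure."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        host = host_of(m["url"])
        if not matches_known(host):
            continue
        ua = m["ua"].lower()
        if m["url"].lower().endswith(".apk") and "android" in ua:
            reason = "APK download from Starry Addax domain (Android client)"
        elif m["method"] == "POST":
            reason = "form POST to Starry Addax domain (possible credential submission)"
        else:
            reason = "contact with Starry Addax domain"
        alerts.append(Alert(m["ip"], m["url"], reason))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 GET https://ondroid.site/app.apk 200 "Mozilla/5.0 (Linux; Android 13)"',
    '10.0.0.7 GET https://ondroid.store/ 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.7 POST https://login.ondroid.store/auth 302 "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.9 GET https://example.org/index.html 200 "Mozilla/5.0"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ip}  {a.url}  ->  {a.reason}")
```

Matching on the registered domain plus any subdomain is deliberate: phishing kits routinely hang their login pages off hostnames like `login.` or `accounts.` under the same registered domain, and an exact-string match would miss them.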

Talos has also reported the emergence of a novel Android malware known as FlexStarling, which is designed to deploy additional malicious components and extract sensitive data once it infects a device. This malware requests extensive permissions from users, allowing it to execute commands retrieved from a Firebase-based command-and-control server. Such a mechanism indicates an intent to maintain a low profile while carrying out malicious activities.
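Because FlexStarling's access to the device rests on the permissions the decoy app asks for, a first triage step for a suspicious APK is to compare its manifest against what the app it imitates would plausibly need. The following is an added example, not code from the article or from Cisco Talos: it parses a constructed AndroidManifest.xml, maps declared permissions to the kind of data they expose, and flags categories that a news-reader app has no reason to request. The article does not list FlexStarling's actual permissions; the manifest and the category table here are the example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the kind of access they grant.
# The grouping is this example's own policy, not a list from the article.
SENSITIVE = {
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
}


def declared_permissions(manifest_xml: str):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, expected_categories):
    """Compare declared permissions with what the imitated app legitimately needs."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    unexpected = sorted(set(flagged.values()) - set(expected_categories))
    return {
        "declared": perms,
        "sensitive": flagged,
        "unexpected": unexpected,
        "verdict": "review" if unexpected else "ok",
    }


# Constructed manifest for a supposed news-reader app (hypothetical package name).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.news.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed manifest for a benign news reader with push notifications.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.news.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# A news app with push notifications plausibly needs to restart on boot, nothing else.
NEWS_APP_EXPECTED = {"persistence"}

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage(m, NEWS_APP_EXPECTED)
        print(f"{label}: verdict={r['verdict']} unexpected={r['unexpected']}")
```

The point of the expected-category argument is that "extensive permissions" is only meaningful relative to the app being imitated: a messaging client legitimately reads SMS, a press-service reader does not, so the same manifest can be benign for one decoy and a red flag for another.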

The tailored nature of FlexStarling and the supporting infrastructure suggests that Starry Addax has invested considerable resources into developing custom tools rather than relying on off-the-shelf malware solutions. This custom development indicates a heightened focus on stealth, with the ultimate aim of conducting surveillance on high-value targets over extended periods. Talos has pointed out that the infrastructure is not yet fully operational, but the requisite components are deemed sufficiently advanced to commence targeting individuals actively involved in human rights advocacy.

In the wake of these developments, the emergence of commercial Android Remote Access Trojans (RATs) like Oxycorat further complicates the cybersecurity landscape. These RATs are being marketed for their diverse information-gathering capabilities, putting activists at additional risk amidst the broader targeting strategies employed by adversary groups.

The operational timeline of Starry Addax, including the establishment of command-and-control points and the development of malware since early January 2024, underscores a methodical strategy to target vulnerable individuals. The advanced phishing techniques and bespoke malware utilized illustrate the increasing technological sophistication of adversary groups.

In the context of the MITRE ATT&CK framework, the tactics and techniques likely employed in this attack include initial access through phishing, credential harvesting via fake login pages, and persistence via the installation of malware capable of receiving remote commands. As further insights into this evolving situation arise, vigilance remains crucial for those at risk and for organizations concerned about similar cyber threats.

As this story progresses, stakeholders and business owners are encouraged to remain informed about the evolving tactics of cyber adversaries, particularly those aimed at individuals advocating for human rights.
