Summary: A new threat actor named “Starry Addax” is targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa using a mobile malware called “FlexStarling.”
Threat Actor: Starry Addax
Victim: Human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause
Key Points:
- Starry Addax conducts phishing attacks and uses malicious Android apps disguised as legitimate tools to compromise sensitive information.
- The threat actor also targets Windows users through credential-harvesting web pages disguised as login portals for popular media websites.
- Starry Addax has been active since January 2024 and shows a high level of sophistication in evading detection.
- The malware used by Starry Addax, called FlexStarling, has advanced features and employs evasion techniques to remain undetected on compromised devices.
A new threat actor dubbed “Starry Addax” is targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa using a novel mobile malware named “FlexStarling.”
Starry Addax’s modus operandi involves conducting phishing attacks, enticing victims into installing malicious Android apps that are disguised as legitimate tools. The apps impersonate the Sahara Press Service, serving as a means to deliver malware onto mobile devices, compromising sensitive information.
The infrastructure utilized by Starry Addax, including domains such as ondroid[.]site and ondroid[.]store, indicates a focus on both Android and Windows users.
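Domains like the two above are published defanged (`[.]`) so that they cannot be clicked by accident. The following script, added here as an illustration and not part of the original article, refangs such indicators and scans DNS query logs for hosts that resolved them or any subdomain of them. The log lines are constructed in dnsmasq style for the example and are not real telemetry.

```python
import re

# The two defanged domains named in the report, kept in their published form.
DEFANGED_IOCS = ["ondroid[.]site", "ondroid[.]store"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://")
                     .lower())


def matches_ioc(hostname: str, iocs) -> bool:
    """True if hostname equals an IoC domain or is a subdomain of one.

    A plain substring test would also flag 'notondroid.site', so the check is
    exact match or a dot-delimited suffix match only."""
    host = hostname.lower().rstrip(".")
    for ioc in iocs:
        dom = refang(ioc)
        if host == dom or host.endswith("." + dom):
            return True
    return False


# Constructed sample log lines (dnsmasq-style query log); not real data.
SAMPLE_LOG = """\
Mar 12 10:01:03 dnsmasq[412]: query[A] www.example.org from 10.0.0.12
Mar 12 10:01:09 dnsmasq[412]: query[A] cdn.ondroid.site from 10.0.0.27
Mar 12 10:01:15 dnsmasq[412]: query[A] notondroid.site from 10.0.0.27
Mar 12 10:02:40 dnsmasq[412]: query[AAAA] ONDROID.STORE from 10.0.0.31
"""

# Captures the queried name and the client that asked for it.
QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def scan_dns_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (client_ip, queried_name) pairs for queries that hit an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1), m.group(2)
        if matches_ioc(name, iocs):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_LOG):
        print(f"IoC hit: {client} queried {name}")
```

The suffix check matters: a naive `"ondroid.site" in hostname` would flag the unrelated `notondroid.site` line and miss nothing but produce noise, while the exact-or-subdomain match catches `cdn.ondroid.site` and the upper-cased `ONDROID.STORE` query and ignores the lookalike.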
For Windows-based targets, Starry Addax uses a different tactic: credential-harvesting web pages that masquerade as login portals for popular media websites, tricking victims into entering credentials that the actor then uses to gain unauthorized access to their accounts.
According to Cisco’s Talos threat research team, Starry Addax has been active since January 2024, orchestrating spear-phishing campaigns aimed at individuals sympathetic to the SADR cause.
Starry Addax’s operation exhibits a high level of sophistication and a concerted effort to evade detection. The use of FlexStarling, a malware app equipped with advanced features and a Firebase-based command-and-control (C2) infrastructure, demonstrates the threat actor’s determination to remain undetected while extracting valuable information from compromised devices.
FlexStarling’s functionality includes requesting extensive permissions from the Android operating system, enabling the malware to extract sensitive data from infected devices. The malware employs evasion techniques, such as checking for emulation environments or analysis tools, to thwart detection efforts and ensure its persistence on compromised devices.
The malware seeks permissions to manage external storage areas on the device, granting the threat actor the ability to manipulate files and gather additional intelligence. Rather than comparing received command strings directly, the malware computes MD5 hashes of the command codes and compares them against hardcoded hashes, so the plaintext command set never needs to appear in the app; this lets it communicate with the C2 server and execute commands without raising suspicion.
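Because only digests are present in the sample, an analyst who wants to know which commands the dispatcher accepts has to resolve them against a candidate wordlist. The script below is an added example of that workflow, not code from the article or from FlexStarling: the hardcoded hash set and the command words are constructed for illustration (the real command vocabulary is not given in the report), and one digest is deliberately left unresolvable to show how the output separates known from unknown handlers.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Set, Tuple


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string, the comparison form the report describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the digests an analyst would extract from a sample's
# command dispatcher. The command words are hypothetical, not FlexStarling's.
HARDCODED_COMMAND_HASHES: Set[str] = {
    md5_hex("upload"),
    md5_hex("listfiles"),
    md5_hex("screenshot"),
    "5d41402abc4b2a76b9719d911017c592",  # md5("hello"): intentionally absent from the wordlist
}

# Constructed candidate wordlist: generic mobile-RAT verbs and common spellings.
CANDIDATE_WORDS: List[str] = [
    "upload", "download", "listfiles", "list_files", "screenshot",
    "record", "contacts", "sms", "location", "exit",
]


def expand_variants(words: Iterable[str]) -> Iterator[str]:
    """Yield each word plus the case variants developers commonly use."""
    for w in words:
        yield w
        yield w.upper()
        yield w.capitalize()


def resolve_hashed_commands(hashes: Iterable[str],
                            wordlist: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Map hardcoded digests back to plaintext commands.

    Returns (resolved, unresolved): resolved maps digest -> plaintext for every
    hash a wordlist entry produced; unresolved lists digests that no candidate
    matched, which is where manual reversing of the handler has to start."""
    table = {md5_hex(w): w for w in expand_variants(wordlist)}
    resolved = {h: table[h] for h in hashes if h in table}
    unresolved = sorted(h for h in hashes if h not in table)
    return resolved, unresolved


if __name__ == "__main__":
    known, unknown = resolve_hashed_commands(HARDCODED_COMMAND_HASHES, CANDIDATE_WORDS)
    for digest, word in sorted(known.items(), key=lambda kv: kv[1]):
        print(f"{digest}  ->  {word}")
    for digest in unknown:
        print(f"{digest}  ->  (unresolved; inspect the handler for this digest)")
```

The practical point for detection is the same one the hashing is meant to defeat: signatures written on plaintext command strings will not fire on a sample like this, so static rules should key on the hardcoded digests themselves or on the dispatcher's hash-and-compare code pattern, and the unresolved digests are the ones worth flagging for deeper reversing.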
Source: https://www.cybersecurity-help.cz/blog/3922.html