Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram
ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download. Note that although the malware employed throughout this campaign uses the name SecureVPN, it has no association whatsoever with the legitimate, multiplatform SecureVPN software and service.
- The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code that the Bahamut group has used in the past.
- We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.
- The main purpose of the app modifications is to extract sensitive user data and actively spy on victims' messaging apps.
- We believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
- We do not know the initial distribution vector (email, social media, messaging apps, SMS, etc.).
ESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never available for download from Google Play.
The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data.
The Bahamut APT group typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial attack vector. Bahamut specializes in cyberespionage, and we believe that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is commonly described in Arabic mythology as an unimaginably enormous fish.
The group has been the subject of several publications in recent years, including:
The initial fake SecureVPN app we analyzed was uploaded to VirusTotal on 2022-03-17, from an IP address that geolocates to Singapore, together with a link to a fake website that triggered one of our YARA rules.
At the same time, we were notified on Twitter via DM from @malwrhunterteam about the same sample.
The malicious Android application used in this campaign was delivered via the website thesecurevpn[.]com (see Figure 1), which uses the name – but none of the content or styling – of the legitimate SecureVPN service (at the domain securevpn.com).
This fake SecureVPN website was created based on a free web template (see Figure 2), which was probably used by the threat actor as an inspiration, since it required only small changes and looks trustworthy.
thesecurevpn[.]com was registered on 2022-01-27; however, the time of initial distribution of the fake SecureVPN app is unknown. The malicious app is provided directly from the website and has never been available on the Google Play store.
Malicious code in the fake SecureVPN sample was seen in the SecureChat campaign documented by Cyble and CoreSec360. We have seen this code being used only in campaigns conducted by Bahamut; similarities to those campaigns include storing sensitive information in a local database before uploading it to the C&C server. The amount of data stored in these databases probably depends on the campaign. In Figure 3 you can see malicious package classes from this variant compared to a previous sample of Bahamut code.
Comparing Figure 4 and Figure 5, you can see the similarities in SQL queries in the earlier SecureChat malware, attributed to Bahamut, and the fake SecureVPN malware.
As such, we believe that the fake SecureVPN application is associated with the Bahamut group.
Since the distribution website has been online, there have been at least eight versions of the Bahamut spyware available for download. These versions were created by the threat actor, where the fake application name was followed by the version number. We were able to pull the following versions from the server, where we believe the version with the lowest version suffix was provided to potential victims in the past, while more recently higher version numbers (secureVPN_104.apk, SecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk, SecureVPN_109.apk, SecureVPN_1010.apk, secureVPN_1010b.apk) have been used.
We divide these versions into two branches, since Bahamut's malicious code was placed into two different legitimate VPN apps.
In the first branch, from version secureVPN_104 until secureVPN_108, malicious code was inserted into the legitimate SoftVPN application that can be found on Google Play and uses the unique package name com.secure.vpn. This package name is also visible in the PARENT_APPLICATION_ID value in the version info found in the decompiled source code of the first fake SecureVPN app branch, as seen in Figure 6.
In the second branch, from version secureVPN_109 until secureVPN_1010b, malicious code was inserted into the legitimate open-source application OpenVPN, which is available on Google Play, and that uses the unique package name com.openvpn.secure. As with the trojanized SoftVPN branch, the original app's package name is also visible in the fake SecureVPN app's version info, found in the decompiled source code, as seen in Figure 7.
Besides the split into these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality.
The reason the threat actor switched from patching SoftVPN to OpenVPN as its parent app is not clear; however, we suspect that the reason might be that the legitimate SoftVPN app stopped working or being maintained and was no longer able to create VPN connections – as confirmed by our testing of the latest SoftVPN app from Google Play. This might be a reason for Bahamut to switch to using OpenVPN, since potential victims might uninstall a non-working VPN app from their devices. Changing one parent app to another likely required more time, resources, and effort by the threat actor to implement successfully.
Malicious code packaged with the OpenVPN app was implemented a layer above the VPN code. That malicious code implements spyware functionality that requests an activation key and then checks the provided key against the attacker's C&C server. If the key is successfully entered, the server returns a token that is necessary for successful communication between the Bahamut spyware and its C&C server. If the key is not correct, neither Bahamut spyware nor VPN functionality will be enabled. Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app.
In Figure 8 you can see an initial activation key request and in Figure 9 the network traffic behind such a request and the response from the C&C server.
The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims together with an activation key, which is not provided on the website. Unfortunately, we were not able to obtain a working key.
The activation key layer does not belong to the original OpenVPN functionality, and we do not recognize it as code from any other legitimate app. We believe it was developed by Bahamut, since it also communicates with their C&C server.
Implementing a layer to protect a payload from being triggered right after launch on a non-targeted user device or when being analyzed is not a unique feature. We already saw similar protection being used in another campaign by the Bahamut group, implemented in the SecureChat app analyzed by CoreSec360. That required extra effort by the victim, who had to create an account and log into it, which then enabled the Bahamut spyware functionality. We have also seen comparable protection being used by APT-C-23, where the potential victim needs a valid Coupon Code to download the malicious app.
If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data such as:
- SMS messages,
- call logs,
- a list of installed apps,
- device location,
- device accounts,
- device info (type of internet connection, IMEI, IP, SIM serial number),
- recorded phone calls, and
- a list of files on external storage.
By misusing accessibility services, as seen in Figure 10, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as:
- imo-International Calls & Chat,
- Facebook Messenger,
- Signal Private Messenger,
- WeChat, and
- Conion apps.
All exfiltrated data is stored in a local database and then sent to the C&C server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.
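Because the activation-key guardrail described above keeps the spyware dormant in a sandbox, a defender gets more from static triage than from detonation. The following Python script is an added example, not ESET's code and not code from the analyzed apps: it scores a decoded AndroidManifest.xml against the capability list just given (each capability needs a declared permission, a bound accessibility service, or a BOOT_COMPLETED receiver) and checks the APK hash and package name against the IoC table at the end of this report. The capability-to-permission mapping, the two sample manifests, and the "suspicious" threshold in `assess` are my assumptions; the package names and SHA-1 hashes are taken from the report's IoC table.

```python
"""Added example (not ESET's code, nor code from the analyzed apps): static triage
of an Android app against the capability set and IoCs in this report. It works from a
decoded AndroidManifest.xml plus the APK bytes, so it needs no activation key."""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping: capability named in the report -> manifest markers (permission
# or intent-action names) an app must declare to have it; any one marker counts.
CAPABILITY_MARKERS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED", "android.intent.action.BOOT_COMPLETED"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

# From the report's IoC table. A package-name hit alone is weak evidence: these are the
# legitimate SoftVPN / OpenVPN package names, which the trojanized builds kept.
IOC_PACKAGES = {"com.secure.vpn", "com.openvpn.secure"}
IOC_SHA1 = {h.lower() for h in (
    "3144B187EDF4309263FF0BCFD02C6542704145B1", "2FBDC11613A065AFBBF36A66E8F17C0D802F8347",
    "2E40F7FD49FA8538879F90A85300247FBF2F8F67", "1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229",
    "976CC12B71805F4E8E49DCA232E95E00432C1778", "B54FFF5A7F0A279040A4499D5AABCE41EA1840FB",
    "C74B006BADBB3844843609DD5811AB2CEF16D63B", "4F05482E93825E6A40AF3DFE45F6226A044D8635",
    "79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF", "7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6",
)}

def sha1_hex(apk_bytes: bytes) -> str:
    return hashlib.sha1(apk_bytes).hexdigest()

def manifest_markers(manifest_xml: str) -> set:
    """Collect <uses-permission> names, service-level permissions (an accessibility
    service binds with BIND_ACCESSIBILITY_SERVICE) and receiver actions (BOOT_COMPLETED)."""
    root = ET.fromstring(manifest_xml)
    markers = set()
    for el in root.iter("uses-permission"):
        markers.add(el.get(ANDROID_NS + "name", ""))
    for el in root.iter("service"):
        markers.add(el.get(ANDROID_NS + "permission", ""))
    for el in root.iter("action"):
        markers.add(el.get(ANDROID_NS + "name", ""))
    markers.discard("")
    return markers

def capabilities(manifest_xml: str) -> set:
    markers = manifest_markers(manifest_xml)
    return {cap for cap, needles in CAPABILITY_MARKERS.items() if markers & needles}

def assess(package: str, manifest_xml: str, apk_bytes: bytes) -> dict:
    """'known_sample' on a hash hit; 'suspicious' (assumed threshold) when a VPN app
    declares an accessibility service plus three or more data-collection capabilities,
    none of which a VPN needs; otherwise 'clean'."""
    caps = capabilities(manifest_xml)
    digest = sha1_hex(apk_bytes)
    if digest in IOC_SHA1:
        verdict = "known_sample"
    elif "accessibility" in caps and len(caps - {"accessibility"}) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"package": package, "sha1": digest, "capabilities": sorted(caps),
            "ioc_package": package in IOC_PACKAGES, "verdict": verdict}

# Constructed sample: a plain VPN client declaring only what a VPN needs.
BENIGN_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample modelled on the report's capability list, not a real sample's manifest.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""
```

Run `assess(package, manifest_xml, apk_bytes)` on a manifest decoded with a tool such as apktool and the raw APK bytes; the hash check catches the ten known builds outright, while the capability score flags an unknown rebuild that keeps the same permission footprint. The package-name flag is reported separately on purpose: the legitimate SoftVPN and OpenVPN apps carry those names too, so it is context for an analyst, not a verdict.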
The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past. Further, the spyware code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated in a local database before sending it to the operators' server, a tactic rarely seen in mobile cyberespionage apps.
It appears that this campaign has maintained a low profile, as we see no instances in our telemetry data. This is probably achieved through highly targeted distribution, where together with a link to the Bahamut spyware, the potential victim is supplied an activation key, which is required to enable the malware's spying functionality.
| SHA-1 | Package name | ESET detection name | Description |
|---|---|---|---|
| 3144B187EDF4309263FF0BCFD02C6542704145B1 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
| 2FBDC11613A065AFBBF36A66E8F17C0D802F8347 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
| 2E40F7FD49FA8538879F90A85300247FBF2F8F67 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
| 1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
| 976CC12B71805F4E8E49DCA232E95E00432C1778 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
| B54FFF5A7F0A279040A4499D5AABCE41EA1840FB | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
| C74B006BADBB3844843609DD5811AB2CEF16D63B | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
| 4F05482E93825E6A40AF3DFE45F6226A044D8635 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
| 79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
| 7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
| IP | Domain | First seen | Details |
|---|---|---|---|
| 172.67.185[.]54 | thesecurevpn[.]com | 2022-02-23 | Distribution website |
MITRE ATT&CK techniques
This table was built using version 11 of the ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1398 | Boot or Logon Initialization Scripts | Bahamut spyware receives the BOOT_COMPLETED broadcast intent to activate at device startup. |
| Persistence | T1624 | Event Triggered Execution | Bahamut spyware uses Observers to learn about changes in SMS, contacts, and calls. |
| Defense Evasion | T1627 | Execution Guardrails | Bahamut spyware won't run unless a valid activation key is provided at app startup. |
| Discovery | T1420 | File and Directory Discovery | Bahamut spyware can list available files on external storage. |
| Discovery | T1418 | Software Discovery | Bahamut spyware can obtain a list of installed applications. |
| Discovery | T1426 | System Information Discovery | Bahamut spyware can extract information about the device including type of internet connection, IMEI, IP address, and SIM serial number. |
| Collection | T1417.001 | Input Capture: Keylogging | Bahamut spyware logs keystrokes in chat messages and call information from targeted apps. |
| Collection | T1430 | Location Tracking | Bahamut spyware tracks device location. |
| Collection | T1429 | Audio Capture | Bahamut spyware can record phone calls. |
| Collection | T1532 | Archive Collected Data | Bahamut spyware stores collected data in a database prior to exfiltration. |
| Collection | T1636.002 | Protected User Data: Call Logs | Bahamut spyware can extract call logs. |
| Collection | T1636.003 | Protected User Data: Contact List | Bahamut spyware can extract the contact list. |
| Collection | T1636.004 | Protected User Data: SMS Messages | Bahamut spyware can extract SMS messages. |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Bahamut spyware uses HTTPS to communicate with its C&C server. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Bahamut spyware exfiltrates stolen data over its C&C channel. |