Effective URL: https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
BAHAMUT CYBERMERCENARY GROUP TARGETS ANDROID USERS WITH FAKE VPN APPS

Malicious apps used in this active campaign exfiltrate contacts, SMS messages,
recorded phone calls, and even chat messages from apps such as Signal, Viber,
and Telegram
Lukas Stefanko
23 Nov 2022 - 11:30AM

ESET researchers have identified an active campaign targeting Android users,
conducted by the Bahamut APT group. This campaign has been active since January
2022 and malicious apps are distributed through a fake SecureVPN website that
provides only Android apps to download. Note that although the malware employed
throughout this campaign uses the name SecureVPN, it has no association
whatsoever with the legitimate, multiplatform SecureVPN software and service.

Key points of this blogpost:

 * The app used has at different times been a trojanized version of one of two
   legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with
   Bahamut spyware code that the Bahamut group has used in the past.
 * We were able to identify at least eight versions of these maliciously patched
   apps with code changes and updates being made available through the
   distribution website, which might mean that the campaign is well maintained.
 * The main purpose of the app modifications is to extract sensitive user data
   and actively spy on victims’ messaging apps.
 * We believe that targets are carefully chosen, since once the Bahamut spyware
   is launched, it requests an activation key before the VPN and spyware
   functionality can be enabled. Both the activation key and website link are
   likely sent to targeted users.
 * We do not know the initial distribution vector (email, social media,
   messaging apps, SMS, etc.).

ESET researchers discovered at least eight versions of the Bahamut spyware. The
malware is distributed through a fake SecureVPN website as trojanized versions
of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never
available for download from Google Play.

The malware is able to exfiltrate sensitive data such as contacts, SMS messages,
call logs, device location, and recorded phone calls. It can also actively spy
on chat messages exchanged through very popular messaging apps including Signal,
Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done
via the keylogging functionality of the malware, which misuses accessibility
services. The campaign appears to be highly targeted, as we see no instances in
our telemetry data.


BAHAMUT OVERVIEW

The Bahamut APT group typically targets entities and individuals in the Middle
East and South Asia with spearphishing messages and fake applications as the
initial attack vector. Bahamut specializes in cyberespionage, and we believe
that its goal is to steal sensitive information from its victims. Bahamut is
also referred to as a mercenary group offering hack-for-hire services to a wide
range of clients. The name was given to this threat actor, which appears to be a
master in phishing, by the Bellingcat investigative journalism group. Bellingcat
named the group after the enormous fish floating in the vast Arabian Sea
mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut
is frequently described in Arabic mythology as an unimaginably enormous fish.

The group has been the subject of several publications in recent years,
including:

 * 2017 – Bellingcat [1][2]
 * 2018 – Talos [1][2]
 * 2018 – Trend Micro
 * 2020 – BlackBerry [pdf]
 * 2020 – SonicWall
 * 2021 – 打假的Hunter
 * 2021 – Cyble
 * 2022 – CoreSec360
 * 2022 – Cyble


DISTRIBUTION

The initial fake SecureVPN app we analyzed was uploaded to VirusTotal on
2022-03-17, from an IP address that geolocates to Singapore, along with a link
to a fake website that triggered one of our YARA rules.

At the same time, we were notified on Twitter via DM from @malwrhunterteam about
the same sample.

The malicious Android application used in this campaign was delivered via the
website thesecurevpn[.]com (see Figure 1), which uses the name – but none of the
content or styling – of the legitimate SecureVPN service (at the domain
securevpn.com).

Figure 1. Fake SecureVPN website provides a trojanized app to download

This fake SecureVPN website was created based on a free web template (see Figure
2), which was most likely used by the threat actor as an inspiration, since it
required only small changes and looks trustworthy.

Figure 2. Free website template used to create the distribution website for the
fake VPN app

thesecurevpn[.]com was registered on 2022-01-27; however, the time of initial
distribution of the fake SecureVPN app is unknown. The malicious app is provided
directly from the website and has never been available at the Google Play store.
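The distribution domain reuses the name of the legitimate service inside a different registrable domain (thesecurevpn[.]com versus securevpn.com). The following is an added example, not code from the ESET article, of the lookalike check a defender can run against new domain registrations or proxy logs. The brand list and the sample hostnames are constructed for illustration (only securevpn.com and thesecurevpn[.]com come from the article), and the registrable domain is approximated as the last two DNS labels rather than resolved through the Public Suffix List.

```python
"""Flag hostnames that impersonate a legitimate brand domain.

Added example, not code from the ESET article. Registrable domains are
approximated as the last two labels (no Public Suffix List lookup).
"""
from typing import Optional, Tuple

# Legitimate domain -> brand label. Constructed list; only securevpn.com
# is named in the article.
BRANDS = {"securevpn.com": "SecureVPN"}


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in threat reports."""
    return indicator.replace("[.]", ".")


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two DNS labels."""
    labels = refang(hostname).lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike(hostname: str, brands=BRANDS) -> Optional[Tuple[str, str]]:
    """Return (legitimate domain, reason) when hostname impersonates a brand.

    The legitimate domain itself, and any subdomain of it, returns None.
    """
    reg = registrable_domain(hostname)
    if reg in brands:
        return None
    label, _, tld = reg.partition(".")
    for legit in brands:
        legit_label, _, legit_tld = legit.partition(".")
        if label == legit_label and tld != legit_tld:
            return legit, "same label under a different TLD"
        if legit_label in label and label != legit_label:
            return legit, f"label '{label}' embeds brand label '{legit_label}'"
    return None


def triage(hostnames):
    """Map each hostname to its lookalike verdict; None means no brand match."""
    return {h: brand_lookalike(h) for h in hostnames}


# Constructed sample: the defanged distribution domain from the article
# plus benign and near-miss hosts.
SAMPLE_HOSTS = ["thesecurevpn[.]com", "www.securevpn.com", "securevpn.net", "example.org"]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(host, "->", verdict or "no brand match")
```

The check is deliberately coarse: it catches prefix/suffix padding (the/secure/vpn-style names) and TLD swaps, but not homoglyphs or transpositions, which need an edit-distance comparison on top.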


ATTRIBUTION

Malicious code in the fake SecureVPN sample was seen in the SecureChat campaign
documented by Cyble and CoreSec360. We have seen this code being used only in
campaigns conducted by Bahamut; similarities to those campaigns include storing
sensitive information in a local database before uploading it to the C&C server.
The amount of data stored in these databases probably depends on the campaign.
In Figure 3 you can see malicious package classes from this variant compared to
a previous sample of Bahamut code.

Figure 3. Class name comparison between the earlier malicious SecureChat package
(left) and fake SecureVPN package (right)

Comparing Figure 4 and Figure 5, you can see the similarities in SQL queries in
the earlier SecureChat malware, attributed to Bahamut, and the fake SecureVPN
malware.

Figure 4. The SQL queries used in malicious code from the earlier SecureChat
campaign

Figure 5. The SQL queries used in malicious code in the fake SecureVPN campaign

As such, we believe that the fake SecureVPN application is linked to the Bahamut
group.


ANALYSIS

Since the distribution website went online, at least eight versions of the
Bahamut spyware have been available for download. The threat actor named each
version with the fake application name followed by a version number. We were
able to pull the following versions from the server: secureVPN_104.apk,
SecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk,
SecureVPN_109.apk, SecureVPN_1010.apk, and secureVPN_1010b.apk. We believe the
version with the lowest suffix was provided to potential victims earliest, and
that the higher version numbers have been used more recently.

We divide these versions into two branches, since Bahamut’s malicious code was
placed into two different legitimate VPN apps.

In the first branch, from version secureVPN_104 until secureVPN_108, malicious
code was inserted into the legitimate SoftVPN application that can be found on
Google Play and uses the unique package name com.secure.vpn. This package name
is also visible in the PARENT_APPLICATION_ID value in the version information
found in the decompiled source code of the first fake SecureVPN app branch, as
seen in Figure 6.

Figure 6. Fake SecureVPN v1.0.4 with malicious code included into SoftVPN as
parent application

In the second branch, from version secureVPN_109 until secureVPN_1010b,
malicious code was inserted into the legitimate open-source application OpenVPN,
which is available on Google Play, and that uses the unique package name
com.openvpn.secure. As with the trojanized SoftVPN branch, the original app’s
package name is also visible in the fake SecureVPN app’s version information,
found in the decompiled source code, as seen in Figure 7.

Figure 7. Fake SecureVPN v1.0.9 (SecureVPN_109) with malicious code included
into OpenVPN as its parent application even though the hardcoded VERSION_NAME
(1.0.0) wasn’t changed between versions

Besides the split into these two branches, where the same malicious code is
implanted into two different VPN apps, the other fake SecureVPN version updates
contained only minor code changes or fixes, with nothing significant in terms of
overall functionality.

The reason why the threat actor switched from patching SoftVPN to OpenVPN as its
parent app is not clear; however, we suspect that the reason might be that the
legitimate SoftVPN app stopped working or being maintained and was no longer
able to create VPN connections – as confirmed by our testing of the latest
SoftVPN app from Google Play. This could be a reason for Bahamut to switch to
using OpenVPN, since potential victims might uninstall a non-working VPN app
from their devices. Changing one parent app to another likely required more
time, resources, and effort to successfully implement by the threat actor.

Malicious code packaged with the OpenVPN app was implemented a layer above the
VPN code. That malicious code implements spyware functionality that requests an
activation key and then checks the supplied key against the attacker’s C&C
server. If the key is successfully entered, the server will return a token that
is necessary for successful communication between the Bahamut spyware and its
C&C server. If the key is not correct, neither Bahamut spyware nor VPN
functionality will be enabled. Unfortunately, without the activation key,
dynamic malware analysis sandboxes might not flag it as a malicious app.

In Figure 8 you can see an initial activation key request and in Figure 9 the
network traffic behind such a request and the response from the C&C server.

Figure 8. Fake SecureVPN requests activation key before enabling VPN and spyware
functions

Figure 9. Fake SecureVPN activation request and its C&C server’s response

The campaigns using the fake SecureVPN app try to keep a low profile, since the
website URL is most likely delivered to potential victims with an activation
key, which is not provided on the website. Unfortunately, we were not able to
obtain a working key.

The activation key layer does not belong to the original OpenVPN functionality,
and we do not recognize it as code from any other legitimate app. We believe it
was developed by Bahamut, since it also communicates with their C&C server.

Implementing a layer to protect a payload from being triggered right after
launch on a non-targeted user device or when being analyzed is not a unique
feature. We already saw similar protection being used in another campaign by the
Bahamut group implemented in the SecureChat app analyzed by CoreSec360. That
required extra effort by the victim, who had to create an account and log into
it, which then enabled the Bahamut spyware functionality. We have also observed
comparable protection being used by APT-C-23, where the potential victim needs a
valid Coupon Code to download the malicious app.


FUNCTIONALITY

If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut
operators and can exfiltrate various sensitive device data such as:

 * contacts,
 * SMS messages,
 * call logs,
 * a list of installed apps,
 * device location,
 * device accounts,
 * device info (type of internet connection, IMEI, IP, SIM serial number),
 * recorded phone calls, and
 * a list of files on external storage.

By misusing accessibility services, as seen in Figure 10, the malware can steal
notes from the SafeNotes application and actively spy on chat messages and
information about calls from popular messaging apps such as:

 * imo-International Calls & Chat,
 * Facebook Messenger,
 * Viber,
 * Signal Private Messenger,
 * WhatsApp,
 * Telegram,
 * WeChat, and
 * Conion apps.

Figure 10. Fake SecureVPN request to manually enable Accessibility services

All exfiltrated data is stored in a local database and then sent to the C&C
server. The Bahamut spyware functionality includes the ability to update the app
by receiving a link to a new version from the C&C server.
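The spyware's chat-message collection depends on the user turning on its accessibility service (Figure 10). A VPN client has no legitimate need for accessibility access, so an enabled service from a VPN package is a strong signal during device triage. The following is an added example, not code from the ESET article, that parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/class component names) and reports services whose package is not on an allowlist. The sample setting value, the allowlist and the class name `.ExampleService` are constructed; only the package name com.secure.vpn comes from the article.

```python
"""Audit Android's enabled accessibility services for unexpected entries.

Added example, not code from the ESET article. Input is the value of the
secure setting 'enabled_accessibility_services'.
"""
from typing import List, NamedTuple


class AccessibilityService(NamedTuple):
    package: str
    component: str  # fully qualified package/class


def parse_enabled_services(setting_value: str) -> List[AccessibilityService]:
    """Parse the colon-separated setting value into service entries.

    Handles the literal 'null' an unset setting prints and Android's
    shorthand where a class starting with '.' is relative to the package.
    """
    services = []
    for entry in setting_value.strip().split(":"):
        entry = entry.strip()
        if not entry or entry == "null":
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not cls:
            continue  # malformed entry: skip rather than guess
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, f"{package}/{cls}"))
    return services


def find_unexpected(setting_value: str, allowed_packages) -> List[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist."""
    allowed = set(allowed_packages)
    return [s for s in parse_enabled_services(setting_value) if s.package not in allowed]


# Constructed allowlist: a stock screen reader is a typical legitimate entry.
ALLOWED_PACKAGES = ["com.google.android.marvin.talkback"]

# Constructed sample value; '.ExampleService' is a placeholder class name,
# the package com.secure.vpn is the trojanized SoftVPN package from the article.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.secure.vpn/.ExampleService"
)

if __name__ == "__main__":
    for svc in find_unexpected(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print("unexpected accessibility service:", svc.component)
```

In a fleet setting the allowlist would come from the MDM's approved-app inventory; anything outside it, and in particular any service whose package also appears in the IoC tables below, warrants pulling the APK for hash comparison.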


CONCLUSION

The mobile campaign operated by the Bahamut APT group is still active; it uses
the same method of distributing its Android spyware apps via websites that
impersonate or masquerade as legitimate services, as has been seen in the past.
Further, the spyware code, and hence its functionality, is the same as in
previous campaigns, including collecting data to be exfiltrated in a local
database before sending it to the operators’ server, a tactic rarely seen in
mobile cyberespionage apps.

It appears that this campaign has maintained a low profile, as we see no
instances in our telemetry data. This is probably achieved through highly
targeted distribution, where along with a link to the Bahamut spyware, the
potential victim is supplied an activation key, which is required to enable the
malware’s spying functionality.


IOCS


FILES

SHA-1 | Package name | ESET detection name | Description
3144B187EDF4309263FF0BCFD02C6542704145B1 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code.
2FBDC11613A065AFBBF36A66E8F17C0D802F8347 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code.
2E40F7FD49FA8538879F90A85300247FBF2F8F67 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code.
1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code.
976CC12B71805F4E8E49DCA232E95E00432C1778 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code.
B54FFF5A7F0A279040A4499D5AABCE41EA1840FB | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code.
C74B006BADBB3844843609DD5811AB2CEF16D63B | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code.
4F05482E93825E6A40AF3DFE45F6226A044D8635 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code.
79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code.
7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code.


NETWORK

IP | Domain | First seen | Details
104.21.10[.]79 | ft8hua063okwfdcu21pw[.]de | 2022-03-20 | C&C server
172.67.185[.]54 | thesecurevpn[.]com | 2022-02-23 | Distribution website
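The indicators above are most useful when they can be matched mechanically against APK hashes and DNS or proxy records. The following is an added example, not code from the ESET article, that loads the file and network IoCs from the two tables, sanity-checks the hash values, refangs the `[.]` notation, and scans a set of log lines for hits. The indicator values are copied from the tables; the hashing helper, the log format and the sample log lines are constructed for illustration.

```python
"""Match file hashes and network observations against the article's IoCs.

Added example, not code from the ESET article. Indicator values come
from the FILES and NETWORK tables; everything else is constructed.
"""
import hashlib
import re
from typing import Dict, List, Optional

# SHA-1 -> (package name, description), copied from the FILES table.
FILE_IOCS: Dict[str, tuple] = {
    "3144B187EDF4309263FF0BCFD02C6542704145B1": ("com.openvpn.secure", "OpenVPN app repackaged with Bahamut spyware code"),
    "2FBDC11613A065AFBBF36A66E8F17C0D802F8347": ("com.openvpn.secure", "OpenVPN app repackaged with Bahamut spyware code"),
    "2E40F7FD49FA8538879F90A85300247FBF2F8F67": ("com.secure.vpn", "SoftVPN app repackaged with Bahamut spyware code"),
    "1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229": ("com.secure.vpn", "SoftVPN app repackaged with Bahamut spyware code"),
    "976CC12B71805F4E8E49DCA232E95E00432C1778": ("com.secure.vpn", "SoftVPN app repackaged with Bahamut spyware code"),
    "B54FFF5A7F0A279040A4499D5AABCE41EA1840FB": ("com.secure.vpn", "SoftVPN app repackaged with Bahamut spyware code"),
    "C74B006BADBB3844843609DD5811AB2CEF16D63B": ("com.secure.vpn", "SoftVPN app repackaged with Bahamut spyware code"),
    "4F05482E93825E6A40AF3DFE45F6226A044D8635": ("com.openvpn.secure", "OpenVPN app repackaged with Bahamut spyware code"),
    "79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF": ("com.openvpn.secure", "OpenVPN app repackaged with Bahamut spyware code"),
    "7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6": ("com.openvpn.secure", "OpenVPN app repackaged with Bahamut spyware code"),
}

# Defanged network indicators, copied from the NETWORK table.
NETWORK_IOCS = [
    {"ip": "104.21.10[.]79", "domain": "ft8hua063okwfdcu21pw[.]de", "details": "C&C server"},
    {"ip": "172.67.185[.]54", "domain": "thesecurevpn[.]com", "details": "Distribution website"},
]

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the tables."""
    return indicator.replace("[.]", ".")


def validate_iocs() -> bool:
    """Every key in FILE_IOCS must be a 40-hex-character SHA-1."""
    return all(SHA1_RE.match(h) for h in FILE_IOCS)


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA-1 of a byte string (e.g. an APK read from disk)."""
    return hashlib.sha1(data).hexdigest().upper()


def match_file_hash(digest: str) -> Optional[dict]:
    """Look up a SHA-1 in any letter case; return the IoC row or None."""
    row = FILE_IOCS.get(digest.upper())
    if row is None:
        return None
    package, description = row
    return {"sha1": digest.upper(), "package": package, "description": description}


def network_index() -> Dict[str, dict]:
    """Index NETWORK_IOCS by refanged IP and by refanged domain."""
    index = {}
    for row in NETWORK_IOCS:
        for key in ("ip", "domain"):
            index[refang(row[key])] = row
    return index


def match_network(observation: str) -> Optional[dict]:
    """Match a hostname or IP (defanged or not, any case) against the index."""
    return network_index().get(refang(observation).lower().rstrip("."))


def scan_dns_log(lines: List[str]) -> List[dict]:
    """Scan constructed 'timestamp client query name' lines for IoC hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        row = match_network(parts[-1])
        if row:
            hits.append({"line": line, "domain": refang(row["domain"]), "details": row["details"]})
    return hits


# Constructed sample log; timestamps and client addresses are made up.
SAMPLE_DNS_LOG = [
    "2022-03-20T10:00:01Z 10.0.0.7 query ft8hua063okwfdcu21pw.de",
    "2022-03-20T10:00:05Z 10.0.0.7 query www.example.com",
    "2022-03-21T08:15:00Z 10.0.0.9 query thesecurevpn.com.",
]

if __name__ == "__main__":
    print("IoC table valid:", validate_iocs())
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit["details"], "<-", hit["line"])
```

Both IPs in the network table fall in Cloudflare ranges, so an IP-only match is weak evidence on its own; treat the domain hits as the primary signal and the IP column as corroboration.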


MITRE ATT&CK TECHNIQUES

This table was built using version 11 of the ATT&CK framework.

Tactic | ID | Name | Description
Persistence | T1398 | Boot or Logon Initialization Scripts | Bahamut spyware receives the BOOT_COMPLETED broadcast intent to activate at device startup.
Persistence | T1624 | Event Triggered Execution | Bahamut spyware uses Observers to be informed about changes in SMS, contacts, and calls.
Defense Evasion | T1627 | Execution Guardrails | Bahamut spyware won’t run unless a valid activation key is provided at app startup.
Discovery | T1420 | File and Directory Discovery | Bahamut spyware can list available files on external storage.
Discovery | T1418 | Software Discovery | Bahamut spyware can obtain a list of installed applications.
Discovery | T1426 | System Information Discovery | Bahamut spyware can extract information about the device including type of internet connection, IMEI, IP address, and SIM serial number.
Collection | T1417.001 | Input Capture: Keylogging | Bahamut spyware logs keystrokes in chat messages and call information from targeted apps.
Collection | T1430 | Location Tracking | Bahamut spyware tracks device location.
Collection | T1429 | Audio Capture | Bahamut spyware can record phone calls.
Collection | T1532 | Archive Collected Data | Bahamut spyware stores collected data in a database prior to exfiltration.
Collection | T1636.002 | Protected User Data: Call Logs | Bahamut spyware can extract call logs.
Collection | T1636.003 | Protected User Data: Contact List | Bahamut spyware can extract the contact list.
Collection | T1636.004 | Protected User Data: SMS Messages | Bahamut spyware can extract SMS messages.
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Bahamut spyware uses HTTPS to communicate with its C&C server.
Exfiltration | T1646 | Exfiltration Over C2 Channel | Bahamut spyware exfiltrates stolen data over its C&C channel.



