The Bahamut group was found targeting Android users in a campaign active since January this year. Malicious apps were sent to unsuspecting users looking for VPN websites. The group imitated legitimate apps such as SecureVPN.
The hacker collective transfers sensitive user data in this scam, including call logs, recorded phone calls, contacts, SMS messages, and location. And also imitates messaging apps such as WhatsApp, Facebook Messenger, Viber, Signal, imo-international calls and chat, Conion, and Telegram on Android devices. Moreover, this spyware can also actively spy on chat, a ESET researchers reported.
Researchers confirmed that these malicious VPN apps didn’t appear on Google Play for downloads. However, they found nearly eight versions of the spyware available on a fake SecureVPN website. The fake websites distribute trojanized versions of otherwise legitimate apps called SoftVPN and OpenVPN.
The spyware posing as VPN apps exfiltrate system data using the keylogging functionality, which records a user’s key as they type to know their login credentials. The malware is enabled with this feature, also called keystroke logging or keyboard capturing. Some anti-virus applications can detect having a keylogger on their device; however, it has to be active and not disabled by the user.
Details of samples collected in the SoftVPN and OpenVPN scam
One of the sample IP addresses associated with the cyberattacks was geolocated to Singapore. The website that offered the malicious app was thesecurevpn[.]com. The spoofed SecureVPN website was made to resemble the original using free web templates and required minor edits before publishing. Cyble research noted similarities in the SecureVPN sample and the samples from the SecureChat campaign because of the similarity in coding, storing sensitive data in local databases, and similarities in SQL queries. The SecureChat campaign also involved spying and stealing sensitive data from Android devices.
Some of the servers the researchers could fetch are as follows:
- secureVPN_104.apk,
- SecureVPN_105.apk,
- SecureVPN_106.apk,
- SecureVPN_107.apk,
- SecureVPN_108.apk,
- SecureVPN_109.apk,
- SecureVPN_1010.apk, and
- secureVPN_1010b.apk
Bahamut group and fake VPN apps
According to ESET researchers, the Bahamut group stopped patching legitimate SoftVPN and OpenVPN apps with malicious codes and switched to their spoofed versions because the original ones stopped responding in an intended way.
The Bahamut group has been in cybersecurity news since 2017, when it was spotted and named by internet surveillance researcher Collin Anderson. In October 2017, this group conducted cyber espionage in the Middle East and South Asia. Cyble research noted the more recent phishing activities in June 2022, wherein a new variant of Bahamut Android malware was used for phishing.
It was done by creating masked phishing sites for downloading messaging applications. Cyble researchers noted that the phishing sites looked well-designed and professionally made, making it easier to win users’ trust. Since the cyberespionage group is mainly known for launching spear phishing messages, it can be concluded that they research their target to lure them with fake apps.
This group also acts as a mercenary, as it offers hack-for-hire services to cybercriminals for help with hacking. The name Bahamut comes from the enormous fish in the Arabian Sea, as depicted in the Book of Imaginary Beings by Jorge Luis Borges.