ESET researchers discovered at least eight versions of the Bahamut spyware. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. Bahamut specializes in cyberespionage, and we believe that its goal is to steal sensitive information from its victims. The Bahamut APT group typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial attack vector.

The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps, SoftVPN and OpenVPN. The app used has at different times been a trojanized version of one of these two legitimate VPN apps, repackaged with spyware code that the Bahamut group has used in the past. These malicious apps were never available for download from Google Play. We do not know the initial distribution vector (email, social media, messaging apps, SMS, etc.); both the activation key and the website link are likely sent to targeted users. We believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. The campaign appears to be highly targeted, as we see no instances in our telemetry data.

The main purpose of the app modifications is to extract sensitive user data and actively spy on victims' messaging apps. The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; this data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. We were able to identify at least eight versions of these maliciously patched apps, with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.