ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download. Note that although the malware employed throughout this campaign uses the name SecureVPN, it has no association whatsoever with the legitimate, multiplatform SecureVPN software and service.
Key points of this blogpost:
- The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code that the Bahamut group has used in the past.
- We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.
- The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps.
- We believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
- We do not know the initial distribution vector (email, social media, messaging apps, SMS, etc.).
ESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never available for download from Google Play.
The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data.
Bahamut overview
The Bahamut APT group typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial attack vector. Bahamut specializes in cyberespionage, and we believe that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.
The group has been the subject of several publications in recent years, including:
- 2017 – Bellingcat [1][2]
- 2018 – Talos [1][2]
- 2018 – Trend Micro
- 2020 – BlackBerry [pdf]
- 2020 – SonicWall
- 2021 – 打假的Hunter
- 2021 – Cyble
- 2022 – CoreSec360
- 2022 – Cyble
Distribution
The initial fake SecureVPN app we analyzed was uploaded to VirusTotal on 2022-03-17, from an IP address that geolocates to Singapore, along with a link to a fake website that triggered one of our YARA rules.
At the same time, we were notified on Twitter via DM from @malwrhunterteam about the same sample.
The malicious Android application used in this campaign was delivered via the website thesecurevpn[.]com (see Figure 1), which uses the name – but none of the content or styling – of the legitimate SecureVPN service (at the domain securevpn.com).
This fake SecureVPN website was created based on a free web template (see Figure 2), which was most likely used by the threat actor as an inspiration, since it required only small changes and looks trustworthy.
thesecurevpn[.]com was registered on 2022-01-27; however, the time of initial distribution of the fake SecureVPN app is unknown. The malicious app is provided directly from the website and has never been available at the Google Play store.
Attribution
Malicious code in the fake SecureVPN sample was seen in the SecureChat campaign documented by Cyble and CoreSec360. We have seen this code being used only in campaigns conducted by Bahamut; similarities to those campaigns include storing sensitive information in a local database before uploading it to the C&C server. The amount of data stored in these databases probably depends on the campaign. In Figure 3 you can see malicious package classes from this variant compared to a previous sample of Bahamut code.
Comparing Figure 4 and Figure 5, you can see the similarities in SQL queries in the earlier SecureChat malware, attributed to Bahamut, and the fake SecureVPN malware.
As such, we believe that the fake SecureVPN application is linked to the Bahamut group.
Analysis
Since the distribution website has been online, there have been at least eight versions of the Bahamut spyware available for download. These versions were created by the threat actor, where the fake application name was followed by the version number. We were able to pull the following versions from the server, where we believe the version with the lowest version suffix was provided to potential victims in the past, while more recently higher version numbers (secureVPN_104.apk, SecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk, SecureVPN_109.apk, SecureVPN_1010.apk, secureVPN_1010b.apk) have been used.
We divide these versions into two branches, since Bahamut’s malicious code was placed into two different legitimate VPN apps.
In the first branch, from version secureVPN_104 until secureVPN_108, malicious code was inserted into the legitimate SoftVPN application that can be found on Google Play and uses the unique package name com.secure.vpn. This package name is also visible in the PARENT_APPLICATION_ID value in the version information found in the decompiled source code of the first fake SecureVPN app branch, as seen in Figure 6.
In the second branch, from version secureVPN_109 until secureVPN_1010b, malicious code was inserted into the legitimate open-source application OpenVPN, which is available on Google Play, and that uses the unique package name com.openvpn.secure. As with the trojanized SoftVPN branch, the original app’s package name is also visible in the fake SecureVPN app’s version information, found in the decompiled source code, as seen in Figure 7.
Besides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality.
The reason why the threat actor switched from patching SoftVPN to OpenVPN as its parent app is not clear; however, we suspect that the reason might be that the legitimate SoftVPN app stopped working or being maintained and was no longer able to create VPN connections – as confirmed by our testing of the latest SoftVPN app from Google Play. This could be a reason for Bahamut to switch to using OpenVPN, since potential victims might uninstall a non-working VPN app from their devices. Changing one parent app to another likely required more time, resources, and effort to successfully implement by the threat actor.
Malicious code packaged with the OpenVPN app was implemented a layer above the VPN code. That malicious code implements spyware functionality that requests an activation key and then checks the supplied key against the attacker’s C&C server. If the key is successfully entered, the server will return a token that is necessary for successful communication between the Bahamut spyware and its C&C server. If the key is not correct, neither Bahamut spyware nor VPN functionality will be enabled. Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app.
In Figure 8 you can see an initial activation key request and in Figure 9 the network traffic behind such a request and the response from the C&C server.
The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website. Unfortunately, we were not able to obtain a working key.
The activation key layer does not belong to the original OpenVPN functionality, and we do not recognize it as code from any other legitimate app. We believe it was developed by Bahamut, since it also communicates with their C&C server.
Implementing a layer to protect a payload from being triggered right after launch on a non-targeted user device or when being analyzed is not a unique feature. We already saw similar protection being used in another campaign by the Bahamut group implemented in the SecureChat app analyzed by CoreSec360. That required extra effort by the victim, who had to create an account and log into it, which then enabled the Bahamut spyware functionality. We have also observed comparable protection being used by APT-C-23, where the potential victim needs a valid Coupon Code to download the malicious app.
Functionality
If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data such as:
- contacts,
- SMS messages,
- call logs,
- a list of installed apps,
- device location,
- device accounts,
- device info (type of internet connection, IMEI, IP, SIM serial number),
- recorded phone calls, and
- a list of files on external storage.
By misusing accessibility services, as seen in Figure 10, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as:
- imo-International Calls & Chat,
- Facebook Messenger,
- Viber,
- Signal Private Messenger,
- WhatsApp,
- Telegram,
- WeChat, and
- Conion apps.
All exfiltrated data is stored in a local database and then sent to the C&C server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.
Conclusion
The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past. Further, the spyware code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated in a local database before sending it to the operators’ server, a tactic rarely seen in mobile cyberespionage apps.
It appears that this campaign has maintained a low profile, as we see no instances in our telemetry data. This is probably achieved through highly targeted distribution, where along with a link to the Bahamut spyware, the potential victim is supplied an activation key, which is required to enable the malware’s spying functionality.
IoCs
Files
SHA-1 | Package name | ESET detection name | Description |
---|---|---|---|
3144B187EDF4309263FF0BCFD02C6542704145B1 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
2FBDC11613A065AFBBF36A66E8F17C0D802F8347 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
2E40F7FD49FA8538879F90A85300247FBF2F8F67 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
976CC12B71805F4E8E49DCA232E95E00432C1778 | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
B54FFF5A7F0A279040A4499D5AABCE41EA1840FB | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
C74B006BADBB3844843609DD5811AB2CEF16D63B | com.secure.vpn | Android/Spy.Bahamut.M | SoftVPN app repackaged with Bahamut spyware code. |
4F05482E93825E6A40AF3DFE45F6226A044D8635 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6 | com.openvpn.secure | Android/Spy.Bahamut.M | OpenVPN app repackaged with Bahamut spyware code. |
Network
IP | Domain | First seen | Details |
---|---|---|---|
104.21.10[.]79 | ft8hua063okwfdcu21pw[.]de | 2022-03-20 | C&C server |
172.67.185[.]54 | thesecurevpn[.]com | 2022-02-23 | Distribution website |
MITRE ATT&CK techniques
This table was built using version 11 of the ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Persistence | T1398 | Boot or Logon Initialization Scripts | Bahamut spyware receives the BOOT_COMPLETED broadcast intent to activate at device startup. |
T1624 | Event Triggered Execution | Bahamut spyware uses Observers to be informed about changes in SMS, contacts, and calls. | |
Defense Evasion | T1627 | Execution Guardrails | Bahamut spyware won’t run unless a valid activation key is provided at app startup. |
Discovery | T1420 | File and Directory Discovery | Bahamut spyware can list available files on external storage. |
T1418 | Software Discovery | Bahamut spyware can obtain a list of installed applications. | |
T1426 | System Information Discovery | Bahamut spyware can extract information about the device including type of internet connection, IMEI, IP address, and SIM serial number. | |
Collection | T1417.001 | Input Capture: Keylogging | Bahamut spyware logs keystrokes in chat messages and call information from targeted apps. |
T1430 | Location Tracking | Bahamut spyware tracks device location. | |
T1429 | Audio Capture | Bahamut spyware can record phone calls. | |
T1532 | Archive Collected Data | Bahamut spyware stores collected data in a database prior to exfiltration. | |
T1636.002 | Protected User Data: Call Logs | Bahamut spyware can extract call logs. | |
T1636.003 | Protected User Data: Contact List | Bahamut spyware can extract the contact list. | |
T1636.004 | Protected User Data: SMS Messages | Bahamut spyware can extract SMS messages. | |
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Bahamut spyware uses HTTPS to communicate with its C&C server. |
Exfiltration | T1646 | Exfiltration Over C2 Channel | Bahamut spyware exfiltrates stolen data over its C&C channel. |