
Bahamut Group Creates Fake VPN Apps For Highly Targeted Attacks

The cyber mercenary group Bahamut is running an active campaign against Android users, distributing trojanized apps through a fake SecureVPN website that offers nothing but Android app downloads.

About the campaign

ESET researchers discovered at least eight versions of malicious apps that had been repackaged with Bahamut spyware code. The initial distribution vector, that is, how victims are led to the download site, is unknown.
  • Since January, these apps have been distributed through a fake SecureVPN website; they have never been available on the Google Play Store.
  • Bahamut inserted its malicious code into two different legitimate VPN apps, SoftVPN and OpenVPN. The fake SecureVPN app asks for an activation key before it enables either the VPN or the spyware functionality, so a dynamic analysis sandbox that never supplies a valid key observes no malicious behavior and does not flag the app.
  • The group moved from SoftVPN to OpenVPN after SoftVPN stopped being maintained and could no longer establish VPN connections. The actor made sure the apps keep providing working VPN functionality while exfiltrating data from the victim’s device.

Motive 

The code of these apps has been modified to extract sensitive user data and to actively spy on victims’ messaging apps. Bahamut abuses Android accessibility services, which it uses for keylogging, to capture the data it exfiltrates.
  • The exfiltrated data includes contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info, recorded phone calls, and a list of files on external storage.
  • It can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as Signal, Viber, WhatsApp, Telegram, and Facebook Messenger.
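Because the activation-key gate keeps a sandbox from ever seeing the spyware run, a static look at what the package declares is a useful first triage step: a VPN client has a reason to declare a VPN service, but no reason to also host an accessibility service and request SMS, call-log, contact and microphone permissions. The following script is an added example and not code from ESET or from the article; it assumes a decoded AndroidManifest.xml (for instance as produced by apktool), and both manifests, including the package names, are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the fake-VPN profile:
a VPN service plus an accessibility service plus data-collection permissions.
Added example; the manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_SERVICE_PERM = "android.permission.BIND_VPN_SERVICE"
A11Y_SERVICE_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Data the article says the spyware collects, mapped to the manifest
# permission that would normally be needed to collect it.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "recorded phone calls",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.READ_EXTERNAL_STORAGE": "files on external storage",
}


def _attr(element, name):
    """Read an android:-namespaced attribute (e.g. android:name)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml: str) -> dict:
    """Return what the manifest declares and whether the combination is suspicious."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    service_perms = {_attr(s, "permission") for s in root.iter("service")}
    intent_actions = {_attr(a, "name") for a in root.iter("action")}

    has_vpn = VPN_SERVICE_PERM in service_perms
    # An accessibility service is identified by its bind permission or,
    # failing that, by the intent action it must register for.
    has_a11y = A11Y_SERVICE_PERM in service_perms or A11Y_ACTION in intent_actions
    sensitive = sorted(SENSITIVE_PERMISSIONS[p] for p in requested & SENSITIVE_PERMISSIONS.keys())

    return {
        "package": root.get("package"),
        "declares_vpn_service": has_vpn,
        "declares_accessibility_service": has_a11y,
        "sensitive_data_reachable": sensitive,
        # Heuristic, not proof: a VPN client that also wants to read the screen
        # and harvests at least two categories of personal data warrants a manual look.
        "suspicious": has_vpn and has_a11y and len(sensitive) >= 2,
    }


# Constructed manifest of a plain VPN client (package name is hypothetical).
BENIGN_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest modelled on the profile described in the article
# (package name is hypothetical, not the real sample's).
TROJANIZED_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BENIGN_VPN_MANIFEST, TROJANIZED_VPN_MANIFEST):
        print(triage_manifest(manifest))
```

Real APKs carry the manifest as binary XML, so run `apktool d app.apk` (or an equivalent decoder) first and feed the resulting AndroidManifest.xml to `triage_manifest`. The check is deliberately a heuristic: it cannot tell whether the accessibility service is ever started, which is exactly the behavior the activation key hides from a sandbox, but it does not need the key to raise the flag.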

Campaign attribution

Researchers found similarities between the code and SQL queries of the fake SecureVPN packages and packages from the previously seen SecureChat campaign, which Cyble and CoreSec360 researchers had attributed to the Bahamut group.

Conclusion

In this campaign, Bahamut keeps a low profile through highly targeted distribution. The group offers hack-for-hire services and distributes its Android spyware through websites that impersonate legitimate services. Impersonating a VPN service is a new addition to its toolkit and makes it a formidable actor.
Cyware Publisher