Bahamut Cyber criminal group actively targeting users with fake VPN application


It looks like the Bahamut cybercriminal group is still active and keeps a low profile, with limited and filtered targeting to avoid being caught in the wild. ESET researchers identified activity of this group since January 2022, in which the group targets Android users through a fake SecureVPN application website; the website only offers the Android version of the application.
"ESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never available for download from Google Play.
The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data." ESET said in its report.
The current malware application has the capability to exfiltrate data such as device location, call logs, contacts, SMS messages, a list of installed applications, device accounts, recorded phone calls and a list of files on external storage. The malware also misuses the Android accessibility service, which makes the application more powerful and able to collect more data such as calls and chats: WeChat data, WhatsApp data, Viber data, Facebook account data, Signal data and Telegram data.
Based on the similarities between the old Bahamut SecureChat application and the current SecureVPN application, ESET identified that the fake SecureVPN application is linked to the Bahamut group.

Indicators of Compromise (IoCs)

Files

SHA-1                                     Package name        ESET detection name     Description
3144B187EDF4309263FF0BCFD02C6542704145B1  com.openvpn.secure  Android/Spy.Bahamut.M   OpenVPN app repackaged with Bahamut spyware code
2FBDC11613A065AFBBF36A66E8F17C0D802F8347  com.openvpn.secure  Android/Spy.Bahamut.M   OpenVPN app repackaged with Bahamut spyware code
2E40F7FD49FA8538879F90A85300247FBF2F8F67  com.secure.vpn      Android/Spy.Bahamut.M   SoftVPN app repackaged with Bahamut spyware code
1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229  com.secure.vpn      Android/Spy.Bahamut.M   SoftVPN app repackaged with Bahamut spyware code
976CC12B71805F4E8E49DCA232E95E00432C1778  com.secure.vpn      Android/Spy.Bahamut.M   SoftVPN app repackaged with Bahamut spyware code
B54FFF5A7F0A279040A4499D5AABCE41EA1840FB  com.secure.vpn      Android/Spy.Bahamut.M   SoftVPN app repackaged with Bahamut spyware code
C74B006BADBB3844843609DD5811AB2CEF16D63B  com.secure.vpn      Android/Spy.Bahamut.M   SoftVPN app repackaged with Bahamut spyware code
4F05482E93825E6A40AF3DFE45F6226A044D8635  com.openvpn.secure  Android/Spy.Bahamut.M   OpenVPN app repackaged with Bahamut spyware code
79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF  com.openvpn.secure  Android/Spy.Bahamut.M   OpenVPN app repackaged with Bahamut spyware code
7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6  com.openvpn.secure  Android/Spy.Bahamut.M   OpenVPN app repackaged with Bahamut spyware code

Network

IP               Domain                      First seen   Details
104.21.10[.]79   ft8hua063okwfdcu21pw[.]de   2022-03-20   C&C server
172.67.185[.]54  thesecurevpn[.]com          2022-02-23   Distribution website
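As an added example (not part of the original post and not ESET's tooling), the script below loads the IoCs from the tables above and checks them against two constructed inputs a defender typically has: an app inventory exported from a device or MDM (package name plus APK SHA-1) and a few DNS resolver log lines. The log format, the inventory tuples and the sample hashes other than the published ones are assumptions made for the demonstration; the indicator values themselves are copied from the tables.

```python
"""Check an Android app inventory and DNS log lines against the Bahamut IoCs.

Added example for this post, not code from ESET or the original article.
Indicator values are copied from the IoC tables above; the input formats
and the sample data are constructed for the demonstration.
"""
import re

# APK SHA-1 -> (package name, ESET detection name), from the "Files" table.
FILE_IOCS = {
    "3144B187EDF4309263FF0BCFD02C6542704145B1": ("com.openvpn.secure", "Android/Spy.Bahamut.M"),
    "2FBDC11613A065AFBBF36A66E8F17C0D802F8347": ("com.openvpn.secure", "Android/Spy.Bahamut.M"),
    "2E40F7FD49FA8538879F90A85300247FBF2F8F67": ("com.secure.vpn", "Android/Spy.Bahamut.M"),
    "1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229": ("com.secure.vpn", "Android/Spy.Bahamut.M"),
    "976CC12B71805F4E8E49DCA232E95E00432C1778": ("com.secure.vpn", "Android/Spy.Bahamut.M"),
    "B54FFF5A7F0A279040A4499D5AABCE41EA1840FB": ("com.secure.vpn", "Android/Spy.Bahamut.M"),
    "C74B006BADBB3844843609DD5811AB2CEF16D63B": ("com.secure.vpn", "Android/Spy.Bahamut.M"),
    "4F05482E93825E6A40AF3DFE45F6226A044D8635": ("com.openvpn.secure", "Android/Spy.Bahamut.M"),
    "79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF": ("com.openvpn.secure", "Android/Spy.Bahamut.M"),
    "7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6": ("com.openvpn.secure", "Android/Spy.Bahamut.M"),
}

# (IP, domain, first seen, role), from the "Network" table, kept defanged as published.
NETWORK_IOCS = [
    ("104.21.10[.]79", "ft8hua063okwfdcu21pw[.]de", "2022-03-20", "C&C server"),
    ("172.67.185[.]54", "thesecurevpn[.]com", "2022-02-23", "Distribution website"),
]

# Package names that appear in the file IoCs; a name match without a hash match
# is a lower-confidence lead (a new, unlisted build) and needs manual triage.
KNOWN_PACKAGES = {pkg for pkg, _ in FILE_IOCS.values()}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable one."""
    return indicator.replace("[.]", ".")


def scan_app_inventory(inventory):
    """inventory: iterable of (package_name, apk_sha1_hex), e.g. an MDM export.

    Returns a list of (package, sha1, detection_name, reason) tuples."""
    hits = []
    for package, sha1 in inventory:
        sha1 = sha1.strip().upper()  # exports often emit lowercase hex
        if sha1 in FILE_IOCS:
            hits.append((package, sha1, FILE_IOCS[sha1][1], "hash match"))
        elif package in KNOWN_PACKAGES:
            hits.append((package, sha1, "unknown build", "package name match, hash not listed"))
    return hits


# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, role) for queries that hit a listed
    domain or any subdomain of it; malformed lines are skipped."""
    domains = {refang(dom): role for _ip, dom, _seen, role in NETWORK_IOCS}
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()  # drop trailing root dot
        for dom, role in domains.items():
            if qname == dom or qname.endswith("." + dom):
                hits.append((m.group("ts"), m.group("client"), qname, role))
    return hits


# Constructed sample inputs: one known bad hash (lowercase, as an export might
# emit it), one unlisted build of a listed package name, and one benign app.
SAMPLE_INVENTORY = [
    ("com.android.chrome", "0" * 40),
    ("com.secure.vpn", "2e40f7fd49fa8538879f90a85300247fbf2f8f67"),
    ("com.openvpn.secure", "F" * 40),
]

SAMPLE_DNS_LOG = [
    "2022-03-21T10:00:00Z 10.0.0.12 query thesecurevpn.com.",
    "2022-03-21T10:00:05Z 10.0.0.12 query www.example.com.",
    "2022-03-21T10:01:00Z 10.0.0.12 query api.ft8hua063okwfdcu21pw.de",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_app_inventory(SAMPLE_INVENTORY):
        print("APP ", hit)
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS ", hit)
```

Hash matches are the only high-confidence result here; the package-name branch exists because the post lists only the samples ESET saw, so a fresh build of the same trojanized app would have a new SHA-1. The domain check also catches subdomains of the listed hosts, since a C&C operator can rotate hostnames under the same registered domain.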

