BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
What do cybercrime, fake news, the Middle East/South Asia and a dragon from the Final Fantasy or the Dungeons & Dragons series all have in common? The answer is an advanced persistent threat (APT) group named BAHAMUT. However, instead of being a political slur or an imagined beast you can encounter during your quests, BAHAMUT is a focused, innovative, patient and evasive threat group that concentrates its attacks on the Middle East and South Asia. Recently, BlackBerry published a report called BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News and Fake Apps, which will be referred to as the report.
Hands-on threat intel training
What is BAHAMUT?
Described as both sophisticated and staggering regarding the scope of its malicious activities, BAHAMUT is responsible for a variety of extremely targeted attacks and a variety of unsolved cases that have remained open for years. To give a better idea of the wide range of malicious campaigns that BAHAMUT has been responsible for, below are some of the group’s capabilities:
- Zero-day exploits
- Extremely elaborate and targeted phishing campaigns
- Credential harvesting campaigns
- New Windows malware
- Anti-forensic tactics
- Antivirus (AV) evasion
BAHAMUT uses above-average security, top-notch evasion tactics and a lack of discernible motive or pattern of its activities, making it a particularly difficult attack group to pin down. This has led researchers to categorize BAHAMUT as a hack-for-hire group. Recently, the group has increasingly targeted mobile devices and applications.
Patience is a virtue, and BAHAMUT has taken to this saying. It has been known to wait a year or more before making a malicious move on a target. The distinctive characteristics of BAHAMUT do not stop at this high-level observation.
The most distinctive aspect of BAHAMUT is that the group deceives targets with a concerted fake news effort using meticulously crafted and novel websites, applications and personas. One observation was that BAHAMUT hijacked an information security news website domain and pushed out research, geopolitics and industry-related news about other attack groups. This elaborate scheme included fake contributors, use of photos of legitimate journalists and even fake social media accounts to make the news outlet come across as legitimate.
The list of sites BAHAMUT has taken over spans a wide range of interests from news, to information security to fitness. However, aside from this observation, others are more targeted and focus on specific topics related to the area of the world that the group operates in. One such example is the focus that the group has on Sikh political groups and hot-button political issues such as the Sikh Referendum of 2020.
BAHAMUT’s targeting
BAHAMUT focuses on individuals instead of organizations and has a particular concentration on political, economic and social spheres in the Middle East and South Asia. Historical targets of note are below:
- Individuals in Sikh political groups within India
- Websites focused on political issues such as the Sikh Referendum of 2020 in India
- Turkish government officials
- People connected to politicians in Qatar
- UAE diplomats
- Turkish minister of foreign affairs
- The Turkish delegate to UNESCO
Phishing
According to the report, BAHAMUT is head and shoulders above other hack-for-hire organizations. This is attributed to the group’s speed, their ability to change or adapt rapidly and the group’s highly compartmentalized and single-use infrastructure. Another reason for its adeptness in phishing is BAHAMUT’s highly tuned credential harvesting system that focuses on very specific targets. This group can also learn from their mistakes quickly, which makes their phishing tactics even more successful. Throw in the group’s in-depth research it does on its targets and you have an APT with one of the most sophisticated phishing abilities in the world.
Mobile applications
BAHAMUT is also a step beyond competent when it comes to creating malicious mobile applications. It goes the extra mile compared to other APTs and creates well-thought-out and professional-looking websites that have been described in the report as “impressive.” Their websites contain clearly written terms of service and well-defined privacy policies which other APTs wouldn’t bother investing the time or effort into. It is this extra measure of effort that seems to be the underlying trend with BAHAMUT.
BAHAMUT is responsible for a campaign called Operation Bull where the group uploaded several mobile applications to the Google Play Store which managed to bypass the app store’s static code safeguards. These applications were still available in the Google Play store as of July 2020:
- https://play.google[.]com/store/apps/details?id=com.callrecording.recorder
- https://play.google[.]com/store/apps/details?id=ramadan.com.ramadan
- https://play.google[.]com/store/apps/details?id=com.realmusic
- https://play.google[.]com/store/apps/details?id=com.musicupnew
- https://play.google[.]com/store/apps/details?id=com.hdmediaplayer
According to the report, BAHAMUT’s Android Package Kits (APKs) have several modifications, with most having almost no detection in a well-known malware repository. BlackBerry discovered that these APK files were typically made up of legitimate code as well as commonly used Android libraries. This gives their mobile application operations the necessary veneer of legitimacy to fly under the radar.
Other findings
- BAHAMUT employs at least one zero-day developer exhibiting a skill-level above and beyond other APTs
- The wide range of tactics, tools and targets led BlackBerry to conclude BAHAMUT is well-resourced, well-funded and capable of high-level security research
- The group is behind some well-researched exploits with different names, such as EHDEVEL, URPAGE, WINDSHIFT and THE WHITE COMPANY
A powerful beast made real
BAHAMUT may share its name with a mythical fish or dragon, but there is nothing make-believe about this APT. This group focuses its efforts on cyberespionage and phishing, with a focus on mobile applications, and it buttresses its efforts with a very responsive group of operators that have no problem changing their next steps based upon existing data. The group is also renowned for investing a painstaking amount of time and effort into making its operations appear legitimate, above and beyond other attack groups. These differences put BAHAMUT above the rest.
Sources
- BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals. BlackBerry ThreatVector Bog.
- BAHAMUT: Hack-For-Hire Masters of Phishing, Fake News, and Fake Apps. BlackBerry Report.