Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram
ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download. Note that although the malware employed throughout this campaign uses the name SecureVPN, it has no association whatsoever with the legitimate, multiplatform SecureVPN software and service.
ESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never available for download from Google Play.
The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data.
The Bahamut APT group typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial attack vector. Bahamut specializes in cyberespionage, and we believe that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.
The group has been the subject of several publications in recent years, including:
The initial fake SecureVPN app we analyzed was uploaded to VirusTotal on 2022-03-17, from an IP address that geolocates to Singapore, along with a link to a fake website that triggered one of our YARA rules.
At the same time, we were notified on Twitter via DM from @malwrhunterteam about the same sample.
The malicious Android application used in this campaign was delivered via the website thesecurevpn[.]com (see Figure 1), which uses the name – but none of the content or styling – of the legitimate SecureVPN service (at the domain securevpn.com).
Figure 1. Fake SecureVPN website provides a trojanized app to download
This fake SecureVPN website was created based on a free web template (see Figure 2), which was most likely used by the threat actor as an inspiration, since it required only small changes and looks trustworthy.
Figure 2. Free website template used to create the distribution website for the fake VPN app
thesecurevpn[.]com was registered on 2022-01-27; however, the time of initial distribution of the fake SecureVPN app is unknown. The malicious app is provided directly from the website and has never been available at the Google Play store.
Malicious code in the fake SecureVPN sample was previously seen in the SecureChat campaign documented by Cyble and CoreSec360. We have seen this code used only in campaigns conducted by Bahamut; similarities to those campaigns include storing sensitive information in a local database before uploading it to the C&C server. The amount of data stored in these databases probably depends on the campaign. In Figure 3 you can see the malicious package classes from this variant compared to a previous sample of Bahamut code.
Figure 3. Class name comparison between the earlier malicious SecureChat package (left) and fake SecureVPN package (right)
Comparing Figure 4 and Figure 5, you can see the similarities in SQL queries in the earlier SecureChat malware, attributed to Bahamut, and the fake SecureVPN malware.
Figure 4. The SQL queries used in malicious code from the earlier SecureChat campaign
Figure 5. The SQL queries used in malicious code in the fake SecureVPN campaign
As such, we believe that the fake SecureVPN application is linked to the Bahamut group.
Since the distribution website went online, at least eight versions of the Bahamut spyware have been available for download. The threat actor named each build by appending a version number to the fake application name. We were able to pull the following versions from the server: secureVPN_104.apk, SecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk, SecureVPN_109.apk, SecureVPN_1010.apk, and secureVPN_1010b.apk. We believe the version with the lowest version suffix was provided to potential victims earlier, while the higher version numbers have been used more recently.
We divide these versions into two branches, since Bahamut’s malicious code was placed into two different legitimate VPN apps.
In the first branch, from version secureVPN_104 through secureVPN_108, malicious code was inserted into the legitimate SoftVPN application, which can be found on Google Play and uses the unique package name com.secure.vpn. This package name is also visible in the PARENT_APPLICATION_ID value in the version information found in the decompiled source code of the first fake SecureVPN app branch, as seen in Figure 6.
Figure 6. Fake SecureVPN v1.0.4 with malicious code included into SoftVPN as parent application
In the second branch, from version secureVPN_109 through secureVPN_1010b, malicious code was inserted into the legitimate open-source application OpenVPN, which is available on Google Play and uses the unique package name com.openvpn.secure. As with the trojanized SoftVPN branch, the original app’s package name is also visible in the fake SecureVPN app’s version information, found in the decompiled source code, as seen in Figure 7.
Figure 7. Fake SecureVPN v1.0.9 (SecureVPN_109) with malicious code included into OpenVPN as its parent application even though the hardcoded VERSION_NAME (1.0.0) wasn’t changed between versions
Besides the split into these two branches, where the same malicious code is implanted into two different VPN apps, the other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant with respect to overall functionality.
The reason why the threat actor switched from patching SoftVPN to OpenVPN as its parent app is not clear; however, we suspect that the reason might be that the legitimate SoftVPN app stopped working or being maintained and was no longer able to create VPN connections – as confirmed by our testing of the latest SoftVPN app from Google Play. This could be a reason for Bahamut to switch to using OpenVPN, since potential victims might uninstall a non-working VPN app from their devices. Changing one parent app to another likely required more time, resources, and effort to successfully implement by the threat actor.
Malicious code packaged with the OpenVPN app was implemented a layer above the VPN code. That malicious code implements spyware functionality that requests an activation key and then checks the supplied key against the attacker’s C&C server. If the key is successfully entered, the server will return a token that is necessary for successful communication between the Bahamut spyware and its C&C server. If the key is not correct, neither Bahamut spyware nor VPN functionality will be enabled. Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app.
In Figure 8 you can see an initial activation key request and in Figure 9 the network traffic behind such a request and the response from the C&C server.
Figure 8. Fake SecureVPN requests activation key before enabling VPN and spyware functions
Figure 9. Fake SecureVPN activation request and its C&C server’s response
The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website. Unfortunately, we were not able to obtain a working key.
The activation key layer does not belong to the original OpenVPN functionality, and we do not recognize it as code from any other legitimate app. We believe it was developed by Bahamut, since it also communicates with their C&C server.
Implementing a layer to protect a payload from being triggered right after launch on a non-targeted user device or when being analyzed is not a unique feature. We already saw similar protection being used in another campaign by the Bahamut group implemented in the SecureChat app analyzed by CoreSec360. That required extra effort by the victim, who had to create an account and log into it, which then enabled the Bahamut spyware functionality. We have also observed comparable protection being used by APT-C-23, where the potential victim needs a valid Coupon Code to download the malicious app.
If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data such as:
By misusing accessibility services, as seen in Figure 10, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as:
Figure 10. Fake SecureVPN request to manually enable Accessibility services
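Two of the static artefacts described above (the PARENT_APPLICATION_ID constant in the version information of Figures 6 and 7, and the accessibility service a VPN app has no reason to declare, as in Figure 10) can be checked mechanically once an APK has been decompiled. The following triage helper is an added example written for this article, not ESET's tooling; it assumes the analyst already has the text of the decompiled BuildConfig class and AndroidManifest.xml, and the two sample inputs are constructed stand-ins, not content of the real sample.

```python
"""Triage helper for the trojanized-VPN pattern described in the article.
Assumptions (added example, not ESET's code): the APK was decompiled (e.g. with jadx)
and the analyst passes in the text of BuildConfig.java and AndroidManifest.xml."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed stand-in for a decompiled BuildConfig of the kind shown in Figures 6 and 7.
SAMPLE_BUILDCONFIG = '''
public final class BuildConfig {
    public static final String APPLICATION_ID = "com.example.fakevpn";
    public static final String PARENT_APPLICATION_ID = "com.openvpn.secure";
    public static final String VERSION_NAME = "1.0.0";
}
'''

# Constructed manifest fragment: a VPN app declaring an accessibility service.
SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".VpnService"/>
  </application>
</manifest>'''


def build_config_constants(src: str) -> dict:
    """Collect the String constants from a decompiled BuildConfig class."""
    return dict(re.findall(r'public static final String (\w+) = "([^"]*)";', src))


def accessibility_services(manifest_xml: str) -> list:
    """Return service names that are bound as accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM]


def triage(buildconfig_src: str, manifest_xml: str) -> list:
    """Produce findings that match the repackaging pattern in the article."""
    consts = build_config_constants(buildconfig_src)
    findings = []
    app_id, parent = consts.get("APPLICATION_ID"), consts.get("PARENT_APPLICATION_ID")
    if app_id and parent and parent != app_id:
        findings.append(f"repackaged build: parent {parent} != application id {app_id}")
    for svc in accessibility_services(manifest_xml):
        findings.append(f"accessibility service declared by a VPN app: {svc}")
    return findings
```

On the sample input the helper reports both the mismatched parent package and the accessibility service; a clean OpenVPN build would report neither.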
All exfiltrated data is stored in a local database and then sent to the C&C server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.
The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past. Further, the spyware code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated in a local database before sending it to the operators’ server, a tactic rarely seen in mobile cyberespionage apps.
It appears that this campaign has maintained a low profile, as we see no instances in our telemetry data. This is probably achieved through highly targeted distribution, where along with a link to the Bahamut spyware, the potential victim is supplied an activation key, which is required to enable the malware’s spying functionality.
This table was built using version 11 of the ATT&CK framework.