A hack-for-hire group known as Bahamut has been targeting Android users with trojanized versions of legitimate VPN applications, ESET reports.
An advanced persistent threat (APT) actor focused on cyberespionage, Bahamut was initially detailed in 2017, but continues to be active, leveraging a fake online empire of social media personas, websites, and applications, which has allowed it to fly under the radar.
A mercenary group offering hack-for-hire services, Bahamut is known for the targeting of entities in the Middle East and South Asia, mainly via spearphishing and fake applications, with a focus on stealing sensitive information.
Also tracked as Ehdevel, Windshift, Urpage, and The White Company, Bahamut has hit government officials and politicians, human rights entities, organizations in the financial services and technology sectors, journalists, military organizations, scholars, and aerospace entities.
Starting January 2022, the APT has been observed distributing malicious applications for Android via a fake SecureVPN website distributing trojanized versions of SoftVPN and OpenVPN.
Bahamut registered the fake SecureVPN website at the end of January 2022. The fake VPN app targeting Android has been distributed solely via the website, ESET says.
The security firm observed similarities in the malicious code used in this campaign and code from earlier Bahamut attacks, and notes that the delivery technique remains the same.
According to ESET, at least eight versions of the Bahamut spyware have been available for download on the fake website, divided into two branches, as malicious code was inserted into either SoftVPN or OpenVPN, two legitimate applications available via Google Play.
“Besides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality,” ESET explains.
The threat actor is believed to have switched from SoftVPN to OpenVPN because SoftVPN stopped working or being maintained, which might have resulted in users uninstalling it.
ESET also points out that the way the malicious code has been injected into the OpenVPN app made it unusable without an activation key (neither the Bahamut spyware nor VPN functionality would work without a correct key).
“Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app. The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website,” ESET notes.
Once enabled, the Bahamut spyware can exfiltrate sensitive information, including user accounts, contacts, messages, calls, installed apps, device location, external storage information, and recorded calls.
The malware would also spy on applications such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.