The cyber espionage group commonly known as Bahamut has been attributed as being behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information.
The activity, which has been active since January 2022, involves distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News.
At least eight different variants of the spyware apps have been discovered to date, all of them trojanized versions of legitimate VPN apps such as SoftVPN and OpenVPN. None of these apps are available on the Google Play Store.
The tampered apps and their updates are pushed to users through the fraudulent website. It is also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable its features.
This implies the use of an undetermined distribution vector, although past evidence shows that it could take the form of spear-phishing emails, SMS messages, or direct messages on social media apps.
The activation key mechanism is also designed to communicate with an actor-controlled server, effectively preventing the malware from being accidentally triggered right after launch on a non-targeted user's device.
Bahamut was unmasked in 2017 by Bellingcat as a hack-for-hire operation targeting government officials, human rights groups, and other high-profile entities in South Asia and the Middle East with malicious Android and iOS apps to spy on its victims.
"Perhaps the most distinctive aspect of Bahamut's tradecraft [...] is the group's use of original, painstakingly crafted websites, applications, and personas," Canadian cybersecurity company BlackBerry noted in October 2020.
Earlier this year, Cyble detailed two sets of phishing attacks orchestrated by the group to push counterfeit Android apps masquerading as chat applications.
The latest wave follows a similar trajectory, tricking users into installing seemingly innocuous VPN apps that can exfiltrate a wide swathe of information, including files, contact lists, SMS messages, phone call recordings, locations, and messages from WhatsApp, Facebook Messenger, Signal, Viber, Telegram, and WeChat.
"The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services," ESET researcher Lukáš Štefanko said.
In a sign that the campaign is well maintained, the threat actor initially packaged the malicious code within the SoftVPN application before moving to OpenVPN, a shift explained by the fact that the actual SoftVPN app stopped functioning and it was no longer possible to establish a VPN connection.
"The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past," Štefanko added.