Cyble-Bahamut-Threat-Group-Phishing-Spyware-Campaign

Bahamut Threat Group Targeting Users Through Phishing Campaign

During Cyble’s routine threat hunting exercise, we came across a Twitter post mentioning a phishing campaign involving a Threat Actor (TA) hosting malicious Android APK files on a counterfeit version of Jamaat websites.

The phishing websites used by the TA are as follows:

  • jamaat-ul-islam[.]com
  • jamatapplication[.]com
  • jamaatforummah[.]com
  • jamaatforallah[.]com

The figure below shows the phishing page.

Figure 1: Phishing page to deliver malware

As per Cyble’s research, this campaign is identical to the Bahamut group. Therefore, it is likely that the Bahamut group is operating under this alias. Bahamut is a threat group targeting the Middle East and South Asia and its attack vectors are phishing campaigns and malware. First noticed in 2017, Bahamut has targeted many individuals and entities.

Our research team has downloaded the samples and conducted a thorough analysis. Based on this, the Cyble Research Lab concluded that the malware is a variant of spyware and uploads the data to a Command & Control (C&C) server. We also observed that the malicious app disguises itself as the Jamaat chat app and the Muslim Youth app.

Technical Analysis

APK Metadata Information

  • App Name: JamaatChat
  • Package Name: com.example.jamaat
  • SHA256 Hash: 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325
Figure 2: APK Metadata Information

Our initial analysis observed that the TA had hosted the file with different names for the same sample.

The Bahamut malware requests the user for 21 different permissions, of which 14 are dangerous. The dangerous permissions are listed below.

Permission NameDescription
android.permission.READ_CONTACTSAccess to phone contacts
android.permission.READ_EXTERNAL_STORAGEAccess device external storage
android.permission.WRITE_EXTERNAL_STORAGEModify device external storage
android.permission.READ_PHONE_STATE Access phone state and information
android.permission.RECORD_AUDIOAllows to record audio using device microphone
android.permission.ACCESS_COARSE_LOCATIONFetch device location using a mobile network
android.permission.ACCESS_FINE_LOCATIONFetch device location using GPS sensor
android.permission.ACCESS_BACKGROUND_LOCATIONAccess location information in background
android.permission.CALL_PHONEPerform call without user intervention
android.permission.CAMERAAccess device camera hardware
android.permission.READ_CALL_LOGAccess user’s call logs
android.permission.READ_SMSAccess user’s SMSs stored in the device
android.permission.RECEIVE_SMSFetch and process SMS messages
android.permission.WRITE_SETTINGSModify device’s system settings
Table 1: Dangerous permissions

When the user enables these permissions, the malicious app will collect information such as Contacts, SMSs, Call Logs, Audio, etc.

The below figure shows that the app requests permission at the start.

Figure 3: App requests permissions at the start

The Bahamut malware requests the user for Contacts and SMS permissions upon starting the application, among others. Once the victim enables these permissions, the malware initiates background services to collect information. The below figure depicts the code to start background services for collecting data.

Figure 4: Background service for collecting information

The Bahamut malware creates a copy of the device’s contacts, SMS, call logs to the local database, named as tabs_database, in the initial stage. The below figure shows table details of the database.

Figure 5: Code to create the database for storing information

Spyware Activity

  1. Contacts: The spyware extracts all the contacts stored on the device and stores them on a database table user_contacts. The below figure shows the code to collect contacts and store the data in a database table.
Figure 6: Code to collect contacts data
  • SMSs: As the below figure shows, the malware collects SMSs and stores it in a database table named user_sms.
Figure 7: Code to collect SMSs
  • Call Logs: As the below figure shows, the Bahamut malware extracts call log data and stores the data on a database table call_logs.
Figure 8: Code to collect Call Logs
  • Files List: A list of files from device storage is classified as documents, audio, video, images and stored in a database table named as user_files
  • Location: Collects device location information
  • Device Hardware details: Collectsinformation such as IMEI number, IP address, device ID, and phone model.  

The below figure depicts the code to collect device information and location.

Figure 9: Code to collect location and device hardware information

The malware creates listeners for users and device events, such as:

  1. DEVICE BOOT UP
  2. SMS RECEIVED
  3. CALL RECEIVED
  4. WIFI STATE CHANGE
  5. User event/New contact added

The below figure shows the code related to the listener created for CALL RECEIVED event.

Figure 10: Code to listen for a call received event

The Bahamut malware will upload the collected data whenever the afore-mentioned events are triggered on the victim device. The TA has also created a scheduler to upload data which will execute every 4 hours (14400000 milliseconds). The below code shows the listener for the BOOT-UP event which creates a scheduler that executes every 4 hours.

Figure 11: Code to listen for Boot up the event and to create a scheduler

 As the below code shows, initializeSocket() is the function that uploads all the data to the C&C server.

Figure 12: Code used to communicate with the C&C server

For all communication with the C&C server, the fake app uses a framework called Socket.IO, a real-time, bidirectional communication library. In addition, Bahamut malware uses HTTPS protocol to communicate with the C&C server.

C&C server URL: hxxps://h94xnghlldx6a862moj3[.]de

The below figure shows the C&C server IP, which is stored in the application code.

Figure 13: C&C server URL in malware’s code

The application also contains code to emulate a chat application by using the WebView functionality in Android.

Conclusion

According to our research, Bahamut frequently uses phishing pages as an attack vector to deliver malware. In this scenario, the group is targeting users trying to access Jamaat domains with Android Spyware.

To protect yourself from these infections, the user should prefer to install applications from the official Google Play Store. Also, be aware of the threat groups and their attack vectors and take measures accordingly.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  1. If you find this malware in your device, uninstall it immediately. 
  2. Use the shared IoCs to monitor and block the malware infection. 
  3. Keep your anti-virus software updated to detect and remove malicious software. 
  4. Keep your system and applications updated to the latest versions. 
  5. Use strong passwords and enable two-factor authentication. 
  6. Download and install software only from registered app stores. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Defense EvasionT1406
T1418  
1. Obfuscated Files or Information
2. Application Discovery
Credential AccessT1412
T1517  
1. Capture SMS Messages
2. Access Notifications
DiscoveryT1421
T1422
T1430
T1426
T1424
1. System Network Connections Discovery
2. System Network Configuration Discovery
3. Location Tracking
4. System Information Discovery
5. Process Discovery
CollectionT1432
T1433
T1429
T1507
T1517
1. Access Contact List
2. Access Call Log
3. Capture Audio
4. Network Information Discovery
5. Access Notifications
Command and ControlT1436Commonly Used Port

Indicators of Compromise (IoCs): 

IndicatorsIndicator typeDescription
9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325SHA256Hash of the sample1
c5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8SHA256Hash of the sample2
4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431SHA256Hash of the sample3
7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597SHA256Hash of the sample5
hxxps://h94xnghlldx6a862moj3[.]deURLC&C Server URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

%d bloggers like this: