
Bahamut Android Malware returns with New Spying Capabilities

Android Spyware Distributed Via Phishing Campaigns

Bahamut is a well-known Advanced Persistent Threat (APT) group that was first discovered in 2017. The Bahamut group was involved in various phishing campaigns that were delivering malware targeting the Middle East and South Asia.

Cyble Research Labs has been closely monitoring the activities of the Bahamut group. In August 2021, Cyble released a blog on Bahamut Android Spyware, distributed through a phishing campaign impersonating Jamaat official sites.

The Bahamut group plans its attack on a target, stays active in the wild for a while so that the campaign reaches many individuals and organizations, and finally steals their data.

After their previous attack, the Threat Actors (TAs) behind Bahamut stayed silent for about a year and came back with a new strategy for their current campaign. The group has continually changed its mode of attack and, over the past few years, has increasingly shifted its focus to mobile devices.

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post in which a researcher mentioned a variant of Android malware: Bahamut Android Spyware.

After about a year of silence, a new variant of Bahamut Android malware was spotted in the wild in April 2022, being distributed via phishing sites. The phishing sites were masked as genuine websites for downloading a messaging application that provides secure communication.

Figure 1 – Phishing site which distributes malware

The phishing site is well-designed and looks professional. The TA has also listed the features provided by the application and added a Contact Us page and a Subscribe page, as shown in the figure below. The TAs added these elements to make the site appear more genuine.

Figure 2 – Features listed on phishing sites to look legitimate

This indicates that the TA has invested time in developing a well-designed phishing website to attract the victim to download the malware.

Along with the secure chat phishing website, we have observed Bahamut Spyware being distributed through adult sites such as “hxxps://www[.]iminglechat[.]de”.

Comparing the old and new variants of Bahamut Android Spyware, we observed that the TA has modified the code in the new variant and added extra modules specifically targeting messaging applications such as Viber, Imo, Signal, Telegram, and many more. The old variant of the malicious app collected only Personally Identifiable Information (PII) such as contacts, SMS data, and call logs.

The image below shows the comparison and the extra module added to collect information from the different messaging apps.

Figure 3 – Comparison of the old and new variants of Bahamut

Technical Analysis

APK Metadata Information

  • App Name: Chat Services
  • Package Name: com.chat.services
  • SHA256 Hash: 1084b7ff4758b5d13dcfc4f9167b16e6b834bfff2032b540e74959ceb18a5b1e


Figure 4 shows the metadata information of the application.

Figure 4 – App Metadata Information

Manifest Description

The malicious application declares 24 permissions in its manifest, of which the TA abuses 9. The harmful permissions requested by the malware are:

Permission | Description
CAMERA | Required to access the camera device.
READ_SMS | Access phone messages.
RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse.
READ_CONTACTS | Access phone contacts.
READ_CALL_LOG | Access phone call logs.
READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage.
RECEIVE_SMS | Allows an application to receive SMS messages.
WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files on the external storage of the device.
SYSTEM_ALERT_WINDOW | Allows the app to draw on top of other applications.
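As an added example (not Cyble's code and not taken from the sample), the Python below triages a decoded AndroidManifest.xml, such as apktool produces, for the permission profile in the table above and for a declared accessibility service. The manifest is constructed here; the service class name `.AccessService` is a placeholder, since the report does not name the sample's service.

```python
# Added example: triage a decoded AndroidManifest.xml for the permission
# profile in the report. The sample manifest is constructed, not from the APK.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The nine permissions the report lists as abused by the sample.
RISKY_PERMISSIONS = {
    "CAMERA", "READ_SMS", "RECORD_AUDIO", "READ_CONTACTS", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "RECEIVE_SMS", "WRITE_EXTERNAL_STORAGE",
    "SYSTEM_ALERT_WINDOW",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text):
    """Summarise requested permissions and any accessibility-service declaration."""
    root = ET.fromstring(xml_text)
    requested = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        requested.add(name.rsplit(".", 1)[-1])  # drop the android.permission. prefix
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(ANDROID_NS + "permission") == BIND_A11Y
               for s in root.iter("service"))
    return {
        "package": root.get("package", ""),
        "requested_count": len(requested),
        "risky": sorted(requested & RISKY_PERMISSIONS),
        "accessibility_service": a11y,
    }

# Constructed manifest reusing the report's package name; the service class
# name ".AccessService" is a placeholder, not taken from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.chat.services">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Chat Services">
        <service android:name=".AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` reports six of the nine risky permissions plus an accessibility service, the combination the report describes.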

Source Code Review

Installing the malware prompts the user to grant a few permissions and to enable the Accessibility Service. Once the victim grants these, the malware abuses the Accessibility Service to fetch data from the targeted messaging applications.

Figure 5 – Accessibility Service

The malware then checks for the targeted application’s package name. It uses the Accessibility API to fetch text from the current screen and stores it in a local database, as shown below.

Figure 6 – Fetching data from the targeted applications

Below is the list of messaging applications targeted by the malware to collect the data:

  • com.viber.voip
  • com.protectedtext.android
  • com.facebook.orca
  • com.imo.android.imoim
  • org.telegram.messenger
  • com.whatsapp
  • com.secapp.tor.conion
  • org.thoughtcrime.securesms
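As an added responder-side check (not Cyble's code), the Python below parses the raw output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages` to flag an unrecognised enabled accessibility service on a device that also carries apps from the target list above. The device outputs are constructed, the allowlist is an assumption to be filled per fleet, and the service class `.AccessService` is a placeholder the report does not name.

```python
# Added example: flag an unrecognised enabled accessibility service on a device
# that also has apps from the report's target list installed. Inputs are the
# raw outputs of `settings get secure enabled_accessibility_services` and
# `pm list packages`; the samples at the bottom are constructed.
TARGETED_APPS = {
    "com.viber.voip", "com.protectedtext.android", "com.facebook.orca",
    "com.imo.android.imoim", "org.telegram.messenger", "com.whatsapp",
    "com.secapp.tor.conion", "org.thoughtcrime.securesms",
}
# Assumption: packages whose accessibility services the fleet has reviewed.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}

def parse_enabled_services(value):
    """'pkg/cls:pkg2/cls2' (or 'null' when unset) -> list of (package, class)."""
    value = value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs

def parse_installed(pm_output):
    """Lines of 'package:<name>' -> set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def assess(enabled_value, pm_output):
    """Heuristic: an unreviewed service plus installed target apps is suspicious."""
    unknown = [(p, c) for p, c in parse_enabled_services(enabled_value)
               if p not in KNOWN_GOOD]
    exposed = sorted(parse_installed(pm_output) & TARGETED_APPS)
    return {"unknown_services": unknown,
            "exposed_apps": exposed,
            "suspicious": bool(unknown) and bool(exposed)}

# Constructed device output; ".AccessService" is a placeholder class name.
ENABLED = ("com.google.android.marvin.talkback/"
           "com.google.android.marvin.talkback.TalkBackService:"
           "com.chat.services/.AccessService")
PM_LIST = "package:com.whatsapp\npackage:org.telegram.messenger\npackage:com.chat.services\n"
```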

After collecting data from these messaging apps, the malware sends the stolen data to the Command and Control (C&C) server, as shown in the code in the figure below.

Figure 7 – Malware sending stolen information to the C&C server

Along with collecting data from messaging applications, the malware performs the following spyware activities:

  • Collects contact information: The malware steals the contact data saved on the victim’s device and sends it to the C&C server.
Figure 8 – Malware collecting contact data

  • Collects SMS and call log data: The malware contains code to collect the SMS and call log information from the victim’s device.
Figure 9 – Collecting SMS and call log information

  • Collects files and basic device information: The malware collects the local files stored on the victim’s device along with the basic information about the device such as model, device ID, version, SIM operator, etc.
Figure 10 – Collecting files and basic device information

The figure below shows the C&C server and endpoints used by the malware to send the stolen data.

Figure 11 – C&C server and endpoints

Conclusion

Recently, many malware families and APT groups have been observed in the wild attacking specific targets, performing malicious activities, and then disappearing for some time. Bahamut malware follows the same pattern.

Bahamut malware was initially observed last year with sophisticated spying capabilities, and interestingly, it has reappeared with additional code that collects data from the messaging applications used by the victim. The agenda behind the malware distribution is very clear: to spy on the targeted entity.

Over the next few years, we may observe a change in the activities of the Bahamut APT group, with different targets, enhanced techniques, and distribution modes. 

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Download and install software only from official app stores like the Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by anti-virus software and the Android OS and take the necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/mobile data and remove the SIM card, as in some cases the malware can re-enable mobile data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Initial Access | T1476 | Deliver Malicious App via Other Means
Collection | T1412 | Capture SMS Messages
Collection | T1432 | Access Contacts List
Collection | T1433 | Access Call Logs
Collection | T1517 | Access Notifications
Collection | T1533 | Data from Local System
Collection | T1429 | Capture Audio
Command and Control | T1571 | Non-Standard Port

Indicators of Compromise (IOCs)
