BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
What do cybercrime, fake news, the Middle East/South Asia and a dragon from the Final Fantasy or the Dungeons & Dragons series all have in common? The answer is an advanced persistent threat (APT) group named BAHAMUT. However, instead of being a political slur or an imagined beast you can encounter during your quests, BAHAMUT is a focused, innovative, patient and evasive threat group that concentrates its attacks on the Middle East and South Asia. Recently, BlackBerry published a report called BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News and Fake Apps, which will be referred to as the report.
Hands-on threat intel training
What is BAHAMUT?
Described as both sophisticated and staggering regarding the scope of its malicious activities, BAHAMUT is responsible for a variety of extremely targeted attacks and a variety of unsolved cases that have remained open for years. To give a better idea of the wide range of malicious campaigns that BAHAMUT has been responsible for, below are some of the group’s capabilities:
- Zero-day exploits
- Extremely elaborate and targeted phishing campaigns
- Credential harvesting campaigns
- New Windows malware
- Anti-forensic tactics
- Antivirus (AV) evasion
BAHAMUT uses above-average security, top-notch evasion tactics and a lack of discernible motive or pattern of its activities, making it a particularly difficult attack group to pin down. This has led researchers to categorize BAHAMUT as a hack-for-hire group. Recently, the group has increasingly targeted mobile devices and applications.
Patience is a virtue, and BAHAMUT has taken to this saying. It has been known to wait a year or more before making a malicious move on a target. The distinctive characteristics of BAHAMUT do not stop at this high-level observation.
The most distinctive aspect of BAHAMUT is that the group deceives targets with a concerted fake news effort using meticulously crafted and novel websites, applications and personas. One observation was that BAHAMUT hijacked an information security news website domain and pushed out research, geopolitics and industry-related news about other attack groups. This elaborate scheme included fake contributors, use of photos of legitimate journalists and even fake social media accounts to make the news outlet come across as legitimate.
The list of sites BAHAMUT has taken over spans a wide range of interests from news, to information security to fitness. However, aside from this observation, others are more targeted and focus on specific topics related to the area of the world that the group operates in. One such example is the focus that the group has on Sikh political groups and hot-button political issues such as the Sikh Referendum of 2020.
BAHAMUT’s targeting
BAHAMUT focuses on individuals instead of organizations and has a particular concentration on political, economic and social spheres in the Middle East and South Asia. Historical targets of note are below:
- Individuals in Sikh political groups within India
- Websites focused on political issues such as the Sikh Referendum of 2020 in India
- Turkish government officials
- People connected to politicians in Qatar
- UAE diplomats
- Turkish minister of foreign affairs
- The Turkish delegate to UNESCO
Phishing
According to the report, BAHAMUT is head and shoulders above other hack-for-hire organizations. This is attributed to the group’s speed, their ability to change or adapt rapidly and the group’s highly compartmentalized and single-use infrastructure. Another reason for its adeptness in phishing is BAHAMUT’s highly tuned credential harvesting system that focuses on very specific targets. This group can also learn from their mistakes quickly, which makes their phishing tactics even more successful. Throw in the group’s in-depth research it does on its targets and you have an APT with one of the most sophisticated phishing abilities in the world.
Mobile applications
BAHAMUT is also a step beyond competent when it comes to creating malicious mobile applications. It goes the extra mile compared to other APTs and creates well-thought-out and professional-looking websites that have been described in the report as “impressive.” Their websites contain clearly written terms of service and well-defined privacy policies which other APTs wouldn’t bother investing the time or effort into. It is this extra measure of effort that seems to be the underlying trend with BAHAMUT.
BAHAMUT is responsible for a campaign called Operation Bull where the group uploaded several mobile applications to the Google Play Store which managed to bypass the app store’s static code safeguards. These applications were still available in the Google Play store as of July 2020:
- https://play.google[.]com/store/apps/details?id=com.callrecording.recorder
- https://play.google[.]com/store/apps/details?id=ramadan.com.ramadan
- https://play.google[.]com/store/apps/details?id=com.realmusic
- https://play.google[.]com/store/apps/details?id=com.musicupnew
- https://play.google[.]com/store/apps/details?id=com.hdmediaplayer
According to the report, BAHAMUT’s Android Package Kits (APKs) have several modifications, with most having almost no detection in a well-known malware repository. BlackBerry discovered that these APK files were typically made up of legitimate code as well as commonly used Android libraries. This gives their mobile application operations the necessary veneer of legitimacy to fly under the radar.
Other findings
- BAHAMUT employs at least one zero-day developer exhibiting a skill-level above and beyond other APTs
- The wide range of tactics, tools and targets led BlackBerry to conclude BAHAMUT is well-resourced, well-funded and capable of high-level security research
- The group is behind some well-researched exploits with different names, such as EHDEVEL, URPAGE, WINDSHIFT and THE WHITE COMPANY
A powerful beast made real
BAHAMUT may share its name with a mythical fish or dragon, but there is nothing make-believe about this APT. This group focuses its efforts on cyberespionage and phishing, with a focus on mobile applications, and it buttresses its efforts with a very responsive group of operators that have no problem changing their next steps based upon existing data. The group is also renowned for investing a painstaking amount of time and effort into making its operations appear legitimate, above and beyond other attack groups. These differences put BAHAMUT above the rest.
Sources
- BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals. BlackBerry ThreatVector Bog.
- BAHAMUT: Hack-For-Hire Masters of Phishing, Fake News, and Fake Apps. BlackBerry Report.
In this Series
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage