The cyber espionage group known as Bahamut has been attributed as being behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information.
The activity, which has been active since January 2022, involves distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News.
At least eight different variants of the spyware apps have been discovered to date, all of them trojanized versions of legitimate VPN apps such as SoftVPN and OpenVPN.
The tampered apps and their updates are pushed to users through the fraudulent website. It is also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable its features.
This suggests the use of an undetermined distribution vector, although past evidence shows that it could take the form of spear-phishing emails, SMS messages, or direct messages on social media apps.
The activation key mechanism is also designed to communicate with an actor-controlled server, effectively preventing the malware from being accidentally triggered right after launch on a non-targeted user's device.
Bahamut was unmasked in 2017 by Bellingcat as a hack-for-hire operation targeting government officials, human rights groups, and other high-profile entities in South Asia and the Middle East with malicious Android and iOS apps to spy on its victims.
"Perhaps the most distinctive aspect of Bahamut's tradecraft that BlackBerry discovered is the group's use of original, painstakingly crafted websites, applications and personas," BlackBerry noted in October 2020.
Earlier this year, Cyble detailed two sets of phishing attacks orchestrated by the group to push counterfeit Android apps masquerading as chat applications.
The latest wave follows a similar trajectory, tricking users into installing seemingly innocuous VPN apps that can exfiltrate a wide swathe of information, including files, contact lists, SMSes, phone call recordings, locations, and messages from WhatsApp, Facebook Messenger, Signal, Viber, Telegram, and WeChat.
"The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services," ESET researcher Lukáš Štefanko said.
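As an added defender-side triage example (not code from ESET's report or from the campaign itself), the check below parses a decoded AndroidManifest.xml, such as one produced by apktool, and flags a package that registers a VPN service and also binds an accessibility service, the combination a trojanized VPN app needs for accessibility-based keylogging but a plain VPN client rarely declares. The package name, service names and both sample manifests are constructed for illustration.

```python
"""Flag manifests that declare a VPN service together with an accessibility service.
The sample manifests below are constructed, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_ACTION = "android.net.VpnService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _actions(service):
    # Collect every intent-filter action name declared under a <service>.
    return {a.get(ANDROID_NS + "name") for a in service.iter("action")}


def triage_manifest(manifest_xml: str) -> dict:
    """Return which sensitive service types a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = {"package": root.get("package"), "vpn": False, "accessibility": False}
    for svc in root.iter("service"):
        if VPN_ACTION in _actions(svc):
            found["vpn"] = True
        # An accessibility service must be protected by this permission to be bound by the OS.
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            found["accessibility"] = True
    found["suspicious"] = found["vpn"] and found["accessibility"]
    return found


# Constructed sample: a plain VPN client declaring only a VpnService.
CLEAN_VPN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: the same client with an added accessibility service,
# the pattern the page attributes to the trojanized builds.
TROJANIZED_VPN = CLEAN_VPN.replace("</application>", """
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>""")

if __name__ == "__main__":
    for name, xml in (("clean", CLEAN_VPN), ("trojanized", TROJANIZED_VPN)):
        print(name, triage_manifest(xml))
```

Real APKs store the manifest in binary AXML form, so decode it first; the check is a triage signal for review, not proof of malice on its own.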
In a sign that the campaign is well maintained, the threat actor initially packaged the malicious code inside the SoftVPN application before moving to OpenVPN, a shift explained by the fact that the original SoftVPN app stopped functioning and it was no longer possible to establish a VPN connection.
"The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past," Štefanko added.