Hack-for-hire group BAHAMUT managed to build a fake online empire to leverage in cyber-espionage operations targeting the Middle East and other regions around the world, BlackBerry reports.
Dubbed BAHAMUT, but also tracked as EHDEVEL, WINDSHIFT, URPAGE, and THE WHITE COMPANY, the cyber-espionage group was initially detailed in 2017, but its activity spans a much longer period of time.
In fact, the threat actor’s activities appear to have been described in several other reports that lack attribution, including a 2016 Kaspersky report on attacks exploiting InPage word processor vulnerabilities.
“BlackBerry assesses that the InPage zero-day exploit first identified by Kaspersky in 2016 and given CVE-2017-12824 but never attributed, was in fact used by BAHAMUT. We also assess that it was first developed by a Chinese threat group in 2009 for use in targeting a group in diaspora perceived to be a potential threat to the power of the Chinese Communist Party,” BlackBerry notes in a new report.
The threat actor was able to fly under the radar through the use of a large number of fake identities, including social media personas, websites, and applications, some of which had original content and were meant to distort reality, but did not immediately show a malicious purpose.
In fact, the use of original websites, applications, and personas across a wide array of industries and regions is what sets this group apart from similar threats. Its fake empire suggests legitimacy and is able to distort consumers’ perception of reality.
Furthermore, the adversary strives to ensure campaigns, network infrastructure, and phishing tools are kept separate, it builds anti-analysis tools directly into backdoors and exploit shellcode, and immediately changes tactics when exposed. The group is also believed to be re-using tools from other groups and to mimic their tradecraft, to hinder attribution.
BAHAMUT, BlackBerry says, has a diverse and long list of targets, including government officials, politicians, human rights activists and organizations, human rights NGOs, financial services and technology companies, Egypt-focused media and foreign press, military organizations, aerospace entities, and scholars.
The group mainly focuses on South Asia (particularly India and Pakistan) and the Middle East (UAE and Qatar in particular), but victims were also identified in China and Northern and Eastern Europe. The hackers appear to be avoiding targets located in the United States.
“BAHAMUT’s targeting is all over the map, which makes it difficult to concoct a single victimology. BAHAMUT appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess. Taken together, these aspects present a considerable attribution challenge,” BlackBerry notes.
The group is also believed to have access to at least one zero-day developer and to be operating over a dozen malicious apps for Android and iOS. Some of these apps were previously mentioned by Trend Micro in a report on Urpage.
New applications were also identified, all accompanied by well-designed websites, privacy policies, and terms of service, thus increasing the sense of legitimacy. They were able to bypass Google’s static code safeguards and five of them were still in Google Play as of July 2020 (they appeared designed specifically for targets in UAE).
Several other websites were employed for the distribution of additional applications, including seven of which were being distributed in recent campaigns. These included VPN and compass applications, but also apps that catered to the Sikh separatist movement.
“A variety of modifications were made to the APKs we found, and most had limited to no detection in a commonly used malware repository. In most cases the APK files were comprised of completely legitimate code and well-known Android libraries which helped cloak the underlying activity from common static detection methods,” BlackBerry says.
A total of nine malicious iOS applications attributed to BAHAMUT were identified in the Apple App Store, all of which were still available as of August 2020. The apps had generic themes with universal appeal: messaging, VOIP, prayer, file management, and password saver applications.
According to BlackBerry, the threat actor also masters the art of phishing, at a level superior to other groups, with targeted spear-phishing operations lasting anywhere between a few hours to months. Additionally, the adversary has the ability to learn from its mistakes and constantly improves its tradecraft.
The security firm, which claims to have “a solid grasp of BAHAMUT’s existing infrastructure,” assesses that BAHAMUT is a hack-for-hire group, just as independent security researchers Collin Anderson and Claudi Guarnieri suggested before.
“For a group that historically set themselves apart by employing above-average operational security and extremely skilled technical capabilities, BAHAMUT operators are, at the end of the day, still human. While their mistakes have been few, they have also proven devastating. BlackBerry found that the idiom “old habits die hard” applies to even the most advanced of threat groups,” BlackBerry concludes.
Related: Firm's MDM Server Abused to Deliver Android Malware to 75% of Its Devices
Related: Threat Actor Sold Access to Networks of 135 Organizations
Related: New Kaspersky Tool Helps Attribute Malware to Threat Actors