[BreachExchange] Elusive hacker-for-hire group Bahamut linked to historical attack campaigns

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 9 10:40:31 EDT 2020


https://www.csoonline.com/article/3585137/elusive-hacker-for-hire-group-bahamut-linked-to-historical-attack-campaigns.html#tk.rss_news

Attack attribution is one of the most difficult aspects of malware
<https://www.csoonline.com/article/3295877/what-is-malware-viruses-worms-trojans-and-beyond.html>
research and it's not uncommon for different security companies to
attribute attack campaigns to different threat actors only to later
discover that they were the work of the same group. Against this backdrop,
a new paper by researchers at BlackBerry stands out by exposing an elusive
group dubbed Bahamut as responsible for a spider web of carefully
constructed and carried out phishing
<https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html>
and malware attacks.

The group's hacking activities trace back to at least 2016 and involve
malware for Windows, macOS, iOS and Android. They have impacted a diverse
range of individuals, including government officials, separatists and human
rights activists from several countries. Some of the group's campaigns were
documented by other researchers and security companies over the years, but
they were either left unattributed or attributed to threat actors under
different names.

"Over the years, researchers at several other organizations including
Amnesty International, Kaspersky, Trend Micro, Cymmetria, DarkMatter, ESET,
Norman, Antiy, Forcepoint, Symantec, Palo Alto, Fortinet, 4Hou,
Bitdefender, Cisco Talos, Microsoft, Qianxin, and others gave us a
different view of Bahamut, often under different names," the BlackBerry
researchers said in their paper
<https://www.blackberry.com/us/en/forms/enterprise/bahamut-report>. "Many
speculated openly about what it was they were analyzing and where the
group’s distinctive features might lead them."

According to BlackBerry's assessment, Bahamut, which was named
<https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/>
by researchers writing for open-source intelligence site Bellingcat in
2017, is the same group described in previous research by different
companies as EHDEVEL, Windshift
<https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/>,
URPAGE and The White Company, as well as the actor responsible for the
campaigns described by Kaspersky Lab in 2016 in its research on the InPage
zero-day vulnerability, Cisco Talos' research on malicious MDM
<https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html>
and Qianxin's research on the attack against Pakistan
<https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/>.

What is Bahamut and how does it operate?

Based on the group's varied and carefully segmented attack campaigns that
target both high-value individuals and larger groups of people across
different regions with different geopolitical interests, the BlackBerry
researchers believe it's plausible that Bahamut is a mercenary group that
sells its services to different clients. This theory was first proposed in
2017 by researchers writing for Bellingcat
<https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/>.

Hacker-for-hire groups that use APT-style techniques have become a common
element of the threat landscape in recent years, challenging the threat
models of many businesses
<https://www.csoonline.com/article/3573081/apt-style-mercenary-groups-challenge-the-threat-models-of-many-organizations.html>.
However, Bahamut stands apart even among cyberespionage groups for its
attention to detail, operational security
<https://www.csoonline.com/article/3391566/what-is-opsec-a-process-for-protecting-critical-information.html>
and considerable efforts spent to learn the behavior of their targets.

According to BlackBerry, Bahamut relies heavily on manipulating its victims
through a constantly shifting web of fake social media accounts and
personas and even fake news websites and applications that don't appear to
be malicious and often generate original content. This is meant to exploit
the victims' interests and earn their trust.

"First encounters with Bahamut begin innocently," the researchers said.
"One might start with a simple direct message on Twitter or LinkedIn from
an attractive woman, but with no suspicious link to click. Another might
occur when scrolling through Twitter or Facebook in the form of a tech news
article. Maybe you’d be taking a break at work and checking out a fitness
website. Or perhaps you’re a supporter of Sikh rights looking for news
about their movement for independence. You’d click, and nothing bad would
appear to happen. On the contrary, you’d experience a legitimate, yet
fabricated reality."

One example is a technology news website that was originally focused on
mobile device reviews. At some point it was taken over by the group, and the
tone and nature of the articles changed to include security research and
geopolitical themes. Its list of contributors now includes fake personas
whose photos are of real news anchors and reporters working for local US TV
stations. The site even has Twitter and Facebook accounts, though with very
few followers.

This highlights the lengths the group is prepared to go and the efforts
it's willing to put in to reach its intended targets. While the tech news
website appears to generate original content, another site operated in the
past by the group called Times of Arab was mirroring legitimate news
articles from other websites.

The researchers identified a large number of fake websites tied to Bahamut
that appeared to have no relation to one another and served a variety of
interests, including exploit sales, fitness, travel, Sikh independence and
secession in India. Some of them were benign, but others were used for
phishing purposes. In addition to the websites, a plethora of fake social
media accounts promoted or directed people to these websites.

Bahamut's activities have historically focused on the Middle East in
countries such as Egypt, Iran, Palestine, Turkey, Tunisia, Saudi Arabia,
Qatar and the United Arab Emirates with targets including government
officials, diplomats, human rights NGOs and activists, journalists, Islamic
scholars and more. Another nexus of activity was observed in South Asia,
with India and Pakistan in particular and a focus on Sikh rights advocates
and Islamist groups active in the Kashmir region. Other campaigns that have
been documented in the past and have now been attributed to Bahamut
targeted users in China and Europe. The group has also targeted individuals
working for companies from the technology, media, aerospace and financial
industries.

The group is well versed in the art of phishing and targets victims on
their personal email accounts rather than their government or corporate
addresses. If their first attempt is unsuccessful, the attackers follow up
with a second email that includes personal information about the victim,
like their phone number, in an attempt to gain more credibility.

"Throughout our analysis of their phishing behavior, BlackBerry observed
that Bahamut was generally in possession of a great deal of information
about their targets prior to phishing them," the researchers said. "This
was clearly the result of a concerted and robust reconnaissance operation.
BlackBerry strongly suspects that much of the data came as a direct result
of the group’s extensive deployment of 'fakes.' Remember, the term 'fakes'
here should be taken to mean any attacker-controlled websites designed to
imitate another website, any attacker owned social media profiles, or any
attacker-controlled website designed to disseminate information."

BlackBerry observed Bahamut phishing pages that mimicked various government
agency login pages but also most of the public email and messaging services
including Gmail, Yahoo, Apple ID, Twitter, Facebook, Telegram, Microsoft
Live, Microsoft OneDrive, Sina and ProtonMail. Victims are taken to the
phishing pages through numerous redirects using URL shortening services and
the phishing sites are sometimes live only for a few hours, making it hard
for security researchers to analyze their campaigns.
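The redirect-through-shorteners pattern described above is easiest to inspect by unrolling the chain one hop at a time rather than letting a browser follow it. The script below is an added example, not code from the BlackBerry report or the article; the shortener URLs, the lookalike host `accounts-google.example.net` and the hop responses are constructed for the example, and the brand-word heuristic is ours.

```python
"""Unroll a shortener redirect chain one hop at a time (added example)."""
from urllib.parse import urljoin, urlsplit

# Constructed sample chain: three shortener hops ending on a lookalike login host.
# Every URL here is invented for the example; nothing is fetched from the network.
FAKE_RESPONSES = {
    "https://bit.ly/3xAmPl3": (301, "https://t.co/abcdEF"),
    "https://t.co/abcdEF": (302, "https://tinyurl.com/y7zzz"),
    "https://tinyurl.com/y7zzz": (302, "https://accounts-google.example.net/signin"),
    "https://accounts-google.example.net/signin": (302, "/signin/v2/identifier"),  # relative
    "https://accounts-google.example.net/signin/v2/identifier": (200, None),
}

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
# Services the article says Bahamut's pages imitated; matching the final host
# against these words is our heuristic, not BlackBerry's.
BRAND_WORDS = ("google", "gmail", "yahoo", "apple", "icloud", "twitter", "facebook",
               "telegram", "live", "onedrive", "microsoft", "sina", "protonmail")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Return (status, Location) for the constructed chain above."""
    return FAKE_RESPONSES.get(url, (404, None))


def live_fetch(url, timeout=5):
    """HEAD one hop without letting urllib follow the redirect itself.

    Network call; use only from an isolated analysis host, never from an
    egress IP the phishing operator could log and act on.
    """
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let the 3xx surface as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def unroll(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects manually, returning every URL visited in order."""
    hops = [url]
    while len(hops) <= max_hops:
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(hops[-1], location)  # Location may be relative
        if nxt in hops:                     # loop guard
            break
        hops.append(nxt)
    return hops


def assess(hops):
    """Score a chain: several shortener hops landing on a brand lookalike host."""
    shortener_hops = sum(1 for h in hops if urlsplit(h).hostname in SHORTENERS)
    final_host = urlsplit(hops[-1]).hostname or ""
    lookalike = any(w in final_host for w in BRAND_WORDS)
    return {
        "hops": len(hops) - 1,
        "shortener_hops": shortener_hops,
        "final_host": final_host,
        "lookalike": lookalike,
        "suspicious": shortener_hops >= 2 and lookalike,
    }


if __name__ == "__main__":
    chain = unroll("https://bit.ly/3xAmPl3")
    for i, h in enumerate(chain):
        print(f"{i}: {h}")
    print(assess(chain))
```

Because the phishing sites were sometimes live for only a few hours, record every hop and its timestamp at the time of triage; by the time an analyst returns to the shortened link, the chain may resolve to a parked page or nothing at all.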

The group also carefully monitors any research the security industry
releases about its campaigns and immediately shuts down and replaces the
exposed infrastructure. They also appear to learn from the mistakes that
allowed researchers to track down their websites and servers and avoid them
in the future.

Android and iOS malware

A big part of Bahamut's tradecraft involves the creation and use of
backdoored Android and iOS applications. The BlackBerry researchers found
multiple such applications on the official app stores for both mobile
platforms that managed to get past Google's and Apple's reviews and code
checks. Most of them were only available in certain countries where the
group's intended victims were located.

The applications were all posted from separate developer accounts, had well
designed descriptions, screenshots and websites with clearly written
privacy policies and terms of service. This suggests a lot of effort and
attention to detail went into creating them.

The applications ranged from call recording to music and video playback,
fitness tracking, messaging and VoIP, password management and Muslim prayer
reminders. The researchers also found applications that were distributed
outside the official app stores, but in most cases the applications had
legitimate functionality and had been built on well-known libraries to avoid
raising suspicion.

On Android, the apps could enumerate files with different file types on the
devices and upload them to a server. Some samples also had the ability to
enumerate device information, access contacts, access call records, access
SMS messages, record phone calls, record audio, record video, download and
update the backdoor and track GPS location.

On iOS, the malicious functionality was more limited, but the apps still had
access to various pieces of data such as location information, health data,
calendar data, keyboard input, credentials entered into the application for
various accounts, contact information, files located on the device and more.
The password manager application was designed so that the passwords stored by
users were encrypted in a way the attackers could decrypt and were
synchronized to a server under their control.

Windows and macOS malware

The Windows and macOS malware associated with Bahamut has been documented
in various reports over the years. The group used downloaders and backdoors
written in several programming languages but has a preference for Visual
Basic 6. Even though this is considered a simple language from a
programming perspective, it has benefits for malware authors: when compiled
to native code, VB6 is among the hardest code for malware analysts to
reverse engineer.

The group also used an encoding method in its malware that relies on
floating-point calculations performed on the CPU's x87 math co-processor.
Writing such an encoder requires a deeper understanding of the x87
architecture and is not commonly seen in malware, according to the BlackBerry
researchers, which suggests Bahamut's coders are skilled programmers.

The group borrows tools and mimics the techniques of other threat actors
and this has probably contributed to its campaigns flying under the radar
or being attributed to other threat actors. It has also used at least
one zero-day exploit
<https://www.csoonline.com/article/3284084/what-is-a-zero-day-a-powerful-but-fragile-weapon.html>
in the past that was likely originally developed by Chinese hackers.

Bahamut's malware includes checks for analysis tools commonly used by
researchers and antivirus programs, some of which are only popular in
certain regions of the world where its targets are located.

Impressive operational security

The BlackBerry researchers have observed some impressive operational
security measures taken by the group that exceed those of other APT
<https://www.csoonline.com/article/2615666/5-signs-youve-been-hit-with-an-apt.html>
groups, including state-sponsored ones. In addition to having the resources
and funds to quickly abandon and change infrastructure when exposed, the
group compartmentalizes its various campaigns.

"We find, for example, that no domains or IP addresses used to control or
distribute Windows malware are used for phishing or to administer malware
designed for any other operating system," the researchers said. "Similarly,
it is rare that any single server is used for more than a single mobile
application at any given time."

The group uses more than 50 different hosting providers to ensure
operational continuity, which is likely a very time consuming and expensive
effort. It's also very meticulous with domain registrations, using
different domain registrars and resellers, using different privacy services
and not associating many domains with the same email address. Despite all
these efforts, the group has still made mistakes that allowed researchers
to trace an impressive number of previously unattributed or misattributed
campaigns back to it.
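The compartmentalization BlackBerry describes in the quote above, and the mistakes mentioned in the paragraph just before this one, are two sides of the same analytical task: pivot on the attributes each domain shares (IP, nameserver, registrant email) and see which campaigns end up linked anyway. The script below is an added example, not analysis from the report; the four campaign names, domains, addresses, nameservers and registrant emails are constructed, and the choice of pivot fields and the privacy-proxy exclusion are our own.

```python
"""Shared-attribute pivots across compartmentalized campaigns (added example)."""
from collections import defaultdict

# Constructed registration/hosting records for four hypothetical campaigns.
# Domains, IPs, nameservers and emails are invented; the shape mimics what an
# analyst assembles from passive DNS and historical WHOIS.
RECORDS = [
    {"campaign": "win-downloader", "domain": "update-cdn-a.example", "ip": "203.0.113.10",
     "registrar": "reg-one", "ns": "ns1.host-a.example", "email": "privacy@proxy-a.example"},
    {"campaign": "win-downloader", "domain": "update-cdn-b.example", "ip": "203.0.113.11",
     "registrar": "reg-one", "ns": "ns1.host-a.example", "email": "privacy@proxy-a.example"},
    {"campaign": "phish-webmail", "domain": "accounts-verify.example", "ip": "198.51.100.20",
     "registrar": "reg-two", "ns": "ns1.host-b.example", "email": "privacy@proxy-b.example"},
    {"campaign": "phish-webmail", "domain": "mail-secure-login.example", "ip": "198.51.100.21",
     "registrar": "reg-two", "ns": "ns1.host-b.example", "email": "ops.persona@example.org"},
    {"campaign": "android-c2", "domain": "api-fitpal.example", "ip": "192.0.2.30",
     "registrar": "reg-three", "ns": "ns1.host-c.example", "email": "ops.persona@example.org"},
    {"campaign": "fake-news-site", "domain": "techdesk-daily.example", "ip": "192.0.2.40",
     "registrar": "reg-three", "ns": "ns1.host-d.example", "email": "privacy@proxy-a.example"},
]

PIVOT_FIELDS = ("ip", "ns", "email")  # registrar alone is too common to pivot on
# Registrant emails belonging to WHOIS privacy services are shared by many
# unrelated customers; treating them as links produces false clusters.
PRIVACY_PROXY_DOMAINS = {"proxy-a.example", "proxy-b.example"}


def is_noise(field, value):
    """Values that many unrelated registrants share are not evidence of a link."""
    return field == "email" and value.split("@")[-1] in PRIVACY_PROXY_DOMAINS


def shared_pivots(records, fields=PIVOT_FIELDS, ignore_noise=True):
    """Map (field, value) -> campaigns sharing it, for values seen in >1 campaign."""
    seen = defaultdict(set)
    for r in records:
        for f in fields:
            if ignore_noise and is_noise(f, r[f]):
                continue
            seen[(f, r[f])].add(r["campaign"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def campaign_clusters(records, fields=PIVOT_FIELDS, ignore_noise=True):
    """Union-find over campaigns linked by any shared pivot value."""
    parent = {r["campaign"]: r["campaign"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for camps in shared_pivots(records, fields, ignore_noise).values():
        camps = sorted(camps)
        for c in camps[1:]:
            parent[find(c)] = find(camps[0])
    clusters = defaultdict(set)
    for c in parent:
        clusters[find(c)].add(c)
    return sorted(sorted(v) for v in clusters.values())


if __name__ == "__main__":
    for (field, value), camps in shared_pivots(RECORDS).items():
        print(f"{field}={value} links {sorted(camps)}")
    print(campaign_clusters(RECORDS))
```

In the constructed data no IP or nameserver crosses a campaign boundary, which is the separation the quote describes; the one reused persona email is the kind of slip that collapses two compartments into one cluster, while the privacy-proxy addresses are dropped so they cannot manufacture a link between unrelated registrations.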

"Operational security will become increasingly important as more and more
intelligence functions are outsourced by governments, corporations, and
private individuals to groups like Bahamut," the BlackBerry researchers
said. "For, while these third parties add a layer of plausible deniability
for those who employ them, they also introduce additional weaknesses that
are not always immediately obvious."