The Bahamut APT group has been targeting Android users via a fake SecureVPN website since at least January 2022.
According to a new advisory from Eset, the app used as part of this malicious campaign was a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN. In both cases, the apps were repackaged with Bahamut spyware code.
“We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained,” Eset wrote.
The security researchers explained that the main purpose of the app modifications was to exfiltrate sensitive user data and spy on victims’ messaging apps.
In particular, the fake SecureVPN Android apps could extract sensitive data such as SMS messages, contacts, call logs, device location and recorded phone calls.
They also enabled spying on chat messages in several messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.
The messaging data is collected through the malware’s keylogging functionality, which relies on Android’s accessibility services. Eset suggested that the campaign appears highly targeted, as the company did not find any instances in its telemetry data.
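The capability combination described above (a VPN client that also declares an accessibility service and requests the permissions needed to read SMS, contacts, call logs, location and the microphone) is something an analyst can check for in a decoded manifest before going further. The script below is an added example written for this article; it is not Eset’s tooling and not code from the campaign. It assumes the manifest has already been decoded to text XML (for example with apktool), the permission-to-category mapping is the example’s own, and the sample manifest, package name and class names are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the pattern described above: a VPN
app that also declares an accessibility service and requests permissions for
SMS, contacts, call logs, location and audio. Added example for this article,
not Eset's tooling. Assumes a decoded text manifest (e.g. from `apktool d`)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Permissions mapped onto the data categories the advisory names. This mapping
# is the example's own, not a list taken from the report.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "recorded phone calls",
}


def _a(elem, attr):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def accessibility_services(root):
    """Return class names of services that can receive accessibility events.
    A real accessibility service is protected by BIND_ACCESSIBILITY_SERVICE
    and filters the AccessibilityService action; either alone is reported,
    since malware authors do not always declare both."""
    found = []
    for svc in root.iter("service"):
        has_perm = _a(svc, "permission") == ACCESSIBILITY_PERMISSION
        has_action = any(_a(act, "name") == ACCESSIBILITY_ACTION
                         for act in svc.iter("action"))
        if has_perm or has_action:
            found.append(_a(svc, "name"))
    return found


def triage_manifest(manifest_xml):
    """Summarise the manifest and flag the VPN-plus-spyware combination."""
    root = ET.fromstring(manifest_xml)
    requested = {_a(p, "name") for p in root.iter("uses-permission")}
    categories = sorted({SPYWARE_PERMISSIONS[p] for p in requested
                         if p in SPYWARE_PERMISSIONS})
    is_vpn = any(_a(s, "permission") == VPN_PERMISSION
                 for s in root.iter("service"))
    a11y = accessibility_services(root)
    return {
        "package": root.get("package"),
        "is_vpn_app": is_vpn,
        "accessibility_services": a11y,
        "data_categories": categories,
        # A VPN client has no need to watch other apps' screens or read SMS;
        # the combination, not any single permission, warrants a closer look.
        "suspicious": bool(a11y) and len(categories) >= 2,
    }


# Constructed manifest in the shape of a repackaged VPN client. The package
# and class names are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="SecureVPN">
        <service android:name=".VpnTunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
        </service>
        <service android:name=".KeyboardHelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest extracted from a suspect APK; a hit on `suspicious` is a triage signal, not proof of infection, since some legitimate accessibility tools also request broad permissions, so the flagged service class is the next thing to decompile.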
“We believe that targets are carefully chosen since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” reads the technical write-up.
More broadly, the advisory notes that the Bahamut APT group, active since at least 2017, typically targets organizations and individuals in the Middle East and South Asia.
“Bahamut specializes in cyberespionage, and we believe its goal is to steal sensitive information from its victims,” Eset wrote. “Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients.”
The company’s advisory comes weeks after security researchers at Zimperium discovered a new Android spyware family dubbed ‘RatMilad’ attempting to infect an enterprise device in the Middle East.