Bahamut Threat Group Targeting Users Through Phishing Campaign

During Cyble’s routine threat hunting exercise, we came across a Twitter post mentioning a phishing campaign involving a Threat Actor (TA) hosting malicious Android APK files on a counterfeit version of Jamaat websites.

The phishing websites used by the TA are as follows:

• jamaat-ul-islam[.]com
• jamatapplication[.]com
• jamaatforummah[.]com
• jamaatforallah[.]com

The figure below shows the phishing page.

As per Cyble’s research, this campaign is identical to the Bahamut group. Therefore, it is likely that the Bahamut group is operating under this alias. Bahamut is a threat group targeting the Middle East and South Asia and its attack vectors are phishing campaigns and malware. First noticed in 2017, Bahamut has targeted many individuals and entities.

Our research team has downloaded the samples and conducted a thorough analysis. Based on this, the Cyble Research Lab concluded that the malware is a variant of spyware and uploads the data to a Command & Control (C&C) server. We also observed that the malicious app disguises itself as the Jamaat chat app and the Muslim Youth app.

Technical Analysis

APK Metadata Information

• App Name: JamaatChat
• Package Name: com.example.jamaat
• SHA256 Hash: 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325

Our initial analysis observed that the TA had hosted the file with different names for the same sample.

The Bahamut malware requests the user for 21 different permissions, of which 14 are dangerous. The dangerous permissions are listed below.

Permission Name	Description
android.permission.READ_CONTACTS	Access to phone contacts
android.permission.READ_EXTERNAL_STORAGE	Access device external storage
android.permission.WRITE_EXTERNAL_STORAGE	Modify device external storage
android.permission.READ_PHONE_STATE	Access phone state and information
android.permission.RECORD_AUDIO	Allows to record audio using device microphone
android.permission.ACCESS_COARSE_LOCATION	Fetch device location using a mobile network
android.permission.ACCESS_FINE_LOCATION	Fetch device location using GPS sensor
android.permission.ACCESS_BACKGROUND_LOCATION	Access location information in background
android.permission.CALL_PHONE	Perform call without user intervention
android.permission.CAMERA	Access device camera hardware
android.permission.READ_CALL_LOG	Access user’s call logs
android.permission.READ_SMS	Access user’s SMSs stored in the device
android.permission.RECEIVE_SMS	Fetch and process SMS messages
android.permission.WRITE_SETTINGS	Modify device’s system settings

When the user enables these permissions, the malicious app will collect information such as Contacts, SMSs, Call Logs, Audio, etc.

The below figure shows that the app requests permission at the start.

The Bahamut malware requests the user for Contacts and SMS permissions upon starting the application, among others. Once the victim enables these permissions, the malware initiates background services to collect information. The below figure depicts the code to start background services for collecting data.

The Bahamut malware creates a copy of the device’s contacts, SMS, call logs to the local database, named as tabs_database, in the initial stage. The below figure shows table details of the database.

Spyware Activity

1. Contacts: The spyware extracts all the contacts stored on the device and stores them on a database table user_contacts. The below figure shows the code to collect contacts and store the data in a database table.

• SMSs: As the below figure shows, the malware collects SMSs and stores it in a database table named user_sms.

• Call Logs: As the below figure shows, the Bahamut malware extracts call log data and stores the data on a database table call_logs.

• Files List: A list of files from device storage is classified as documents, audio, video, images and stored in a database table named as user_files
• Location: Collects device location information
• Device Hardware details: Collectsinformation such as IMEI number, IP address, device ID, and phone model.  

The below figure depicts the code to collect device information and location.

The malware creates listeners for users and device events, such as:

1. DEVICE BOOT UP
2. SMS RECEIVED
3. CALL RECEIVED
4. WIFI STATE CHANGE
5. User event/New contact added

The below figure shows the code related to the listener created for CALL RECEIVED event.

The Bahamut malware will upload the collected data whenever the afore-mentioned events are triggered on the victim device. The TA has also created a scheduler to upload data which will execute every 4 hours (14400000 milliseconds). The below code shows the listener for the BOOT-UP event which creates a scheduler that executes every 4 hours.

 As the below code shows, initializeSocket() is the function that uploads all the data to the C&C server.

For all communication with the C&C server, the fake app uses a framework called Socket.IO, a real-time, bidirectional communication library. In addition, Bahamut malware uses HTTPS protocol to communicate with the C&C server.

C&C server URL: hxxps://h94xnghlldx6a862moj3[.]de

The below figure shows the C&C server IP, which is stored in the application code.

The application also contains code to emulate a chat application by using the WebView functionality in Android.

Conclusion

According to our research, Bahamut frequently uses phishing pages as an attack vector to deliver malware. In this scenario, the group is targeting users trying to access Jamaat domains with Android Spyware.

To protect yourself from these infections, the user should prefer to install applications from the official Google Play Store. Also, be aware of the threat groups and their attack vectors and take measures accordingly.

Our Recommendations 

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

1. If you find this malware in your device, uninstall it immediately. 
2. Use the shared IoCs to monitor and block the malware infection. 
3. Keep your anti-virus software updated to detect and remove malicious software. 
4. Keep your system and applications updated to the latest versions. 
5. Use strong passwords and enable two-factor authentication. 
6. Download and install software only from registered app stores. 

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Defense Evasion	T1406 T1418	1. Obfuscated Files or Information 2. Application Discovery
Credential Access	T1412 T1517	1. Capture SMS Messages 2. Access Notifications
Discovery	T1421 T1422 T1430 T1426 T1424	1. System Network Connections Discovery 2. System Network Configuration Discovery 3. Location Tracking 4. System Information Discovery 5. Process Discovery
Collection	T1432 T1433 T1429 T1507 T1517	1. Access Contact List 2. Access Call Log 3. Capture Audio 4. Network Information Discovery 5. Access Notifications
Command and Control	T1436	Commonly Used Port

Indicators of Compromise (IoCs): 

Indicators	Indicator type	Description
9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325	SHA256	Hash of the sample1
c5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8	SHA256	Hash of the sample2
4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431	SHA256	Hash of the sample3
7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597	SHA256	Hash of the sample5
hxxps://h94xnghlldx6a862moj3[.]de	URL	C&C Server URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.