A threat actor involved in cyber espionage operations since 2017 lures victims with fake VPN software for Android, a trojanized version of legitimate software SoftVPN and OpenVPN.
Investigators say the campaign was “highly targeted” and focused on stealing contact and call information, device location and messages from multiple apps.
Mimicking VPN service
The operation has been attributed to an advanced threat actor tracked as Bahamut, believed to be a mercenary group providing hack-for-hire services.
ESET malware analyst Lukas Stefanko says Bahamut has repackaged the SoftVPN and OpenVPN apps for Android to add malicious code with spying features.
By doing so, the actor ensured that the app would still provide VPN functionality to the victim, while exfiltrating sensitive information from the mobile device.
To hide their operation and for credibility purposes, Bahamut used the name SecureVPN (which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute their malicious app.
Stefanko says the hackers’ rogue VPN app can steal contacts, call logs, location data and SMS, spy on chats in messaging apps such as Signal, Viber, WhatsApp, Telegram and Messenger from Facebook, and collect a list of files that are available are in external storage.
ESET’s researcher discovered eight versions of Bahamut’s spy VPN app, all with chronological version numbers, indicating active development.
All of the fake apps contain code only seen in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity firms Cyble and CoreSec360 [1, 2].
It’s worth noting that none of the trojanized VPN versions were available from Google Play, the official repository of Android resources, another indication of the targeted nature of the operation.
The method for the first distribution vector is unknown, but it could be anything from phishing via email, social media or other communication channels.
Details about Bahamut operations emerged in the public eye in 2017 when journalists from the investigative group Bellingcat published an article about the spy actor targeting Middle Eastern human rights activists.
Connecting Bahamut with other threat actors is a challenge, given that the group relies heavily on publicly available tools, constantly shifts tactics, and targets are not located in a particular region.
However, BlackBerry researchers note in a comprehensive report on Bahamut in 2020 that the group “appears not only to be well-funded and resourced, but also well-versed in security research and the cognitive biases often held by analysts.”
Some threat actor groups that Bahamut has been associated with include Windshift and Urpage.