BAHAMUT – The Smarter Threat Actor on a Mission

Phishing scam cases continue to increase and are reported frequently. Many organisations and individuals continue to fall victim to such scams despite numerous efforts taken by their organisations in educating them on the dangers of phishing. Opportunistic cybercriminals have also been using the COVID-19 pandemic to conduct malicious cyber activities, creating a bigger headache for most companies. With the increasing reliance on the Internet during this period, good cyber hygiene is a necessity.

According to a research report by BlackBerry, the cyberespionage threat group BAHAMUT, the world’s largest hack-for-hire operation, has increased its attacks. The group targets governments, corporations and human rights groups through highly targeted phishing campaigns and has created a vast ‘fake news’ network designed to discredit certain causes.

The report, BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps, provides new insights into the group and shows how it deployed a vast array of sophisticated disinformation campaigns. BlackBerry’s Research & Intelligence Team found that BAHAMUT currently presides over a significant number of fake news entities – ranging from fraudulent social media personas to the development of entire news websites built to include disinformation – to both further certain causes and to gain information on high-value targets.

Interestingly, while there are many threat actors, what differentiates BAHAMUT is the level of sophistication at which it operates. Eric Cornelius, Chief Product Architect at BlackBerry, pointed out that the malicious applications attributable to BAHAMUT were accompanied by impressively well-designed websites, well-defined privacy policies and even clearly written terms of service – details that are often overlooked by threat actors. At the time of the report’s publication, over a dozen malicious applications were still active.

Before carrying out phishing attempts, BAHAMUT patiently conducts significant reconnaissance on its targets’ interests and click-habits, particularly when mounting tailored attacks on the personal accounts of high-level executives and government officials. The same care is evident in the group’s use of zero-day exploits across an array of targets, reflecting a skill level well beyond that of most other known threat actor groups.

“We have also assessed BAHAMUT’s phishing and credential harvesting tradecraft to be significantly better than the majority of other publicly known APT groups. This is principally due to the group’s speed, their dedication to single-use and highly compartmentalised infrastructure, along with their ability to adapt and change, particularly when their phishing tools are exposed”, said Eric.

To continuously evade detection, BAHAMUT often builds anti-analysis features directly into its backdoors as well as its exploit shellcode (e.g. simultaneous evasion of multiple AV products). When exposed, the group changes tactics immediately and learns from its mistakes, even when those tactics are not explicitly called out by research groups.

Eric added that BAHAMUT appears to be not only well-funded and well-resourced but also well-versed in cyber threat research and the cognitive biases analysts often possess. Taken together, these aspects present a considerable attribution challenge. As hackers-for-hire, BAHAMUT’s elusive nature and complex operations present a threat from the national security level down to the individual.

Targeting Victims
BAHAMUT has been found to target victims from all over the map, making it difficult to construct a single victimology. Attacks were tailored to each individual target, including their preferred operating system and communication medium(s). BAHAMUT’s tradecraft is exceptional: each step is carefully planned with a sound understanding of both the group’s own capabilities and its targets.

“For instance, our analysis of BAHAMUT’s malicious Android apps surfaced a variety of modifications made to the APKs. Most of them had limited to no detection in a commonly used malware repository. In most cases, the APK files were composed of completely legitimate code and well-known Android libraries, which helped cloak the underlying activity from common static detection methods. BAHAMUT’s malicious iOS apps encrypted any sensitive strings in the binary, including network call-back information and any information that could have tipped off Apple as to the applications’ true intent”, said Eric.

Eric explained that all the backdoors possessed the ability to upload a file to a remote server. This effectively allowed the group to remotely identify and upload any potential file of interest on the compromised devices. Functionality to enumerate device information, access contacts, access call records, access SMS messages, record phone calls, record audio, record video, download and update the backdoor and track GPS location was also observed amongst the samples.
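The capability list above (contacts, call records, SMS, call and audio recording, video, GPS, device enumeration) maps directly onto Android permissions, which gives a defender a cheap static triage check that does not depend on signature detection of the mostly legitimate code the quote describes. The following script is an added illustration, not code from the report or from BlackBerry: it parses a text-form AndroidManifest.xml (assumed already decoded from the APK’s binary XML by a tool such as apktool) and flags an app that requests the surveillance-capable combination. The two manifests embedded in it are constructed samples, not real BAHAMUT artefacts, and the threshold of four capabilities is an arbitrary assumption to tune per environment.

```python
"""Static triage heuristic for Android manifests (added example, not from the report).

Flags an app whose declared permissions cover several of the capabilities the
report attributes to BAHAMUT's mobile backdoors. Assumes the manifest has already
been decoded from binary XML to text (e.g. with apktool); both manifests below
are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability named in the report, with the Android permissions that grant it.
# (Permission names are the real android.permission constants.)
CAPABILITY_PERMISSIONS = {
    "access contacts": {"android.permission.READ_CONTACTS"},
    "access call records": {"android.permission.READ_CALL_LOG"},
    "access SMS messages": {"android.permission.READ_SMS",
                            "android.permission.RECEIVE_SMS"},
    "record phone calls / audio": {"android.permission.RECORD_AUDIO"},
    "record video": {"android.permission.CAMERA"},
    "track GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.ACCESS_COARSE_LOCATION"},
    "enumerate device information": {"android.permission.READ_PHONE_STATE"},
}

# Constructed manifest: a "messenger" that asks for the whole surveillance set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Constructed Messenger"/>
</manifest>"""

# Constructed manifest: a news reader that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Constructed News"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def matched_capabilities(permissions: set) -> list:
    """List the report's capabilities that the declared permissions would enable."""
    return sorted(
        capability
        for capability, grants in CAPABILITY_PERMISSIONS.items()
        if permissions & grants
    )


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Score a manifest; 'suspicious' is True when at least `threshold` capabilities match.

    The threshold is an assumption for this example; a real deployment would also
    weigh the app's stated purpose against the permissions it requests.
    """
    permissions = declared_permissions(manifest_xml)
    capabilities = matched_capabilities(permissions)
    return {
        "permission_count": len(permissions),
        "capabilities": capabilities,
        "suspicious": len(capabilities) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("messenger", SUSPICIOUS_MANIFEST), ("news", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["capabilities"])
```

The check is deliberately coarse: a legitimate dialer or messenger can justify several of these permissions, so the output is a prioritisation signal for an analyst rather than a verdict, which is the right expectation for apps that, as the quote notes, evade conventional static detection.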

Regarding the Windows malware BAHAMUT deployed, Eric said, “we identified a simple downloader which checked the site for additional payloads to retrieve and execute. BAHAMUT then deployed backdoors and file harvesting tools that communicated with or were delivered from the group’s domains. The encoding method employed in them was slightly different but could be readily decoded. Slightly more than a dozen of those used a protocol similar to previous BAHAMUT samples and directly communicated to BAHAMUT-controlled domains, many of which contained various randomly named web paths and PHP pages”.

At the same time, the pandemic has forced many organisations to rapidly develop and deploy technologies to help maintain business continuity. While these solutions are often functional, some may not be secure enough for the long term. Threat actors like BAHAMUT may capitalise on such vulnerabilities, although we haven’t attributed any specific recent activity to the group at this point.

“To mitigate such disruptions to organisations, we’d advise using modern productivity tools that provide not only a great user experience but also next-generation AI-driven security. After all, mobile employees will need secure access to the data and applications required to do their work remotely”, said Eric.

Dealing With Threats
As such, businesses need to be able to take the right steps in protecting their valuable assets. Eric believes that operational security will become increasingly important as more and more intelligence functions are outsourced by governments, corporations and private individuals to mercenary groups like BAHAMUT. As phishing emails continue to increase, the first thing an organisation can do is teach its staff how to look out for signs of malicious activity and how to react if they are suspicious. Applying zero trust to your inbox is critical.

Also, AI-based cybersecurity solutions can address the challenge by identifying and stopping threats before they can execute. Security solutions that leverage machine learning can render malware, ransomware and zero-day attacks ineffective at machine speed.

“In addition to offering our customers assistance in securing their remote working programs, at no cost, we’re also focused on continuous innovation in enterprise security”.

For instance, BlackBerry Spark Suites offers the broadest set of security capabilities and visibility covering users, devices, network, apps and data, as well as data management and data privacy. It harnesses the combined power of components from Unified Endpoint Security (UES) and Unified Endpoint Management (UEM) to work seamlessly together to provide the highest level of security and management with a simpler, more productive user experience on any endpoint, from any location, over any network. The UES platform comprises four complementary technologies (endpoint protection, endpoint detection and response, mobile threat defence and continuous authentication).

“With the integration of Cylance technologies into BlackBerry’s portfolio, we are leveraging Artificial Intelligence, machine-learning and automation to provide mission-critical cyber threat prevention and remediation, coupled with complete visibility across desktop, mobile, server and other IoT (including automotive) endpoints”, concluded Eric.
