A well-resourced hacker-for-hire group targets governments and activists all over the globe


An elusive hacker-for-hire group is believed to be behind several cyber espionage campaigns that targeted business leaders, government officials, and activists in the Middle East and other countries across the world using previously unknown software flaws, malicious applications, and disinformation campaigns, according to a lengthy report from BlackBerry.

Dubbed Bahamut, but also tracked as EHDEVEL, WINDSHIFT, URPAGE, and THE WHITE COMPANY by other cybersecurity firms, the group has been observed conducting advanced attacks, including credential harvesting attacks and phishing campaigns, using Windows malware samples, zero-day exploits, and other techniques. The researchers say that Bahamut has access to at least one zero-day developer and leverages “zero-day exploits across an array of targets in expertly tailored fashion, reflecting a skill-level well beyond most other known threat actor groups.”

“BlackBerry assesses that the InPage zero-day exploit first identified by Kaspersky in 2016 and given CVE-2017-12824 but never attributed, was in fact used by BAHAMUT. We also assess that it was first developed by a Chinese threat group in 2009 for use in targeting a group in diaspora perceived to be a potential threat to the power of the Chinese Communist Party,” the researchers noted.

BlackBerry believes that the Bahamut group is the threat actor behind more than a dozen malicious apps that made their way into both the Google Play Store and the App Store.

“The applications were complete with well-designed websites, privacy policies and written terms of service – often overlooked by threat actors – which helped them bypass safeguards put in place by both Google and Apple,” the report continues.

The discovered apps worked as backdoors designed for cyber espionage. All of them were capable of enumerating file types on the device and uploading any file of potential interest. They also had the ability to enumerate device information, access contacts, access call records, access SMS messages, record phone calls, record audio, record video, download and update the backdoor, and track GPS location.

Furthermore, the cyber espionage group has created a “fake empire” of carefully crafted websites, applications, and personas across a wide array of industries and regions. It also operates additional websites that host malware or exploits, or act as phishing servers, or are a part of command and control infrastructure for Bahamut’s backdoors.

“Defining BAHAMUT is especially difficult in light of the fact that the group is suspected of re-using other groups’ tools and imitating their tradecraft. BAHAMUT also heavily leverages publicly available tools that further obscure attribution. The group takes great pains to keep its campaigns, network infrastructure, and phishing tools separate from one another. Anti-analysis features are often built directly into backdoors as well as exploit shellcode. When exposed, the group changes tactics immediately and learns from its mistakes, even when those tactics aren’t explicitly called out in research. BAHAMUT’s targeting is all over the map, which makes it difficult to concoct a single victimology,” the researchers said.

“BAHAMUT appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess. Taken together, these aspects present a considerable attribution challenge,” they added.
