Attack attribution is one of the most difficult aspects of malware research and it's not uncommon for different security companies to attribute attack campaigns to different threat actors only to later discover that they were the work of the same group.
However, a new paper by researchers at Blackberry stands out by exposing an elusive group dubbed Bahamut as responsible for a spider web of carefully constructed and carried out phishing and malware attacks.
The group's hacking activities trace back to at least 2016, involve malware for Windows, macOS, iOS and Android. They have impacted a diverse range of individuals, including government officials, separatists and human rights activists from several countries.
Some of the group's campaigns were documented by many researchers or security companies over the years but they were unattributed or attributed to threat actors using different names.
"Over the years, researchers at several other organisations including Amnesty International, Kaspersky, Trend Micro, Cymmetria, DarkMatter, ESET, Norman, Antiy, Forcepoint, Symantec, Palo Alto, Fortinet, 4Hou, Bitdefender, Cisco Talos, Microsoft, Qianxin, and others gave us a different view of Bahamut, often under different names," the BlackBerry researchers said in their paper. "Many speculated openly about what it was they were analysing and where the group’s distinctive features might lead them."
According to BlackBerry's assessment, Bahamut, which was named by researchers writing for open source intelligence site Bellingcat in 2017, is the same group described in previous research by different companies as EHDEVEL, Windshift, URPAGE and The White Company, as well as the actor responsible for the campaigns described by Kaspersky Lab in 2016 in its research on the InPage zero-day vulnerability, Cisco Talos' research on malicious MDM and the attack against Pakistan research from Qianxin.
What is Bahamut and how does it operate?
Based on the group's varied and carefully segmented attack campaigns that target both high-value individuals and larger groups of people across different regions with different geopolitical interests, the BlackBerry researchers believe it's plausible that Bahamut is a mercenary group that sells its services to different clients. This theory was first proposed in 2017 by researchers writing for Bellingcat.
Hacker-for-hire groups that use APT-style techniques have become a common element of the threat landscape in recent years, challenging the threat models of many businesses. However, Bahamut stands apart even among cyber espionage groups through its attention to detail, operational security and considerable efforts spent to learn the behaviour of their targets.
According to BlackBerry, Bahamut relies heavily on manipulating its victims through a constantly shifting web of fake social media accounts and personas and even fake news websites and applications that don't appear to be malicious in nature and often generate original content. This is meant to exploit the victims' interests and earn their trust.
"First encounters with Bahamut begin innocently," the researchers said. "One might start with a simple direct message on Twitter or LinkedIn from an attractive woman, but with no suspicious link to click. Another might occur when scrolling through Twitter or Facebook in the form of a tech news article.
"Maybe you’d be taking a break at work and checking out a fitness website. Or perhaps you’re a supporter of Sikh rights looking for news about their movement for independence. You’d click, and nothing bad would appear to happen. On the contrary, you’d experience a legitimate, yet fabricated reality."
One example is a technology news website that was at some point focused on mobile device reviews. At some point it was taken over by the group and the tone and nature of the articles changed to include security research and geopolitical themes.
Its list of contributors now includes fake personas whose photos are of real news anchors and reporters working for local US TV stations. The site even has Twitter and Facebook accounts, even though their number of followers is very low.
This highlights the lengths the group is prepared to go and the efforts it's willing to put in to reach its intended targets. While the tech news website appears to generate original content, another site operated in the past by the group called Times of Arab was mirroring legitimate news articles from other websites.
The researchers identified a large number of fake websites tied to the Bahamut that appeared to have no relation to one another and served a variety of interests including exploits sales, fitness, travel, Sikh independence and secession in India.
Some of them were benign, but others were used for phishing purposes. In addition to the websites, a plethora of fake social media accounts promoted or directed people to these websites.
Bahamut's activities have historically focused on the Middle East in countries such as Egypt, Iran, Palestine, Turkey, Tunisia, Saudi Arabia, Qatar and the United Arab Emirates with targets including government officials, diplomats, human rights NGOs and activists, journalists, Islamic scholars and more.
Another nexus of activity was observed in South Asia, with India and Pakistan in particular and a focus on Sikh rights advocates and Islamist groups active in the Kashmir region.
Other campaigns that have been documented in the past and have now been attributed to Bahamut targeted users in China and Europe. The group has also targeted individuals working for companies from the technology, media, aerospace and financial industries.
The group is well versed in the art of phishing and targets victims on their personal email accounts rather than their government or corporate addresses. If their first attempt is unsuccessful, the attackers follow up with a second email that includes personal information about the victim, like their phone number, in an attempt to gain more credibility.
"Throughout our analysis of their phishing behaviour, BlackBerry observed that Bahamut was generally in possession of a great deal of information about their targets prior to phishing them," the researchers said. "This was clearly the result of a concerted and robust reconnaissance operation. BlackBerry strongly suspects that much of the data came as a direct result of the group’s extensive deployment of 'fakes.'
"Remember, the term 'fakes' here should be taken to mean any attacker-controlled websites designed to imitate another website, any attacker owned social media profiles, or any attacker-controlled website designed to disseminate information."
BlackBerry observed Bahamut phishing pages that mimicked various government agency login pages but also most of the public email and messaging services including Gmail, Yahoo, Apple ID, Twitter, Facebook, Telegram, Microsoft Live, Microsoft OneDrive, Sina and ProtonMail.
Victims are taken to the phishing pages through numerous redirects using URL shortening services and the phishing sites are sometimes live only for a few hours, making it hard for security researchers to analyse their campaigns.
The group also carefully monitors any research the security industry releases about its campaigns and immediately shuts down and replaces the exposed infrastructure. They also appear to learn from the mistakes that allowed researchers to track down their websites and servers and avoid them in the future.
Android and iOS malware
A big part of Bahamut's tradecraft involves the creation and use of back-doored Android and iOS applications. The BlackBerry researchers found multiple such applications on the official app stores for both mobile platforms that managed to bypass Google and Apple's reviews and code checks. Most of them were only available in certain countries where the group's intended victims were located.
The applications were all posted from separate developer accounts, had well designed descriptions, screenshots and websites with clearly written privacy policies and terms of service. This suggests a lot of effort and attention to detail went into creating them.
The nature of the applications varied from call recording to music and video playing, fitness tracking, messaging and VOIP, password management or Muslim prayer reminders. The researchers also found applications that were distributed outside the official app stores, but in most cases the applications had legitimate functionality and had been created using well-known libraries to avoid raising suspicion.
On Android, the apps could enumerate files with different file types on the devices and upload them to a server. Some samples also had the ability to enumerate device information, access contacts, access call records, access SMS messages, record phone calls, record audio, record video, download and update the backdoor and track GPS location.
On iOS, the malicious functionality was more limited, but had access to various pieces of data such as access and location information, health data, calendar data, keyboard input, credentials inputted into the application for various accounts, contact information, files located on the device and more.
The password manager application was designed so that the passwords stored by users were encrypted in a way that attackers could decrypt it and was synchronised with a server under their control.
Windows and macOS malware
The Windows and macOS malware associated with Bahamut has been documented in various reports over the years. The group used downloaders and backdoors written in several programming languages but has a preference for Visual Basic 6.
Even though this is considered a simple language from a programming perspective, it has benefits for malware authors since it's one of the hardest to reverse-engineer by malware analysts if the code is compiled natively.
The group also used an encoding method in its malware that takes advantage of floating-point calculations which are performed on the CPU's math co-processor. This requires a deeper understanding of the x87 architecture and is not commonly seen in malware, according to the BlackBerry researchers, which suggests Bahamut's coders are skilled programmers.
The group borrows tools and mimics the techniques of other threat actors and this has probably contributed to its campaigns flying under the radar or being attributed to other threat actors. It has also used at least one zero-day exploit in the past that was likely originally developed by Chinese hackers.
Bahamut's malware includes checks for analysis tools commonly used by researchers and antivirus programs, some of which are only popular in certain regions of the world where its targets are located.
Impressive operational security
The BlackBerry researchers have observed some impressive operational security measures taken by the group that exceed those of other APT groups, including state-sponsored ones. In addition to having the resources and funds to quickly abandon and change infrastructure when exposed, the group compartmentalises its various campaigns.
"We find, for example, that no domains or IP addresses used to control or distribute Windows malware are used for phishing or to administer malware designed for any other operating system," the researchers said. "Similarly, it is rare that any single server is used for more than a single mobile application at any given time."
The group uses more than 50 different hosting providers to ensure operational continuity, which is likely a very time consuming and expensive effort. It's also very meticulous with domain registrations, using different domain registrars and resellers, using different privacy services and not associating many domains with the same email address.
Despite all these efforts, the group has still made mistakes that allowed researchers to trace an impressive number of previously unattributed or misattributed campaigns back to it.
"Operational security will become increasingly important as more and more intelligence functions are outsourced by governments, corporations, and private individuals to groups like Bahamut," the BlackBerry researchers said. "For, while these third parties add a layer of plausible deniability for those who employ them, they also introduce additional weaknesses that are not always immediately obvious."