Hack-for-Hire Group BAHAMUT Managed to Build a Fake Online Empire

Cyber Threat

BlackBerry estimates that the hack-for-hire organization BAHAMUT has managed to establish a fake online empire to exploit cyber-espionage practices targeting the Middle East and other regions around the world.

The cyber-espionage group was briefly described in 2017, but its activity spans a much longer period. It is tracked as BAHAMUT and has also been observed as EHDEVEL, WINDSHIFT, Urpage, and THE WHITE COMPANY.

In fact, several other publications that did not attribute the activity, including a 2016 Kaspersky article on attacks exploiting vulnerabilities in the InPage word processor, appear to have described this threat actor's operations.

“BlackBerry assesses that BAHAMUT was in fact using the InPage zero-day exploit first identified by Kaspersky in 2016 and assigned CVE-2017-12824, but never attributed. We also assess that a Chinese threat group first used it in 2009 to target a diaspora group seen as a possible threat to the Chinese Communist Party’s hold on power,” BlackBerry states in a new report.

Through a vast range of fake personas, including social media accounts, websites, and applications, the threat actor was able to stay under the radar. Some of these had original content and were designed to misrepresent reality, but they did not immediately reveal any sinister intent.

In fact, what separates this group from related threats is its use of original websites, applications, and personas across a wide variety of sectors and regions. The fake empire conveys authority and is capable of distorting users' perception of reality.

In addition, the adversary takes care to keep campaigns, network infrastructure, and phishing techniques separate, builds anti-analysis techniques directly into its backdoors, manipulates its shellcode, and changes tactics as soon as they are exposed. The group is also believed to reuse other groups’ tools and to imitate their tradecraft in order to hinder attribution.

BlackBerry says that BAHAMUT has a varied and lengthy list of targets, including government officials, politicians, human rights activists and organizations, human rights NGOs, financial services and telecommunications firms, media and foreign press based in Egypt, military organizations, aerospace organizations, and academics.

The group focuses predominantly on South Asia (particularly India and Pakistan) and the Middle East (particularly the UAE and Qatar), though victims in China and Northern and Eastern Europe have also been reported. The hackers tend to ignore targets found in the United States.

“BAHAMUT’s targeting is all over the map, which makes it impossible to construct a single victimology. BAHAMUT appears to be not only well-funded and well-resourced, but also well-versed in security research and in the cognitive biases of observers. Taken together, these elements present a major obstacle to attribution,” states BlackBerry.

The group is also suspected of having access to at least one zero-day developer and of operating over a dozen malicious Android and iOS applications. Trend Micro listed some of these apps earlier in its report on Urpage.

New apps were also found, all backed by well-designed websites, privacy policies, and terms of service, which increased their appearance of legitimacy. They were able to bypass Google's static code checks, and five of them were still on Google Play as of July 2020 (they were aimed exclusively at targets in the UAE).

Numerous other websites were set up to distribute additional applications, seven of which were used in recent campaigns. These included VPN and compass apps, but also software catering to the Sikh separatist movement.

“A number of changes were made to the APKs we discovered, and most had limited to no detection in a widely used malware repository. The APK files were mainly made up of entirely valid code and well-known Android libraries, which helped hide the underlying behavior from popular methods of static detection,” BlackBerry says.

In the Apple App Store, a total of nine malicious iOS apps attributed to BAHAMUT were found, all of which were still available as of August 2020. The apps had general themes of broad appeal: messaging, VoIP, prayer, file storage, and password management.

According to BlackBerry, the threat actor has also mastered the art of phishing to a degree beyond that of other groups, running targeted spear-phishing operations that last anywhere from a few hours to months. Moreover, the adversary has shown the ability to learn from its mistakes and continually refines its tradecraft.

The security company, which claims to have “a solid understanding of BAHAMUT’s current infrastructure,” assesses that BAHAMUT is a hack-for-hire group, as independent security researchers Collin Anderson and Claudio Guarnieri have previously suggested.

“For a group that has historically distinguished itself through above-average operational security and highly skilled technical capabilities, BAHAMUT operators are still human at the end of the day. Although their mistakes were few, they also proved disastrous. BlackBerry finds that even the most mature of threat groups are subject to the idiom ‘old habits die hard’,” BlackBerry concludes.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.