Researchers on Wednesday reported that Bahamut, an advanced persistent threat (APT) group first discovered in 2017, has recently been involved in phishing campaigns delivering malware to targets in the Middle East and South Asia.
In a blog post, Cyble researchers said after about a year of silence, a new variant of Bahamut malware was spotted in the wild this past April, and the threat actors behind the APT group have increasingly shifted focus to target mobile devices.
The researchers said the phishing sites were masked as genuine websites for downloading a messaging application that provides secure communication. They also said the group has invested a great deal of time in developing a well-designed phishing website to attract the victim to download the malware.
Here’s an example of how threat actor groups continue to improve their tradecraft so they can maximize the likelihood of a target becoming successfully infected, said Jason Hicks, executive advisor and field CISO at Coalfire. Hicks said by taking the time to create a reasonably good-looking site to obtain the infected files from, they increase the chances a target will install the software.
“It also shows they are taking the time to analyze their capabilities and then using that information to enhance their malware to collect additional data,” Hicks said. “It’s clear their goal is to acquire sensitive or potentially embarrassing information from their targets.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that threat actors like Bahamut have continued to evolve their methods and techniques to counter improved defenses. Parkin said they are well past the point where they operate as gangs and have moved into the realm of professionally run criminal enterprises.
“Here, we are seeing a group updating their Android malware and focusing on a specific audience,” Parkin said. “Using a website that rivals that of a professionally developed, legitimate application should come as no surprise. Creating one is comparatively easy to do, and many users know enough to avoid the amateurish sites often used to spread malware in the past. This does mean we need to continue focusing on user education, and with so much work being done on mobile devices, organizations may need to do more to protect those devices for their employees.”