Bahamut Group

Cybercriminals have unleashed a treacherous Android app named ‘SafeChat,’ enabling them to inject devices with spyware capable of siphoning call history, text messages, and GPS locations from smartphones. Experts believe this malicious Android spyware by Bahamut Group is a variant of “Coverlm,” notorious for pilfering data from various communication apps, including Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.

Unveiling the Puppeteers behind the Malware: The Bahamut Group

Researchers from CYFIRMA have identified the ‘Bahamut’ group, an Indian APT (Advanced Persistent Threat) hacking outfit, as the orchestrators of this sinister campaign. The group’s primary modus operandi involves spear-phishing attacks on WhatsApp, dispatching the harmful payloads directly to the unsuspecting victim.

CYFIRMA’s team has also uncovered similarities in tactics, techniques, and procedures (TTP) with another Indian state-sponsored threat group, ‘DoNot APT’ (APT-C-35), infamous for littering Google Play with counterfeit chat apps camouflaged as spyware.

BahamutGroup History of Misdeeds and Its Latest Maneuvers

Last year, the Bahamut group made headlines for deploying counterfeit VPN apps for Android, replete with extensive spyware functions. In CYFIRMA’s most recent observation, Bahamut has set its sights on individuals across South Asia.

Delving into ‘Safe Chat’ Details

CYFIRMA has not provided specific information on the social engineering component of the attack. However, a common approach is to convince victims to install a chat app under the guise of moving the conversation to a safer platform.

Safe Chat artfully mimics a legitimate chat app. It guides the victim through a seemingly authentic user registration process that provides a convincing front for the embedded spyware. A crucial part of the infection process involves the app seeking permissions to use the Accessibility Services, which it then exploits to gain additional access rights.

These escalated permissions enable the spyware to tap into the victim’s contact list, SMS, call history, external device storage. It accurately pinpoint GPS location data from the compromised device.

Data Exfiltration and the Evidence Linking Bahamut Group to State-Sponsored Activity

The spyware features a specialized data exfiltration module. It transmits the stolen information to the attackers’ Command and Control (C2) server via port 2053. To prevent network data interception efforts, the cybercriminals use a “letsencrypt” certificate. It then encrypt the stolen data using a separate module that supports RSA, ECB, and OAEPPadding.

In their final report, CYFIRMA researchers conclude that there is compelling evidence linking Bahamut to state government in India. Further, the shared use of the same certificate authority with the DoNot APT group. It is similar data theft strategies, common targeting patterns, and exploiting Android apps. This is for infection suggest a degree of cooperation or overlap between the two groups.

Despite these findings, given the indiscriminate and opportunistic spread of these backdoors. Any system equipped with a USB port remains a potential target.