Bad Actor Uses Fake Android Chat to Install Malware

Stu Sjouwerman | Aug 2, 2023

Researchers at CYFIRMA warn that the Bahamut threat actor is using a malicious Android app to deliver malware.

“The suspected Android malware, known initially as ‘CoverIm’, was delivered to victims via WhatsApp, and was found to be disguised as a dummy chatting application named ‘SafeChat,’” the researchers write. “The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information before the victim realizes that the app is a dummy; the malware cleverly exploits unsuspecting Android libraries to extract and transmit data to a command-and-control server.”

After the app is installed, it will continually ask the user to grant it accessibility permissions.

“Once the user clicks on ‘Allow’...the app takes the user to the accessibility page and asks the victim to enable accessibility for the Safe Chat app,” the researchers write. “Once the accessibility is on, then the malware will capture activity on screen including keystrokes. Until it is enabled, the app will throw a pop-up message again and again.”
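The abuse described above hinges on the victim enabling an accessibility service for the lure app, because an enabled accessibility service can observe screen content and keystrokes. A practical defender's check is to audit which accessibility services are enabled on a managed device and flag any package that is not on an approved list. The script below is an added example, not CYFIRMA's or KnowBe4's code. It assumes the value was captured with `adb shell settings get secure enabled_accessibility_services`, which returns a colon-separated list of flattened component names (`package/class`, where the class may be abbreviated with a leading dot); the sample value, the `com.example.safechat` package and the allowlist are all constructed for illustration.

```python
"""Audit enabled Android accessibility services from a captured settings value.

Added example (not CYFIRMA's or KnowBe4's code). Assumes the value came from:
    adb shell settings get secure enabled_accessibility_services
Package names, class names and the allowlist below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample: a legitimate screen reader plus a lure app standing in
# for the "SafeChat" dummy chat application described in the post.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.safechat/com.example.safechat.AccessibilityHelper"
)

# Packages an administrator has approved to run an accessibility service
# (assumption for the example; a real fleet would maintain its own list).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str  # fully qualified class name


def parse_enabled_services(value: str) -> list[AccessibilityService]:
    """Split the settings value into (package, fully qualified class) pairs.

    `settings get` prints "null" when the key is unset, so treat that and an
    empty string as "no services enabled".
    """
    if value.strip() in ("", "null"):
        return []
    services: list[AccessibilityService] = []
    for entry in value.strip().split(":"):
        if not entry:
            continue  # tolerate a trailing or doubled separator
        package, sep, cls = entry.partition("/")
        if not sep:
            cls = ""  # malformed entry without a class part; keep the package
        elif cls.startswith("."):
            cls = package + cls  # expand the abbreviated class name
        services.append(AccessibilityService(package, cls))
    return services


def find_unexpected(
    services: Iterable[AccessibilityService],
    allowlist: set[str] = KNOWN_GOOD,
) -> list[AccessibilityService]:
    """Return every enabled service whose package is not approved."""
    return [s for s in services if s.package not in allowlist]


def audit(value: str, allowlist: set[str] = KNOWN_GOOD) -> dict[str, list[str]]:
    """Summarise the device state as approved vs. unexpected packages."""
    services = parse_enabled_services(value)
    unexpected = find_unexpected(services, allowlist)
    return {
        "enabled": [f"{s.package}/{s.service_class}" for s in services],
        "unexpected": [s.package for s in unexpected],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VALUE)
    for line in report["enabled"]:
        print("enabled:   ", line)
    for pkg in report["unexpected"]:
        print("UNEXPECTED:", pkg, "(review or revoke accessibility access)")
```

Run it against the real value from a device by replacing `SAMPLE_VALUE` with the captured string; any package reported as unexpected is worth checking in the device's accessibility settings, since a chat app has no legitimate need for that permission.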

While Bahamut was previously believed to be a mercenary group, CYFIRMA believes the threat actor is based in India and works for a single nation-state government.

“In this specific attack, the threat actor conducted targeted spear messaging attacks on WhatsApp Messenger, focusing on individuals in the South Asia region,” the researchers write. “The malicious payload was delivered directly through WhatsApp chat. The attack on the individual served the interest of one nation state government. The nature of this attack, along with previous incidents involving APT Bahamut, possibly indicates that it was carried out to serve the interests of one nation state government. Notably, APT Bahamut has previously targeted Khalistan supporters, advocating for a separate nation, posing an external threat to India. The threat actor has also aimed at military establishments in Pakistan and individuals in Kashmir, all aligning with the interests of one nation state government.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

CYFIRMA has the story.
