Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign

Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov

Key Findings

Anomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.
This exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.
We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.
Bahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.

Overview

Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (List1.docx) that contained a bundled component shared with another .docx file, which was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in the sections below.

The header dates of the template injection resource (lobertica.info/fefus/template.dot) contacted by "Screeshot from NACTA Website.docx" (the "Screeshot" spelling error is in the original filename) indicate malicious activity dating back to at least June 4, 2020. The document title may be a reference to Pakistan's National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut's previous targeting and geographic focus. The June timeframe also aligns with Pakistan's virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held ..