Rewterz Threat Alert – ‘Bahamut’ Threat Group Attacks Targets in the Middle East and South Asia

Severity

High

Analysis Summary

A hack-for-hire cyberespionage group named Bahamut is involved in advanced attacks targeting government officials and organizations with sophisticated credential harvesting attacks and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques. The group is politically motivated and has a wide range of targets. The group has historically targeted people and entities in South Asia, particularly India and Pakistan, as well as the Middle East, primarily the UAE and Qatar.
Despite its range of targets and attacks, a lack of discernible pattern or unifying motive leads researchers to believe Bahamut is likely acting as hack-for-hire operators. They believe the group has access to one zero-day developer and has leveraged zero-day exploits against multiple targets. Bahamut executed highly disparate targeting across a number of verticals and geographic regions.
While Bahamut’s activity in the Middle East has targeted private businesses and individuals, most of its attacks are aimed at government. In Saudi Arabia it went after seven different ministries and other agencies, with a focus on monetary and financial policy. It also targeted the Emirates, Qatar, Bahrain, and Kuwait, with an emphasis on foreign policy and defense. The firm researching the Bahamut group, called BlackBerry, provided a general list that includes Middle East human rights activists, the Saudi Minister of Energy, Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials. While attribution is difficult, BlackBerry believes Bahamut is located close to the regions it’s operating against and targeting people, businesses, government agencies, human rights groups, and political groups in South Asia and the Gulf, as well as in Europe, Africa, and China.

In the Middle East, BlackBerry observed phishing of government agencies, private businesses, and individuals. The majority of the targeting, however, was aimed at government. In Saudi Arabia, that included the targeting of seven different ministries and other agencies, with an added emphasis on monetary and financial policy. BlackBerry observed targeting of other government ministries in the Emirates, Qatar, Bahrain, and Kuwait, this time with an emphasis on foreign policy and defense. BAHAMUT’s targeting in the Middle East also takes a wider, more dragnet approach in the form of mobile phone applications. A more thorough discussion of the fake applications, many of which were available for download in the Emirates. BAHAMUT’s South Asian phishing targets are focused on individuals of greater importance in private industry, in contrast to the heavy government themed phishing in the Gulf.

Impact

• Credential Theft
• Unauthorized Access
• Theft of Sensitive Information

Indicators of Compromise

Domain Name

• m0-rnaiil-siina-chn-reload[.]everification-session-load[.]com
• aspnet[.]dyndns[.]infoassurecom[.]info
• rnail-appld-oath-varfiction[.]everification-session-load[.]com
• yes2khalistan[.]orgyes2khalistanis[.]com
• cocoka[.]infocrawloofle[.]com
• yfoodzone[.]netmyggl[.]ioo-auth[.]netonlinetokenid[.]com
• ghelp[.]cohealthclubfun[.]com
• sikhforjustice[.]orgsimilerwork[.]netstring2me[.]com
• imging[.]siteinlineirnage[.]com
• mail[.]techsprouts[.]com
• leelee[.]dnset[.]com
• uygur[.]51vip[.]bizuygur[.]eicp[.]netuygur[.]xicp[.]netvlprnaiill2-rnaill-slna[.]m0[.]everification-session-load[.]com
• rnaiill2-rnaill-slna-m0[.]everification-session-load[.]com
• kannat[.]ns01[.]uskhalistanlehar[.]com
• uyghuri[.]51vip[.]bizuyghurie[.]51vip[.]bizuygur[.]5166[.]info
• cdn-icloud[.]cocelebsnightmares[.]com
• devicesupport-rnicrosoft[.]com
• mideastleaks[.]com
• opticscold[.]com
• weddnest[.]com
• treemanic[.]com
• regditogo[.]com
• mail-incc[.]com
• accountvalidate[.]com
• oyesterclub[.]info
• i3mode[.]com
• by4mode[.]com
• electrobric[.]com
• tierradom[.]com
• cocahut[.]com
• thegogl[.]com
• prontexim[.]com
• techwach[.]com
• out-look-mail-bh[.]com
• leastinfo[.]com
• passwordsaverr[.]com
• myappie[.]com
• lobertica[.]info
• domforworld[.]com
• musicbandfiles[.]com
• trioganic[.]com
• cyroonline[.]com
• portal549[.]com
• user-privacy[.]com
• logstrick[.]com
• rhc-jo[.]com
• tansyroof[.]com
• setting-secure[.]com
• toysforislam[.]com
• sync-tokens[.]com
• cloud-authorize[.]com
• zhqdgk[.]com
• optusiy[.]com
• me-yahoo[.]com
• service-authorization[.]com
• timesofarab[.]com
• classmunch[.]com
• frexinq[.]com
• mindcraftstore[.]com
• freepunjab2020[.]info
• flux2key[.]com
• airfitgym[.]com
• scan8t[.]com
• mail-validation[.]info
• lizacorner[.]com
• medieczema[.]com
• mail-king[.]com
• poiusavid[.]com
• secure-useraccount[.]com
• signtabo[.]com
• bulletinalerts[.]com
• logon-info-gsupport[.]com
• login-private[.]com
• mailinfo-bh[.]com
• middleeastleaks[.]com
• trailhinder[.]com
• citrusquad[.]com
• myaccount-googie[.]com
• shiaar-e-islam[.]com
• privacylog[.]info
• opticzstore[.]com
• account-googie[.]com
• risalaencryptor[.]com
• gateway-yahoo[.]com
• hypforever[.]com
• ambicluster[.]com
• justsikhthings[.]com
• traxbin[.]com

MD5

• 94da91def54db4c1895eb7ba99eb75a6
• f8ea490deeb13bf515a0a1d33bd5b6bb
• 3ce849b9fdd2ce7fe8b31f49c343deb7
• 6e3dfe5cb86bdd2bfc5cab2daf9eee24
• 2a9a49b3b0b6f55803399aad72c8f6ae
• 5180c980360da8ffaf770258387ff728
• c6e1e1272473ab86e4dfccc7a5335933
• 9bb5e4e4ea632e7e218429e3e136751c
• eec26ee59a6fc0f4b7a2a82b13fe6b05
• 23b6b01d9d04ea827b5dfe13840b3f05
• 3658c97c99adf480bae105b2c68f0081
• 019db1adb064ff0245470d0c1972c515
• 1f4d325aaffb501239d4ecd149fa27be
• 14d056a3dd335ea126e44806a284c60d
• 05c49036da47e7684950dfd9799ab5fe
• cf51420cc1edca47adc8f4d0e2f524bb
• d257f1daa83938999907380d864ecdce
• 4a7e2e2de18721dd73f6f84c8aa280da
• 63c2bc55a032eef24d0746158727e373
• 146335f1c4ffaae9cf3d48e767a1c66b
• 1c1eee5c5be54320077c9c4d80ab0db8
• 4f2f98d7dc0bd884ecf683f5dcd93f57
• 95307752bd12eb171af6c919afcfbb35
• 818491940bbe171f98016e57325d5aa6
• ae8031cb4758b24d3b8c812c916e7c89

SHA-256

• 8986c8d4f5a889943cc7d7e30fd3067b61aaf71898103ce42584c1a9920c00e6
• 1992c9c08fbcaef379cc7990b850fec3382a1674913edcdfd2ba57e0403576e5
• e78eada4651e563d8ef269052d450b0a6c065a0995c55f2b4a5c1f13db31e60c
• f2ceed464a87bdc07c55d88b2385a271584783103928887e15dcbd1236c2048b
• d2f25965abef6abbdd9b7c8477f66d599dac346658fff67a728df66efcc74757
• 65398e0f12248ca71642216ff8606744305c2397c368ff072c243e6410fd42bc
• 5cd92037764fbd8a2dab9577b43e9a007af77859e38b67175fec6b7484efccea
• 20862996f0511f9a3bd1d92c690bb499a6fbb07683889cba2c2d574a34d881da
• 013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852
• e2f1fa2da3ad8ec31e16e560eb716c9e83a797bf870ab84ec147489a15894da1
• 54c1330eb733712935f47a125704c11149a1e09601791bce44ccb067bf19d43b
• bb9c03e5e4fb8774b28a56ca519e8a9de0f5704674d91bac6ffb129426b83075
• afbe76f24280919f1cb952c9996bc927e6e485123839ba84bbadc8fb9eb885c3
• 1305e7aea00eadecdc6fe143c0e91f93e9b6d5dc13407375e0e3dab7e5b99072
• 7b3a0273ca92cb17656df4522779b92d43bdbee1980eb4302c949f30dae8d0fa
• c3900ce88a3a4e0f897aae175aabb10a59ed31eccb92c2c353b514e6c136e401
• 6f60dfbd3c3fdffc731969acc1b7a82a545b8ec5baaecd48e7ae8055beb37259
• 43ffd4791798059b29170fe9b6d37cb3a18b1907c2b58a3c804973ca1d656505
• 085de1580421aefe1d581f4b6012a485e2665cee78630b6a0c311ee3bc8409b6
• 0a721dc82ec7eb9c20c44dbcac047879b8d15d54b3a186aaf8079058b10b30c9
• 1be9579507a8b20110b740c65f1b65d920c455ab1c026cadb1a250a267c206be
• 00a5a818af5c88e3a87da7632c8faee1aa52685bd4a306ebdaa4e59a71f2dca8
• 0da7a746881aed3442af5f2568632ecc2c9a20dc40887287791a0911d5943903
• b0c1ae6df1da890afdd746937573727606dc4c74087f99f7f6a5281f20d6bc70
• 83caade5a1d0004d64e874aae9955725f43062896f64f51b29f559c3992828bc
• 7cc8cc9ac7895717e1e82ec02d2787b910eca81e906c0c1da2896fc1c0a34f6e
• 08e65f09e41da3bc211a77ced8af657bde00d7a2b93d77446f29b6c8c3262ccd
• 541cb62c5a9583f82b89c73b47b495be2485b20d95120aab7e3552ce71fc0774
• 74974c182fb9872a4d108109ef84d86333fabe585b604217a72fcd7c84cd4b95
• 5ea2f40cf78a5f595409d5bc714abb09f62f2322a5e486687c43ef7d2b5f436f
• a3b32faeb66cffd6a380b6b0094918a21e44357b85f91029030e956a24bed67f
• 64023272dc7bc0c97123a6b41e3db3af179826e01457709e76e048b1a93185b4
• 859bf55fcf0a25a2f7f6d03e7ba6123d5a31c3e6c1196efae453a74d6fff9d43
• 391fdbe672177aeff9e5413036e59bec6a21d5552f07756478132105dff7da62
• 65194c18571f36e45349d0b57d5b1714d1b2846da38a6f4ab0585371691f7705
• 4d1f32b2707f7171f51aac33ea837ef5015a0365c8edba2f969491c5d414ae51
• 1f0dabd61947b6df8a392b77a0eae33777be3caad13698aecc223b54ab4b859a
• c3fb4e97bdffe2ad617cd42d5ef5e9bed60b9422db3375acd91b043b33b71776
• 1e8cb07ae43aa1aa75b73d43dce6a0ae3fefce8823bd3c3b19f6fdcd9e7c9b37
• 4c37ee05dd6858f52e86676721c65ab4f942d365bb19c75158fd3f227c435895
• 816a272e95f223eaf31e8830e054e0711cb868684c0d0569a52c2abfd0ad28bb
• 89757d680aade313afa6a2c6274c5034e5099fa70b55782e023f0c7db23d5e9f
• e9f816bcbb61d0bd495ea9e920c52825b020bd38dbc4f42c05f955ed34f7207a
• 1f4e21ff4a494ff94ba33fc834ade01815e91d86bb6a9eeaf75fd060c2fbc295
• 31c2454805fa90df13253d0bf20ddaab92c1c13e04b72cf74ad0998b76d4efc6
• 19a3b044449217c86215acdd7e8036d8d2a933a1cb7f02235cb5ce68ab1153a7
• 43eb1ff2f9639c33deb1d1db234f42d19add9cfcb8a5d8c8776a052600368622
• 2af07c7cee0743b9ab84eb5947d0334cb0b1dc874fa562920aafbc4ad95b12fc
• 472ea4929c5e0fb4e29597311ed90a14c57bc67fbf26f81a3aac042aa3dccb55
• 6b2bd1445ba96faa28f901bcc62b7e882af79a9a917e680a7259fbf47a36adf7
• 3e7c61dd4b4dc702f59b16d92fe5a67f4ba5cfdb7d8bb2c4bee888aeca95abcc
• 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96
• b1cf2b71cb187010c28ccfee8fe17a69808b2bbb327eb9a6fc9fa345a8ebe904
• a4ad41a8e1967987d260c2ca8ae392e6735f1a61ab0304d86454fadd2e992d8a
• 090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d
• 2ae67404fe5863f92cabc51e842683a2c02eb1f6707fb6ddfddaf847aa1eaca6
• 0d349d085c81fde9febc3b67d615ff35b6823d1742f6039aff4f2b8a68f06bfb
• 4c6f74a274ea7255a178650a656c1d84c6d717043301917ffbf31285059bbd87
• 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d
• 617ffcc9acffe218ad546a60311d87e5acfeb288bb997ec5c55586df8d496986
• 7bd7fb80c71fc6d50ce44036a3116c3ae7e1b5800fca45f2876854ed7f5220d4
• 798e858381add55cc83390fc323856cb5da5295f2e82f8e66cbfb943e1e2df2a
• cfd0e2e7fe3fab992a670137d0693a2b76a5ac88283011b4aa8786d439b37c87
• f89005bede88a85ebe90960fca54eff7d69e7fb0fb45944a4eb49ffb65f565f2
• 05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed
• a499e274c1bc0b12f2d7b0bdf36ae515af8ba3bbb1d788806ddb7908f239bff9
• 5bebe3986c2dcb5f50ea5d34c564c24ad3bbc132e648f1d009757a0d69c87e52
• 89ceee2b4db522a3d4bc56d847e39fded427ee346b462250307bb34ca44aff0c
• 31cca74bb322ad7833a21209b1418c9837e30983daec30d199a839f46075ee72
• 0caaf92b928446e8705587744951568d96fa68d7bf4a9988ea9e98cf6ffb44f3
• 184446bcb17021c39128369e9fe3d06cd0dde430c7f2e90c945c5a3299ef7b52
• a5933fb101747796a2f3b57db91047fd90867f8d1c3a7cf1d8149f0c83b1467f
• 5cbca642c1cbf4e0bf742c57f50bbd6ef0e45dda860bc5c595668dcec7b6adf6
• 49aaed9dec956d345610cc724c0d1fae52ca319b8635f96bfc49ae0421ccfbaa
• 28e48a58d0f5d5fb8aa7c96c7b47afc7a6b682078797caef53e7d353483f10e8

SHA1

• 381307e3120a0ee6b2769b4fe650c910bb55eb90
• fb4da33a16225035ba41529a28f2e1014473df8b
• 6ccb1198c79995b6b5d09fcf28871ab6294de619
• d41554002d3a9a5f907e2fc9cb35ef6eda654bb1
• 2b8de2bad68ebed65fec6b01be029bd0ffeccbc6
• 0df2576865114ed343b9c6da0f0fa254d7638f3e
• 96c1b565970ffe77187672ea3fb419b3a2b599c3
• 0550dad8d55446e5b5dbae61783cfb7c78ee10d2
• 7110e275089d50e53f2b808ae0d4f6667158ccc3
• 703a68641bb75f078523c73464f58394c2e1ebe7
• d65043c95403b87fccb1a4ec619f6d4f865cf878
• 16046c4d96f45d5f3cf85c96b89fc6de94fcf250
• 381650846d5422837d6e003453b0647376d42d70
• ab3d21567e9e5054cd73104079b56e7097c5973c
• ddaf5e43da0b00884ef957c32d7b16ed692a057a
• 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0
• 4106d261c1e4ef3997c7e96b28b4a9d7d0f5c57a
• f38d9da83939f5ca9d1891f958aff5ded46e80d5
• 11070a99f5756d944c809389a046de915f08b136
• 7700522cefecbc53f7c7c63b8b1b0e725bc0f9f2
• fa38cfc555d970acc602ddb129b86efbdf0c6944
• 1a604e25342252b81ab31f5a56e2d52fbda84cdf
• bbe70b2f77ef4b1bad6706477eaf8489a90eb8d5
• a51818eccef1725f199bd608a59bffcb5eafea50
• 00d000679baab456953b4302d8b2a1e65241ed12

Source IP

• 31[.]28[.]171[.]133
• 81[.]176[.]239[.]92
• 87[.]120[.]254[.]170
• 85[.]254[.]144[.]31
• 185[.]228[.]232[.]118
• 81[.]177[.]181[.]97
• 185[.]122[.]58[.]133
• 185[.]244[.]150[.]119
• 195[.]123[.]212[.]82
• 87[.]120[.]37[.]208
• 82[.]221[.]100[.]74
• 195[.]123[.]226[.]249
• 217[.]147[.]169[.]162
• 103[.]220[.]47[.]104
• 31[.]210[.]96[.]222
• 31[.]13[.]195[.]168
• 185[.]198[.]57[.]37
• 185[.]5[.]54[.]107
• 185[.]244[.]150[.]102
• 176[.]103[.]63[.]195
• 217[.]29[.]62[.]245
• 45[.]10[.]88[.]114
• 6[.]103[.]62[.]151
• 81[.]177[.]3[.]119
• 194[.]36[.]188[.]88
• 93[.]95[.]100[.]191
• 94[.]156[.]77[.]136
• 68[.]68[.]47[.]153
• 91[.]219[.]238[.]246
• 185[.]20[.]187[.]38
• 202[.]155[.]223[.]183
• 185[.]159[.]128[.]34
• 185[.]66[.]15[.]53
• 63[.]251[.]21[.]135
• 167[.]114[.]194[.]56
• 185[.]228[.]232[.]220
• 217[.]29[.]62[.]120
• 185[.]244[.]150[.]246
• 87[.]120[.]37[.]253
• 194[.]36[.]189[.]106
• 178[.]218[.]213[.]204
• 213[.]252[.]247[.]158
• 1[.]75[.]156[.]163
• 185[.]15[.]208[.]64
• 178[.]150[.]0[.]196
• 95[.]211[.]189[.]56
• 103[.]220[.]47[.]161
• 31[.]210[.]96[.]220
• 164[.]160[.]131[.]174
• 91[.]92[.]109[.]95
• 193[.]203[.]50[.]179
• 87[.]120[.]37[.]167
• 82[.]221[.]100[.]55
• 80[.]79[.]122[.]113
• 31[.]210[.]96[.]213
• 103[.]234[.]220[.]153
• 217[.]147[.]168[.]29
• 178[.]150[.]0[.]247
• 87[.]120[.]37[.]66
• 202[.]155[.]223[.]181
• 185[.]66[.]13[.]44
• 5[.]128[.]148[.]27
• 51[.]77[.]90[.]253
• 45[.]128[.]149[.]74
• 87[.]120[.]37[.]84
• 185[.]161[.]208[.]121
• 176[.]103[.]57[.]217

Remediation

• Block the threat indicators at their respective controls.
• Do not download attachments from untrusted emails.
• Address all 0-day vulnerabilities as soon as they are patched by a vendor.
• Keep all systems and software updated to latest patched versions.