APT attack

Researchers found suspected malicious activity by Bahamut

Based on a finding in mid-February 2021, the researchers assessed with low confidence that the Bahamut APT group has been conducting malicious activity against multiple targets since June 4, 2020.

Bahamut is a “mercenary” (hack-for-hire) group that usually targets entities and individuals in the Middle East and South Asia. The group mainly uses counterfeit websites for credential harvesting and phishing to deliver malware.

The group uses a vulnerability (CVE-2017-8570) in a multi-stage infection chain: malicious documents are distributed to install Visual Basic (VB) executables on the target computer. The exploitation creates a backdoor that appears only to look up the username of the infected machine, which may be used for reconnaissance. Based on limited technical intelligence and on the targets of the group’s previous operations, the researchers attributed this operation to Bahamut with low confidence.

While studying the malicious files, the researchers analyzed a .docx document (List1.docx) that contains a bundled component, and another .docx document that communicates with lobertica.info (a domain used by Bahamut in the past) through template injection. The researchers checked the header date of the document and found that the malicious activity can be traced back to June 4, 2020. The document title referred to the National Anti-Terrorism Agency (NACTA) of Pakistan, which is consistent with the geography of the targets of Bahamut’s previous activities. The June timeline is also consistent with Pakistan’s virtual meeting with the Financial Action Task Force (FATF) held on June 24, 2020.

The researchers stated that the malicious activity started in June 2020 and continued until mid-February 2021. Three malicious documents were used: List1.docx, List for Approval.docx and report.doc, plus one whose filename appears to contain a typo: Screeshot from NACTA Website.docx.
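The template-injection technique described above leaves a recognizable trace inside the .docx package: an attachedTemplate relationship in word/_rels/settings.xml.rels whose TargetMode is External and whose Target is a remote URL. The following is an added example, not code from the original report or from the researchers it summarizes, showing how a defender can scan a document for that trace. The sample documents are constructed in memory; the remote target used in the malicious sample is the template URL listed in the IOCs section of this page, and the relationship-type URIs are the standard Office Open XML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML relationship namespace and the relationship types
# that can pull remote content into a document when TargetMode="External".
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_TYPES = {
    OFFICE_REL + "attachedTemplate": "attachedTemplate",  # remote template injection
    OFFICE_REL + "oleObject": "oleObject",                # linked (remote) OLE object
}


def find_external_relationships(docx_bytes):
    """Scan every .rels part of a .docx and return (rels_part, rel_type, target)
    for each external relationship of a type that fetches remote content.
    Hyperlinks are ignored: they are external by design and user-triggered."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A malformed .rels part is itself worth a look, but is not a hit here.
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                short = SUSPICIOUS_TYPES.get(rel.get("Type", ""))
                if short and rel.get("TargetMode") == "External":
                    findings.append((name, short, rel.get("Target")))
    return findings


def build_sample_docx(template_url=None):
    """Build a minimal, constructed .docx package in memory. When template_url
    is given, an external attachedTemplate relationship is added, mimicking
    the template-injection trace a scanner should flag."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS,
            # A normal hyperlink: external, but benign and not flagged.
            '<Relationship Id="rId1" Type="%shyperlink" '
            'Target="http://example.invalid/" TargetMode="External"/>' % OFFICE_REL]
    if template_url:
        rels.append('<Relationship Id="rId2" Type="%sattachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % (OFFICE_REL, template_url))
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/settings.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one benign, one carrying the template URL from this page's IOC list.
    benign = build_sample_docx()
    malicious = build_sample_docx("http://lobertica.info/fefus/template.dot")
    for label, doc in (("benign", benign), ("malicious", malicious)):
        print(label, find_external_relationships(doc))
```

The scanner walks every .rels part rather than only settings.xml.rels so that linked OLE objects in document.xml.rels are caught by the same pass; a hit is a reason to detonate or block the file and to check proxy logs for the target host, not by itself proof of compromise.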

Bahamut

Bahamut is an advanced APT group that engages users through email and social engineering to deliver the initial payload. Although many similarities were identified between the recently discovered malicious activity and the activity attributed to Bahamut in previous reports, the lack of sufficient evidence, TTPs and indicators means the researchers can only assess with low confidence that Bahamut may be behind the operation.

IOCs

IP addresses

185.183.161.125
185.175.158.227
208.91.197.54
194.120.24.116
93.184.220.29
194.67.93.17

URLs

http://lobertica.info
http://lobertica.info/fefus/
http://lobertica.info/fefus/report.doc
http://lobertica.info/fefus/template.dot
http://lobertica.info/msoll/igtxpres.zip
http://zovwelle.com
http://zovwelle.com/opregftyro/ijkbfumnbvc.php
http://memoadvicr.com
http://memoadvicr.com/kodec/report.doc
http://memoadvicr.com/dvsec/report.doc
http://fastfiterzone.com/sdjfbjsgdlfvfd/gfdbvgfgggh.php

File hashes (MD5)

EXE
04e05054e9e4f1c6cba9292fcad9e06f
61639f301c4cdadfd6c4a696375bdc99

.docx
68d0e326e18bd7ec50db011f9c119e25
de1f5c8223505f7e8c64a4b852614b14
3df18ecd55f8e267be39f6f757bcd5f0

RTF
9dc1cdba6d5838f7984de89521f18ae8

Scriptlet
d3e989f44fe3065ec501fe7f0fc33c3e

Bundled
11eb560d256383859b8135cfbbf98e30