A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries in Africa from at least July 2022 to September 2022.
"The group makes extensive use of living-off-the-land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software, said in a report shared with The Hacker News.
The cybersecurity company said the activity overlaps with a threat cluster tracked by Group-IB under the name OPERA1ER, which has carried out dozens of attacks aimed at banks, financial services firms, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022.
The attribution rests on similarities in the toolset used, the attack infrastructure, the absence of bespoke malware, and the targeting of French-speaking nations in Africa. Three different unnamed financial institutions in three African countries were breached, although it is not known whether Bluebottle successfully monetized the attacks.
The financially motivated adversary, also known by the name DESKTOP-Group, has been held responsible for a string of heists totaling $11 million, with actual damages estimated to reach $30 million.
The latest attacks illustrate the group's evolving tradecraft, including the use of the off-the-shelf loader GuLoader in the early stages of the infection chain as well as the abuse of kernel drivers to disable security defenses.
Symantec said it could not determine the initial intrusion vector, although it found job-themed documents on the victim networks, suggesting that job-related phishing lures were likely used to trick targets into opening malicious email attachments.
What's more, an attack detected in mid-May 2022 involved the delivery of an information stealer in the form of a ZIP file containing an executable screen saver (.SCR) file. Also observed in July 2022 was the use of an optical disc image (.ISO) file, a format that many threat actors have used as a means of distributing malware because Windows mounts it as a drive and the files inside it have historically not carried the Mark of the Web that triggers SmartScreen and Protected View.
"If the Bluebottle and OPERA1ER actors are indeed one and the same, this would mean that they swapped out their infection techniques between May and July 2022," the researchers noted.
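As an added illustration (this is not code from Symantec's report or from The Hacker News, and the sample attachments are constructed for the example rather than real Bluebottle artefacts), the two delivery formats described above can be caught at the mail gateway with cheap structural checks: an ISO 9660 image carries the identifier "CD001" at offset 0x8001 regardless of what it is named, and a ZIP member is an executable if its extension is one Windows will run directly (.SCR is simply a PE executable with a screen-saver name) or if its first two bytes are the "MZ" DOS header, whatever the extension claims.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click; .SCR is a PE executable under a screen-saver name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll"}

# ISO 9660 volumes carry "CD001" at byte 1 of sector 16 (2048-byte sectors), i.e. offset 0x8001.
ISO_SIGNATURE = b"CD001"
ISO_SIGNATURE_OFFSET = 16 * 2048 + 1


def is_iso9660(data: bytes) -> bool:
    """True if the blob has the ISO 9660 volume descriptor identifier, whatever its filename says."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return len(data) >= end and data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def is_pe(head: bytes) -> bool:
    """True if the bytes start with the 'MZ' DOS header every Windows PE file begins with."""
    return head[:2] == b"MZ"


def extension_of(name: str) -> str:
    lower = name.lower()
    return lower[lower.rfind("."):] if "." in lower else ""


def triage_zip(data: bytes) -> List[str]:
    """Return one finding per ZIP member that is executable by name or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if extension_of(info.filename) in EXECUTABLE_EXTS:
                findings.append(f"executable member {info.filename!r}")
            elif is_pe(head):
                findings.append(f"PE header under non-executable name {info.filename!r}")
    return findings


def triage_attachment(data: bytes) -> List[str]:
    """Classify one attachment blob; an empty list means nothing structural stood out."""
    findings = []
    if is_iso9660(data):
        findings.append("ISO 9660 disc image")
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(triage_zip(data))
    elif is_pe(data):
        findings.append("bare PE executable")
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to build an in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples for the example (not real campaign files): a double-extension
# screen saver inside a ZIP, a minimal ISO 9660 header, and a harmless archive.
SCR_LURE = build_zip({"Job_Application.pdf.scr": b"MZ" + b"\x00" * 62})
_iso = bytearray(ISO_SIGNATURE_OFFSET + 64)
_iso[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)] = ISO_SIGNATURE
ISO_LURE = bytes(_iso)
BENIGN = build_zip({"notes.txt": b"quarterly figures attached"})

if __name__ == "__main__":
    for label, blob in (("scr lure", SCR_LURE), ("iso lure", ISO_LURE), ("benign", BENIGN)):
        print(label, triage_attachment(blob) or "clean")
```

The header checks matter more than the extension list: renaming a payload to something like "invoice.pdf" inside the archive defeats an extension filter but not the "MZ" test, and an ISO renamed to ".img" or ".dat" still has "CD001" in sector 16. Neither check inspects what the executable does; it only decides that the attachment should be held for analysis rather than delivered.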
The spear-phishing attachments lead to the deployment of GuLoader, which then acts as a conduit to drop additional payloads on the machine, such as NetWire, Quasar RAT, and Cobalt Strike Beacon. Lateral movement is facilitated through tools like PsExec and SharpHound, the latter being the BloodHound data collector used to map Active Directory paths to high-value targets.
Another technique adopted by the group is the use of signed drivers to terminate security software. Because the driver carries a valid signature it passes Windows driver signature enforcement and, once loaded, gives the attacker kernel-mode code with which protected security processes can be killed. The same approach has been used by multiple hacking crews for similar purposes, according to findings published by Mandiant, SentinelOne, and Sophos last month.
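The driver technique leaves a reliable footprint: loading a kernel driver requires installing a service for it, which Windows records in the System log as Event ID 7045 ("A service was installed in the system") with the service type "kernel mode driver" and the image path. As an added example (not from Symantec's report; the event lines below are constructed, not real telemetry), the following hunt parses such events and flags kernel drivers installed from anywhere other than the normal driver directories, which is where an attacker dropping a bring-your-own driver next to their tooling usually lands.

```python
import re
from typing import Dict, List

# Directories a kernel driver normally loads from; anything else deserves a look.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# key=value pairs, with values optionally double-quoted (the constructed log format below)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def is_suspicious_driver_install(event: Dict[str, str]) -> bool:
    """Event 7045 for a kernel-mode driver whose image sits outside the trusted driver paths."""
    if event.get("EventID") != "7045":
        return False
    if event.get("ServiceType", "").lower() != "kernel mode driver":
        return False
    path = event.get("ImagePath", "").lower().replace("/", "\\")
    path = re.sub(r"^\\\?\?\\", "", path)  # strip the \??\ NT object-manager prefix some installers use
    return not path.startswith(TRUSTED_DRIVER_DIRS)


def hunt(lines: List[str]) -> List[str]:
    """Return 'service <- image path' for every suspicious driver installation in the lines."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_driver_install(event):
            hits.append(f'{event.get("ServiceName")} <- {event.get("ImagePath")}')
    return hits


# Constructed sample events (not real telemetry): a legitimate driver, a driver dropped in a
# user-writable folder, PsExec's service (user mode, so ignored here), and a driver installed
# via an NT-style path.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=exdrv ImagePath="C:\Windows\System32\drivers\exdrv.sys" ServiceType="kernel mode driver" StartType="demand start"',
    r'EventID=7045 ServiceName=cleaner ImagePath="C:\Users\Public\cleaner.sys" ServiceType="kernel mode driver" StartType="demand start"',
    r'EventID=7045 ServiceName=PSEXESVC ImagePath="C:\Windows\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start"',
    r'EventID=7045 ServiceName=agent ImagePath="\??\C:\ProgramData\tmp\agent.sys" ServiceType="kernel mode driver" StartType="auto start"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious kernel driver install:", hit)
```

The path rule is deliberately narrow and has a known gap: an attacker who already has administrator rights can copy the signed driver into System32\drivers before creating the service, so in practice this check is paired with a list of known abusable driver hashes and with the signer name from the driver's Authenticode signature. The PSEXESVC event in the sample is not a driver, but its appearance on a host is itself worth correlating with the lateral-movement tooling described above.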
With the threat actors suspected to be French-speaking, it is possible that the attacks could expand to other French-speaking nations around the world, the company cautioned.
"The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity," the researchers said. "It appears to be quite focused on Francophone nations in Africa, so financial institutions in these countries should remain on high alert."