A cybercrime group dubbed Bluebottle has been linked to a set of focused assaults in opposition to the monetary sector in Francophone nations situated in Africa from at the least July 2022 to September 2022.
“The group makes intensive use of living-off-the-land, twin use instruments, and commodity malware, with no customized malware deployed on this marketing campaign,” Symantec, a division of Broadcom Software program, mentioned in a report shared with The Hacker Information.
The cybersecurity agency mentioned the exercise shares overlaps with a risk cluster tracked by Group-IB beneath the title OPERA1ER, which has carried out dozens of assaults aimed toward banks, monetary companies, and telecom corporations in Africa, Asia, and Latin America between 2018 and 2022.
The attribution stems from similarities within the toolset used, the assault infrastructure, the absence of bespoke malware, and the focusing on of French-speaking nations in Africa. Three completely different unnamed monetary establishments in three African nations have been breached, though it is not identified whether or not Bluebottle efficiently monetized the assaults.
The financially motivated adversary, additionally identified by the title DESKTOP-GROUP, has been accountable for a string of heists totaling $11 million, with precise damages touching $30 million.
The latest assaults illustrate the group’s evolving techniques, together with using an off-the-shelf malware named GuLoader within the early phases of the an infection chain in addition to weaponizing kernel drivers to disable safety defenses.
Symantec mentioned it could not hint the preliminary intrusion vector, though it detected job-themed information on the sufferer networks, indicating that hiring associated phishing lures have been seemingly put to make use of to trick the targets into opening malicious e mail attachments.
What’s extra, an assault detected in mid-Could 2022 concerned the supply of an info stealer malware within the type of a ZIP file containing an executable display screen saver (.SCR) file. Additionally noticed in July 2022 was using an optical disc picture (.ISO) file, which has been utilized by many a risk actor as a way of distributing malware.
“If the Bluebottle and OPERA1ER actors are certainly one and the identical, this might imply that they swapped out their an infection methods between Could and July 2022,” the researchers famous.
The spear-phishing attachments result in the deployment of GuLoader, which subsequently acts as a conduit to drop further payloads on the machine, similar to Netwire, Quasar RAT, and Cobalt Strike Beacon. Lateral motion is facilitated by means of instruments like PsExec and SharpHound.
One other method adopted by the group is using signed drivers to terminate safety software program, a technique that has been utilized by a number of hacking crews for related functions, in response to findings from Mandiant, SentinelOne, and Sophos final month.
With the risk actors suspected to be French-speaking, it is seemingly that the assaults may increase to different French-speaking nations internationally, the corporate cautioned.
“The effectiveness of its campaigns signifies that Bluebottle is unlikely to cease this exercise,” the researchers mentioned. “It seems to be very centered on Francophone nations in Africa, so monetary establishments in these nations ought to stay on excessive alert.”
