A cybercriminal group called Bluebottle was involved in a series of targeted attacks against the financial sector of French-speaking African countries from at least July 2022 to September 2022.
Symantec, a division of Broadcom Software, said in a report shared with The Hacker News, “This group makes extensive use of self-sufficient dual-use tools and commodity malware and did not deploy custom malware in this campaign.”
The cybersecurity firm said this activity overlaps with a threat cluster tracked by Group-IB under the name OPERA1ER. OPERA1ER carried out dozens of attacks against banks, financial services, and telecommunications companies in Africa, Asia, and Latin America between 2018 and 2022.
This attribution is based on the similarities in the toolsets used, the attack infrastructure, the lack of bespoke malware, and the targeting of French-speaking African countries. It is unclear whether Bluebottle successfully monetized the attacks, but three unnamed financial institutions in three African countries were compromised.
The financial adversary, also known as DESKTOP-GROUP, has been involved in a series of robberies totaling $11 million, with actual losses reaching $30 million.
Recent attacks demonstrate the group’s evolving tactics, including using commercial malware named GuLoader early in the infection chain and weaponizing kernel drivers to defeat security defenses.
Symantec said it detected work-themed files on the victim’s network, but was unable to trace the initial intrusion vector.
Additionally, an attack detected in mid-May 2022 delivered information-stealing malware in the form of a ZIP file containing an executable screen saver (.SCR) file. In July 2022, the use of optical disc image (.ISO) files was also confirmed, a file format that many attackers use as a means of distributing malware.
“If the Bluebottle and OPERA1ER actors are exactly the same, this means they exchanged infection techniques between May and July 2022,” said the researchers.
Spear-phishing attachments lead to the deployment of GuLoader. GuLoader then acts as a conduit to drop additional payloads such as Netwire, Quasar RAT and Cobalt Strike Beacon onto the machine. Lateral movement is facilitated by tools such as PsExec and SharpHound.
Another technique adopted by this group is the use of signed drivers to terminate security software. According to findings published last month by Mandiant, SentinelOne, and Sophos, the method is being used by multiple hacking crews for similar purposes.
The threat actor is suspected to speak French, so the attack could spread to other French-speaking countries around the world, the company warned.
“The effectiveness of that campaign means Bluebottle is unlikely to stop this activity,” said the researchers. “It appears to be very focused on French-speaking countries in Africa, so financial institutions in these countries should remain on high alert.”