A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022.
“The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign,” Symantec, a division of Broadcom Software, said in a report shared with The Hacker News.
The cybersecurity firm said the activity shares overlaps with a threat cluster tracked by Group-IB under the name OPERA1ER, which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022.
The attribution stems from similarities in the toolset used, the attack infrastructure, the absence of bespoke malware, and the targeting of French-speaking nations in Africa. Three different unnamed financial institutions in three African nations were breached, although it’s not known whether Bluebottle successfully monetized the attacks.
The financially motivated adversary, also known by the name DESKTOP-GROUP, has been responsible for a string of heists totaling $11 million over the four-year period, with actual damages touching $30 million.
The recent attacks illustrate the group’s evolving tactics, including employing an off-the-shelf malware named GuLoader in the early stages of the infection chain as well as weaponizing kernel drivers to disable security defenses.
Symantec said it couldn’t trace the initial intrusion vector, although it detected job-themed files on the victim networks, indicating that hiring related phishing lures were likely put to use to trick the targets into opening malicious email attachments.
What’s more, an attack detected in mid-May 2022 involved the delivery of an information stealer malware in the form of a ZIP file containing an executable screen saver (.SCR) file. Also observed in July 2022 was the use of an optical disc image (.ISO) file, which has been utilized by many a threat actor as a means of distributing malware.
“If the Bluebottle and OPERA1ER actors are indeed one and the same, this would mean that they swapped out their infection techniques between May and July 2022,” the researchers noted.
The spear-phishing attachments lead to the deployment of GuLoader, which subsequently acts as a conduit to drop additional payloads on the machine, such as Netwire, Quasar RAT, and Cobalt Strike Beacon. Lateral movement is facilitated through tools like PsExec and SharpHound.
Another technique adopted by the group is the use of a signed helper driver to terminate security software, a method that has been exploited by multiple hacking crews for similar purposes, according to findings from Mandiant, SentinelOne, and Sophos last month.
The fact that the same driver (called POORTRY by Mandiant) has been leveraged by several cybercriminal groups lends credence to the theory that these threat actors are using a code signing service to get their malware pass attestation mechanisms.
With the threat actors suspected to be French-speaking, it’s likely that the attacks could expand to other French-speaking nations across the world, the company cautioned.
“The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity,” the researchers said. “It appears to be very focused on Francophone countries in Africa, so financial institutions in these countries should remain on high alert.”
